Mailing List Archive

USER_IN_SPF_WHITELIST vs freemails
Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?

thanks,

-Darrell

Return-Path: <3yVCtXxAJBSQMORGANWAGNERbjjdGMAIL.COM[me]@trix.bounces.google.com>
Received: from mail.onholyground.com ([unix socket])
by mail.onholyground.com (Cyrus v2.4.20) with LMTPA;
Thu, 12 Nov 2020 09:12:13 -0600
X-Sieve: CMU Sieve 2.4
Received: from mail-vk1-f197.google.com (mail-vk1-f197.google.com [209.85.221.197])
by mail.onholyground.com (8.14.9/8.14.4) with ESMTP id 0ACFCBTW017981
(version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=OK)
for <[me]>; Thu, 12 Nov 2020 09:12:12 -0600
Received: by mail-vk1-f197.google.com with SMTP id y16so1640638vke.0
for <[me]>; Thu, 12 Nov 2020 07:12:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:reply-to:message-id:date:subject:from:to;
bh=Xj+YfJdy6SvVqmqwKgKqW8OWjMVW3nj8jUVW78yd1PU=;
b=HzlI9oaQiGvUygeibKwDegYKhlGveOjA9H6ruvw9XG6oL/xw8sp+pg8o4kd012rlNu
zgjvPqRhAerGLgGphd0+Kt9vt3MNToHEUI3aDalZ1d7EQeE7ki9uzuvVX8Y/aiAWKI+D
p3J86hMTUEMqVKbAF9kmPTGWmxjon9NAgI7Zx/ZfRW2VbMnlbi5oYnW7n5cyPfu+b1Cr
GxFpzx9AHtrNWNXYR/bhUFLn/y8/6pKhVl+TGEOgBaNgzClWyPH6RbyHMcjDlZ3uTvrG
sDlAUj4uc26J+mrxvk8RpCpUBMAxaT5YkkbSVUzMo51FFmT0dUWeV3LOy6vXU4NBeLXG
Vhuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:reply-to:message-id:date:subject
:from:to;
bh=Xj+YfJdy6SvVqmqwKgKqW8OWjMVW3nj8jUVW78yd1PU=;
b=gACy0+O415lR4xM+JUQo1MBT8RQE1rUBzW/qegRB1NPLJ2kryEPVDL3CQp90id7v2J
trtbPo2DC2Vts4jJx7eQpr6oMPMQIa1aZBJs0Z/6iejQxWgtVOA5YKVLMTrbgvXQ0eRY
/YmtWNfWd562OKhwJi9J28c8VsE6/doJ5aalENGhE9GlLMQ9EdE5zruNXcdLYtgmCtXG
LPgQLTkgY8FLNQNSWNB2ajma4LDWOu8XoawK8+0bTQ4gRfaXt3uja0/dG4B/kogIdoXP
68ogdGoYnlgxLnaqPqn7MFfCE1W9iVSI8eMzrescSR0aOIkgzG6wmvX7BTcPnAtqv4eA
a6eA==
X-Gm-Message-State: AOAM532jkOWP/B/k6Lk0O5/pJBQeNZlR462QiJlMTo6P2kHBNQwoDPM8
0UCdjsmi9g6pQdsPrtr4HaqRpGOB1gA+wgFtP8kk
MIME-Version: 1.0
X-Received: by 2002:a67:b44d:: with SMTP id c13mt20398769vsm.38.1605193929733;
Thu, 12 Nov 2020 07:12:09 -0800 (PST)
Reply-To: morganwagner1993@gmail.com
X-No-Auto-Attachment: 1
Message-ID: <000000000000fa8c4b05b3ea5506@google.com>
Date: Thu, 12 Nov 2020 15:12:11 +0000
Subject: Hello good day.
From: morganwagner1993@gmail.com
To: [me]
Content-Type: multipart/alternative; boundary="00000000000019959e05b3ea56dc"
X-Greylist: Sender succeeded STARTTLS authentication, not delayed by milter-greylist-4.6.2 (mail.onholyground.com [204.130.133.20]); Thu, 12 Nov 2020 09:12:12 -0600 (CST)
X-Spam-Checked: This message probably not SPAM (-94.234)
X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
X-Scanned-By: MIMEDefang 2.84
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

> Got a few of these 411 google form spams recently and was wondering why
> they weren't getting caught by SA. Looks like the Return-Path: is
> triggering a whitelist rule on google.com so the rest of the tests
> aren't enough to get it tagged. Anything I can do to keep the whitelist
> rule from firing when the free mail rules have been tripped?

You can't keep it from firing beyond removing google.com from the
whitelist, which would impact non-gmail google mails. What you *can* do is
define a meta to offset the whitelist score:

meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From

Of course, that would prevent you from auth-whitelisting any freemail
provider, if you wanted to do such a thing.

> X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You can't reason a person out of a position if
he didn't use reason to get there in the first place.
-- Jonathan Swift, paraphrased
-----------------------------------------------------------------------
166 days since the first private commercial manned orbital mission (SpaceX)
Re: USER_IN_SPF_WHITELIST vs freemails
On Nov 12, 2020, at 11:54 AM, John Hardin <jhardin@impsec.org> wrote:
>
> On Thu, 12 Nov 2020, Darrell Budic wrote:
>
>> Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?
>
> You can't keep it from firing beyond removing google.com from the whitelist, which would impact non-gmail google mails. What you *can* do is define a meta to offset the whitelist score:
>
> meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
> score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
> describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From
>
> Of course, that would prevent you from auth-whitelisting any freemail provider, if you wanted to do such a thing.

Thanks, figured it would be something like that.

Would this make sense for something a bit more granular?

uri GOOGLE_FORMS /docs\.google\.com\/forms\//
meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score FREEM_WLIST_OFFSET_GOOGLE 100.000 # offset whitelist score
describe FREEM_WLIST_OFFSET_GOOGLE Offset SPF whitelist on freemail From for google forms

>> X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> You can't reason a person out of a position if
> he didn't use reason to get there in the first place.
> -- Jonathan Swift, paraphrased
> -----------------------------------------------------------------------
> 166 days since the first private commercial manned orbital mission (SpaceX)
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

> On Nov 12, 2020, at 11:54 AM, John Hardin <jhardin@impsec.org> wrote:
>>
>> On Thu, 12 Nov 2020, Darrell Budic wrote:
>>
>>> Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?
>>
>> You can't keep it from firing beyond removing google.com from the whitelist, which would impact non-gmail google mails. What you *can* do is define a meta to offset the whitelist score:
>>
>> meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>> score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
>> describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From
>>
>> Of course, that would prevent you from auth-whitelisting any freemail provider, if you wanted to do such a thing.
>
> Thanks, figured it would be something like that.
>
> Would this make sense for something a bit more granular?
>
> uri GOOGLE_FORMS /docs\.google\.com\/forms\//
> meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
> score FREEM_WLIST_OFFSET_GOOGLE 100.000 # offset whitelist score
> describe FREEM_WLIST_OFFSET_GOOGLE Offset SPF whitelist on freemail From for google forms

There's already a google doc subrule in the base ruleset, try using that:

meta FREEM_GDOC_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC

I'd have to see a spample to tell whether that would hit your particular
case, though. Can you upload an example to pastebin for us?


>>> X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We have to realize that people who run the government can and do
change. Our society and laws must assume that bad people -
criminals even - will run the government, at least part of the
time. -- John Gilmore
-----------------------------------------------------------------------
166 days since the first private commercial manned orbital mission (SpaceX)
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020 11:23:29 -0600
Darrell Budic wrote:

> Got a few of these 411 google form spams recently and was wondering
> why they weren’t getting caught by SA. Looks like the Return-Path: is
> triggering a whitelist rule on google.com so the rest of the tests
> aren’t enough to get it tagged. Anything I can do to keep the
> whitelist rule from firing when the free mail rules have been tripped?

That whitelisting rule is your own.

Take a look at how the default whitelisting of google.com is done in
the core rules using the lower scoring "def_" whitelist definitions.
Re: USER_IN_SPF_WHITELIST vs freemails
On Nov 12, 2020, at 12:31 PM, John Hardin <jhardin@impsec.org> wrote:
>
> On Thu, 12 Nov 2020, Darrell Budic wrote:
>
>> On Nov 12, 2020, at 11:54 AM, John Hardin <jhardin@impsec.org> wrote:
>>>
>>> On Thu, 12 Nov 2020, Darrell Budic wrote:
>>>
>>>> Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?
>>>
>>> You can't keep it from firing beyond removing google.com from the whitelist, which would impact non-gmail google mails. What you *can* do is define a meta to offset the whitelist score:
>>>
>>> meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>>> score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
>>> describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From
>>>
>>> Of course, that would prevent you from auth-whitelisting any freemail provider, if you wanted to do such a thing.
>>
>> Thanks, figured it would be something like that.
>>
>> Would this make sense for something a bit more granular?
>>
>> uri GOOGLE_FORMS /docs\.google\.com\/forms\//
>> meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>> score FREEM_WLIST_OFFSET_GOOGLE 100.000 # offset whitelist score
>> describe FREEM_WLIST_OFFSET_GOOGLE Offset SPF whitelist on freemail From for google forms
>
> There's already a google doc subrule in the base ruleset, try using that:
>
> meta FREEM_GDOC_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC
>
> I'd have to see a spample to tell whether that would hit your particular case, though. Can you upload an example to pastebin for us?

Sure, it's at https://paste.centos.org/view/045312a7.

The line it’d be looking for is
https://docs.google.com/forms/d/e/1FAIpQLSewTcsIWucmT-BDiN5F0_25NVaNqfbTcCANvTA8ReD_MjpONw/viewform?vc=0&amp;c=0&amp;w=1&amp;flr=0&amp;usp=mail_form_link
which looks like it would match if I'm reading regexps correctly today?
Re: USER_IN_SPF_WHITELIST vs freemails
> On Nov 12, 2020, at 1:01 PM, RW <rwmaillists@googlemail.com> wrote:
>
> On Thu, 12 Nov 2020 11:23:29 -0600
> Darrell Budic wrote:
>
>> Got a few of these 411 google form spams recently and was wondering
>> why they weren’t getting caught by SA. Looks like the Return-Path: is
>> triggering a whitelist rule on google.com so the rest of the tests
>> aren’t enough to get it tagged. Anything I can do to keep the
>> whitelist rule from firing when the free mail rules have been tripped?
>
> That whitelisting rule is your own.
>
> Take a look at how the default whitelisting of google.com is done in
> the core rules using the lower scoring "def_" whitelist definitions.

Ah, good point, I missed that at first. I'd added the whitelist_auth *.google.com with rules to add points to things with google From: addresses to catch things claiming to be from them but not. I will have to reconsider those and at least change them to the def_ versions, thanks for pointing that out.
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

> On Nov 12, 2020, at 12:31 PM, John Hardin <jhardin@impsec.org> wrote:
>>
>> I'd have to see a spample to tell whether that would hit your particular case, though. Can you upload an example to pastebin for us?
>
> Sure, it’s at https://paste.centos.org/view/045312a7
>
> The line it’d be looking for is
> https://docs.google.com/forms/d/e/1FAIpQLSewTcsIWucmT-BDiN5F0_25NVaNqfbTcCANvTA8ReD_MjpONw/viewform?vc=0&amp;c=0&amp;w=1&amp;flr=0&amp;usp=mail_form_link
> which looks like it would match if I'm reading regexps correctly today?

Sadly, that doesn't hit the current form of the rule. Fix checked in, the
next rule publication should catch it. Thanks for the sample.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Liberals love sex ed because it teaches kids to be safe around their
sex organs. Conservatives love gun education because it teaches kids
to be safe around guns. However, both believe that the other's
education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
166 days since the first private commercial manned orbital mission (SpaceX)
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020 13:56:10 -0600
Darrell Budic wrote:

> > On Nov 12, 2020, at 1:01 PM, RW <rwmaillists@googlemail.com> wrote:
> >
> > On Thu, 12 Nov 2020 11:23:29 -0600
> > Darrell Budic wrote:
> >
> >> Got a few of these 411 google form spams recently and was wondering
> >> why they weren’t getting caught by SA. Looks like the Return-Path:
> >> is triggering a whitelist rule on google.com so the rest of the
> >> tests aren’t enough to get it tagged. Anything I can do to keep the
> >> whitelist rule from firing when the free mail rules have been
> >> tripped?
> >
> > That whitelisting rule is your own.
> >
> > Take a look at how the default whitelisting of google.com is done in
> > the core rules using the lower scoring "def_" whitelist
> > definitions.
>
> Ah, good point, I missed that at first. I'd added the whitelist_auth
> *.google.com with rules to add points to things
> with google From: addresses to catch things claiming to be from
> them but not. I will have to reconsider those and at least change
> them to the def_ versions, thanks for pointing that out.

The def versions are already there by default. The important thing
is that those default rules didn't hit that spam:


./60_whitelist_auth.cf:def_whitelist_auth *@google.com
./60_whitelist_auth.cf:def_whitelist_auth *@accounts.google.com

./60_whitelist_dkim.cf:def_whitelist_from_dkim googlealerts-noreply@google.com
./60_whitelist_dkim.cf:def_whitelist_from_dkim *@*.google.com
./60_whitelist_dkim.cf:# def_whitelist_from_dkim *@google.com


where def_whitelist_auth is SPF or DKIM.

The only envelope subdomain checked with SPF is accounts.google.com.
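Pulling the two answers in this thread together, here is an added local.cf fragment (editor's example, not something posted by John, RW or Darrell). It assumes the line that fires USER_IN_SPF_WHITELIST at -100 is a user-level "whitelist_auth *@*.google.com" entry, which the stock def_whitelist_auth entries for *@google.com and *@accounts.google.com do not cover for the trix.bounces.google.com envelope sender. The uri regex, the rule names and the 100-point offset are this example's own choices; the regex is not the base ruleset's __URI_GOOGLE_DOC subrule.

```conf
# Added example for local.cf; not from the thread.  Assumes the poster's own
# "whitelist_auth *@*.google.com" line is what fires USER_IN_SPF_WHITELIST
# (-100) on the trix.bounces.google.com envelope sender.

# 1. Remove the strong user whitelist.  The stock 60_whitelist_auth.cf already
#    carries "def_whitelist_auth *@google.com" and "*@accounts.google.com",
#    which land in USER_IN_DEF_SPF_WL at a small negative score (-7.5 in the
#    stock 50_scores.cf) instead of -100, so LOTS_OF_MONEY, MONEY_FRAUD_8,
#    FREEMAIL_FORGED_FROMDOMAIN and friends can still push the total over 5.
#
#    whitelist_auth *@*.google.com        <- delete this line from local.cf

# 2. If a -100 whitelist on google.com has to stay (e.g. for internal Workspace
#    mail), cancel it out when the From: is a freemail address and the body
#    links to a Google Forms response page.  Zero-score __ subrule plus a meta,
#    following the same shape as the FREEM_WLIST_OFFSET meta in the thread.
uri      __GFORMS_VIEWFORM   /^https?:\/\/docs\.google\.com\/forms\/d\/e\/[\w-]+\/viewform/i
meta     FREEM_GFORMS_WLIST_OFFSET  USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __GFORMS_VIEWFORM
score    FREEM_GFORMS_WLIST_OFFSET  100.0
describe FREEM_GFORMS_WLIST_OFFSET  Freemail From, SPF whitelisted, Google Forms link
```

The regex matches the viewform URL quoted in the thread (the form id is a run of letters, digits, "_" and "-", then "/viewform"). Check the fragment with "spamassassin --lint", then run the pastebin sample through "spamassassin -t < spample.eml" and confirm that both USER_IN_SPF_WHITELIST and FREEM_GFORMS_WLIST_OFFSET appear in the hit list and that the reported score is now above the required threshold; if only the whitelist rule hits, the uri subrule did not see the link and the regex needs adjusting against the actual body.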