Mailing List Archive

freshworks and DKIM and KAM
Hi,

I can't figure out why attempts at adding emails from the
freshworks.com domain to the welcome list aren't successful. This is
from a quarantined message on my amavis/SA/fedora system.

I'm not sure why the entirety of freshworks.com would be blocked in
the first place?
* 9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
* (https://raptor.pccc.com/RBL)
* [listed in freshworks.com.wild.pccc.com]
* 9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
* (https://raptor.pccc.com/RBL)
* [URI: freshworks.com]

X-Envelope-From:
<bounces+5.327789648558399953-support=freshworks.com@frwfiddkim.freshworks.com>
Authentication-Results: xavier.example.com (amavisd-new);
dkim=pass (2048-bit key) header.d=freshworks.com

All of these rules were hit for this email, yet it is still being quarantined.
"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"

USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
that's related?

$ spamassassin --version
SpamAssassin version 4.0.0-r1889518
running on Perl version 5.32.1

Here are my welcomelist/whitelist entries:
welcomelist_from_dkim *@frwfiddkim.freshworks.com
welcomelist_from_dkim *@freshworks.com
welcomelist_from *@frwfiddkim.freshworks.com
whitelist_from *@frwfiddkim.freshworks.com
welcomelist_from *@freshworks.com
welcomelist_from *@freshsales.com
welcomelist_from *@*.freshsales.com
welcomelist_from *@*.freshworks.com
welcomelist_from *@freshmarketer.com
welcomelist_from *@freshsales.io
welcomelist_auth *@freshworks.com
welcomelist_auth *@*.freshworks.com
welcomelist_spf *@frwfiddkim.freshworks.com
whitelist_spf *@frwfiddkim.freshworks.com

Many of these are just temporary to test different options (especially
the *_from entries).

Is this a bug?

https://pastebin.com/6u4uNnLQ

Ideas greatly appreciated.
Re: freshworks and DKIM and KAM
On 2021-08-27 19:36, Alex wrote:

> https://pastebin.com/6u4uNnLQ

score USER_IN_DKIM_WELCOMELIST -10 -10 -10 -10

since USER_IN_DKIM_WHITELIST is not hitting then add this above score,
it's not a bug :=)

don't know if it's same as here
https://mailing.unix.spamassassin-talk.narkive.com/rijlOWzJ/short-circuit-user-in-dkim-whitelist-hits-sometimes
Re: freshworks and DKIM and KAM
Alex wrote:
> Hi,
>
> I can't figure out why attempts at adding emails from the
> freshworks.com domain to the welcome list aren't successful. This is
> from a quarantined message on my amavis/SA/fedora system.
>
> I'm not sure why the entirety of freshworks.com would be blocked in
> the first place?
> * 9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
> * (https://raptor.pccc.com/RBL)
> * [listed in freshworks.com.wild.pccc.com]
> * 9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
> * (https://raptor.pccc.com/RBL)
> * [URI: freshworks.com]

Looking at the channel rules file that's surrounded by an ifplugin:

ifplugin Mail::SpamAssassin::Plugin::KAMOnly

and so unless you are one of Peregrine Computer Consultants Corporation
paying customers you are likely (correctly, justifiably) getting funky
DNSBL lookup results.

If you *are* a paying customer you'd need to contact their support to
see why your DNSBL lookups are going sideways.

A number of rules in that channel are surrounded by barriers like this
because they are variously unuseful for anyone else; in this case, it's
a DNSBL lookup that isn't publicly available. Don't remove those
barriers unless you really really know what you're doing.

-kgd
Re: freshworks and DKIM and KAM
Hi,

> > I can't figure out why attempts at adding emails from the
> > freshworks.com domain to the welcome list aren't successful. This is
> > from a quarantined message on my amavis/SA/fedora system.
> >
> > I'm not sure why the entirety of freshworks.com would be blocked in
> > the first place?
> > * 9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
> > * (https://raptor.pccc.com/RBL)
> > * [listed in freshworks.com.wild.pccc.com]
> > * 9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
> > * (https://raptor.pccc.com/RBL)
> > * [URI: freshworks.com]
>
> Looking at the channel rules file that's surrounded by an ifplugin:
>
> ifplugin Mail::SpamAssassin::Plugin::KAMOnly
>
> and so unless you are one of Peregrine Computer Consultants Corporation
> paying customers you are likely (correctly, justifiably) getting funky
> DNSBL lookup results.

Yes, it seems I have misinterpreted the meaning of the publicly
available KAMOnly.cf file.

Fixed, thanks
Re: freshworks and DKIM and KAM
On 27.08.21 13:36, Alex wrote:
>I can't figure out why attempts at adding emails from the
>freshworks.com domain to the welcome list aren't successful. This is
>from a quarantined message on my amavis/SA/fedora system.

>X-Envelope-From:
><bounces+5.327789648558399953-support=freshworks.com@frwfiddkim.freshworks.com>

>All of these rules were hit for this email, yet it is still being quarantined.
>"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"

note that DKIM rules are supposed to hit on From:, not on envelope from.

>USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
>to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
>that's related?

seems that while USER_IN_DKIM_WELCOMELIST does have proper score configured
in 60_whitelist_dkim.cf (-0.01 or -100)

...it's being overridden in 72_scores.cf:

score USER_IN_DKIM_WELCOMELIST 0.001 0.001 0.001 0.001

a bug report should do that.
until then, put:

score USER_IN_DKIM_WELCOMELIST -100.000

into your local overrides.


>https://pastebin.com/6u4uNnLQ
>
>Ideas greatly appreciated.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
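
Added example (not part of the thread and not SpamAssassin's own code): a small Python check that lists every `score` line for a rule in the order the rule files are read, so a later stock file overriding an earlier one, as reported above for 72_scores.cf, becomes visible. The directory layout and file contents are constructed; only the score values come from the thread, and enclosing `if`/`ifplugin` conditions are reported, not evaluated.

```python
import re
import tempfile
from pathlib import Path

# "score NAME n" or "score NAME n n n n"; relative "(n)" scores are not matched.
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+(?:\s+-?[\d.]+)*)\s*(?:#.*)?$")

def score_history(rule, dirs):
    """List every `score` line for `rule` in read order: directories as given,
    *.cf files alphanumerically inside each. The last entry is what applies."""
    hits = []
    for d in dirs:
        for cf in sorted(Path(d).glob("*.cf")):
            conds = []  # stack of enclosing if/ifplugin lines
            for lineno, raw in enumerate(cf.read_text().splitlines(), 1):
                line = raw.strip()
                if line.startswith(("ifplugin ", "if ")):
                    conds.append(line)
                elif line == "endif" and conds:
                    conds.pop()
                m = SCORE_RE.match(line)
                if m and m.group(1) == rule:
                    vals = [float(v) for v in m.group(2).split()]
                    if len(vals) == 1:  # one value applies to all four score sets
                        vals *= 4
                    hits.append((f"{cf.name}:{lineno}", vals, list(conds)))
    return hits

def demo():
    # Constructed files; the score values are the ones quoted in the thread.
    root = Path(tempfile.mkdtemp())
    stock, site = root / "stock", root / "site"
    stock.mkdir()
    site.mkdir()
    (stock / "60_whitelist_dkim.cf").write_text(
        "if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)\n"
        "  score USER_IN_DKIM_WELCOMELIST -100\n"
        "endif\n")
    (stock / "72_scores.cf").write_text(
        "score USER_IN_DKIM_WELCOMELIST 0.001 0.001 0.001 0.001\n")
    before = score_history("USER_IN_DKIM_WELCOMELIST", [stock, site])
    (site / "local.cf").write_text("score USER_IN_DKIM_WELCOMELIST -100.000\n")
    after = score_history("USER_IN_DKIM_WELCOMELIST", [stock, site])
    return before, after

if __name__ == "__main__":
    for label, hist in zip(("stock only", "with local.cf"), demo()):
        src, vals, _ = hist[-1]
        print(f"{label}: effective {vals} from {src}")
```

On a real system, pass the stock rules directory first and the site configuration directory last, since later `score` lines win.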
Re: freshworks and DKIM and KAM
NOTE: All entries on the wild RBL are hand reviewed.

Freshworks was listed on 8/11 for spamming. They seem to have freshteam,
freshsales, freshworks, etc. and present a problem. I've delisted them for
now and will keep an eye on more samples.

Re: KAM Ruleset, the best way to install it is to use the channel:
https://mcgrail.com/template/kam.cf_channel

The manual downloads are problematic because people rarely install it
correctly with all the files or sometimes using the kam only plugin which
is unlikely to work correctly for most people.

BTW, the wild RBL is not commercial but it was DDoSed when a major system
started using it for tens of millions of systems. Thanks to Linode, we
will be launching two mirrors for the RBL and putting it back in use for
the world.

Regards,
KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sat, Aug 28, 2021 at 5:06 AM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> On 27.08.21 13:36, Alex wrote:
> >I can't figure out why attempts at adding emails from the
> >freshworks.com domain to the welcome list aren't successful. This is
> >from a quarantined message on my amavis/SA/fedora system.
>
> >X-Envelope-From:
> ><bounces+5.327789648558399953-support=freshworks.com@frwfiddkim.freshworks.com>
>
> >All of these rules were hit for this email, yet it is still being quarantined.
> >"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"
>
> note that DKIM rules are supposed to hit on From:, not on envelope from.
>
> >USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
> >to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
> >that's related?
>
> seems that while USER_IN_DKIM_WELCOMELIST does have proper score configured
> in 60_whitelist_dkim.cf (-0.01 or -100)
>
> ...it's being overridden in 72_scores.cf:
>
> score USER_IN_DKIM_WELCOMELIST 0.001 0.001 0.001 0.001
>
> a bug report should do that.
> until then, put:
>
> score USER_IN_DKIM_WELCOMELIST -100.000
>
> into your local overrides.
>
>
> >https://pastebin.com/6u4uNnLQ
> >
> >Ideas greatly appreciated.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".
>