
SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
Full headers follow, but it seems the shopify detection in the above isn't quite correct;

Return-path: <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>
Envelope-to: vmstfpodc@mattcorallo.com
Delivery-date: Mon, 15 Nov 2021 21:10:55 +0000
Received: from o13.mailer.shopify.com ([149.72.221.62])
by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02
(envelope-from <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>)
for vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shopifyemail.com;
h=content-transfer-encoding:content-type:from:mime-version:subject:to;
s=s1; bh=L6MOYDUWmLOqslFvAtFYWh5qLPKmd6pYEgpqrenHnBs=;
b=UvsSoEOv493AjrzWR4oEG6Az0lh/7AXA3ffUaba8uMXlw9JLorE+crRICh8MvxfG5Fvo
pvdct01r9M+Bf026VMyW/FlFWXpWzN05nzQAOCiFbmG+5EO1eRH1OeVgh01abOvixsBeE3
CjdBHnuX6AN5nqhsAbN9sCxvqbp8Fw2ua/gXe3UV4I2eN84kKNavD+OXlg6p58tAdYLbIP
H0cZsSbI2P0r7IBx9xy8W75+xko5TmEv8G3iCqu5XIkjyFiXXQ7Tb6945ufsesdWPySptl
tB/4bpKj0tsHPVB5P0Khbs+D+rihd6fXCIR1DVSi95zRy7jFetZ+qs92V2kcriqw==
Received: by filterdrecv-55446c4d49-qtzhb with SMTP id filterdrecv-55446c4d49-qtzhb-1-6192CCBD-22
2021-11-15 21:10:21.40606231 +0000 UTC m=+6475835.615170087
Received: from MTEwMDY4MzM (unknown)
by ismtpd0166p1iad2.sendgrid.net (SG)
with HTTP
id IH-oNFPeQuCQYJmXFK0TZA
Mon, 15 Nov 2021 21:10:21.347 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2021 21:10:47 +0000 (UTC)
From: Vogmask <contact@vogmask.com>
Mime-Version: 1.0
Message-ID: <E1020005-16B7D47C7B523542-AB2626CC@shopify.com>
Subject: Vogmask wishing you healthy holidays
X-SG-EID:
X-SG-ID:
To: Matthew Corallo <vmstfpodc@mattcorallo.com>
X-Entity-ID: IhRJlkz40SfErzamwKHkAA==
X-Spam-Report: Yes, score=6.3 required=5.0 autolearn=disabled version=3.4.6
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.4944]
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
[149.72.221.62 listed in wl.mailspike.net]
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
area
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
2.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
2.5 SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not
from Shopify
0.0 NORDNS_LOW_CONTRAST No rDNS + hidden text
X-Spam-Score: 6.3
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
----- Message from Matt Corallo <saaul@mattcorallo.com> ---------
Date: Mon, 15 Nov 2021 20:06:22 -0500
From: Matt Corallo <saaul@mattcorallo.com>
Subject: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
To: users@spamassassin.apache.org


> Full headers follow, but it seems the shopify detection in the above
> isn't quite correct;
>
> Return-path:
> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>
> Envelope-to: vmstfpodc@mattcorallo.com
> Delivery-date: Mon, 15 Nov 2021 21:10:55 +0000
> Received: from o13.mailer.shopify.com ([149.72.221.62])
> by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02
> (envelope-from
> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>)
> for vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shopifyemail.com;
> h=content-transfer-encoding:content-type:from:mime-version:subject:to;
> s=s1; bh=L6MOYDUWmLOqslFvAtFYWh5qLPKmd6pYEgpqrenHnBs=;
> b=UvsSoEOv493AjrzWR4oEG6Az0lh/7AXA3ffUaba8uMXlw9JLorE+crRICh8MvxfG5Fvo
> pvdct01r9M+Bf026VMyW/FlFWXpWzN05nzQAOCiFbmG+5EO1eRH1OeVgh01abOvixsBeE3
> CjdBHnuX6AN5nqhsAbN9sCxvqbp8Fw2ua/gXe3UV4I2eN84kKNavD+OXlg6p58tAdYLbIP
> H0cZsSbI2P0r7IBx9xy8W75+xko5TmEv8G3iCqu5XIkjyFiXXQ7Tb6945ufsesdWPySptl
> tB/4bpKj0tsHPVB5P0Khbs+D+rihd6fXCIR1DVSi95zRy7jFetZ+qs92V2kcriqw==
> Received: by filterdrecv-55446c4d49-qtzhb with SMTP id
> filterdrecv-55446c4d49-qtzhb-1-6192CCBD-22
> 2021-11-15 21:10:21.40606231 +0000 UTC m=+6475835.615170087
> Received: from MTEwMDY4MzM (unknown)
> by ismtpd0166p1iad2.sendgrid.net (SG)
> with HTTP
> id IH-oNFPeQuCQYJmXFK0TZA
> Mon, 15 Nov 2021 21:10:21.347 +0000 (UTC)
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset=utf-8
> Date: Mon, 15 Nov 2021 21:10:47 +0000 (UTC)
> From: Vogmask <contact@vogmask.com>
> Mime-Version: 1.0
> Message-ID: <E1020005-16B7D47C7B523542-AB2626CC@shopify.com>
> Subject: Vogmask wishing you healthy holidays
> X-SG-EID:
>
> X-SG-ID:
>
> To: Matthew Corallo <vmstfpodc@mattcorallo.com>
> X-Entity-ID: IhRJlkz40SfErzamwKHkAA==
> X-Spam-Report: Yes, score=6.3 required=5.0 autolearn=disabled version=3.4.6
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> [score: 0.4944]
> -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> [149.72.221.62 listed in wl.mailspike.net]
> 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
> mail domains are different
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
> identical to background
> 0.0 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
> area
> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
> envelope-from domain
> -0.1 DKIM_VALID Message has at least one valid DKIM or
> DK signature
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> valid
> 0.8 RDNS_NONE Delivered to internal network by a host
> with no rDNS
> 2.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
> 2.5 SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not
> from Shopify
> 0.0 NORDNS_LOW_CONTRAST No rDNS + hidden text
> X-Spam-Score: 6.3


----- End message from Matt Corallo <saaul@mattcorallo.com> -----

I've had issues with this one before, and have this note in my local.cf:

## This rule is triggering a lot on emails which are not Spam,
## reducing score from 2.497
score SHOPIFY_IMG_NOT_RCVD_SFY 1.8


Simon


--
Simon Wilson
M: 0400 12 11 16
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On 2021-11-15 at 20:06:22 UTC-0500 (Mon, 15 Nov 2021 20:06:22 -0500)
Matt Corallo <saaul@mattcorallo.com>
is rumored to have said:

> Full headers follow, but it seems the shopify detection in the above
> isn't quite correct;
>
> Return-path:
> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>
> Envelope-to: vmstfpodc@mattcorallo.com
> Delivery-date: Mon, 15 Nov 2021 21:10:55 +0000
> Received: from o13.mailer.shopify.com ([149.72.221.62])
> by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02
> (envelope-from
> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>)
> for vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000

The lack of any name inside the parentheses before the bracketed IP in
that Received header implies that mail.as397444.net could not get a
verifiable rDNS name for that relay.

In short, SA trusts your MTA's indication that this may not really be a
shopify relay.

Even shorter: It's DNS. It's ALWAYS DNS.

[...]

> 0.8 RDNS_NONE Delivered to internal network by a host
> with no rDNS
> 2.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
> 2.5 SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not
> from Shopify
> 0.0 NORDNS_LOW_CONTRAST No rDNS + hidden text
> X-Spam-Score: 6.3

That's 5.3 out of 6.3 caused by the inability of mail.as397444.net to
get a verifiable rDNS name for 149.72.221.62 at delivery time.

It's ALWAYS DNS.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Mon, 15 Nov 2021, Matt Corallo wrote:

> Full headers follow, but it seems the shopify detection in the above isn't
> quite correct;

Thanks for the report, will fix.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Never forget, even for an instant, that the one and only reason
anyone has for taking your gun away is to make you weaker than
he is, so he can do something to you that you wouldn’t let him
do if you were equipped to prevent it. This goes for burglars,
muggers, and rapists, and even more so for policemen,
bureaucrats, and politicians. -- Alexander Pope
-----------------------------------------------------------------------
535 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Tue, 16 Nov 2021, Bill Cole wrote:

> On 2021-11-15 at 20:06:22 UTC-0500 (Mon, 15 Nov 2021 20:06:22 -0500)
> Matt Corallo <saaul@mattcorallo.com>
> is rumored to have said:
>
>> Full headers follow, but it seems the shopify detection in the above isn't
>> quite correct;
>>
>> Return-path:
>> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>
>> Envelope-to: vmstfpodc@mattcorallo.com
>> Delivery-date: Mon, 15 Nov 2021 21:10:55 +0000
>> Received: from o13.mailer.shopify.com ([149.72.221.62])
>> by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02
>> (envelope-from
>> <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>)
>> for vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000
>
> The lack of any name inside the parentheses before the bracketed IP in that
> Received header implies that mail.as397444.net could not get a verifiable
> rDNS name for that relay.
>
> In short, SA trusts your MTA's indication that this may not really be a
> shopify relay.
>
> Even shorter: It's DNS. It's ALWAYS DNS.
>
> [...]
>
>> 0.8 RDNS_NONE Delivered to internal network by a host with
>> no rDNS
>> 2.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
>> 2.5 SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not
>> from Shopify
>> 0.0 NORDNS_LOW_CONTRAST No rDNS + hidden text
>> X-Spam-Score: 6.3
>
> That's 5.3 out of 6.3 caused by the inability of mail.as397444.net to get a
> verifiable rDNS name for 149.72.221.62 at delivery time.
>
> It's ALWAYS DNS.

...then again, nothing can be done to fix the rule...

Complain to Shopify that their lack of rDNS is causing their mail to be
considered spam.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Never forget, even for an instant, that the one and only reason
anyone has for taking your gun away is to make you weaker than
he is, so he can do something to you that you wouldn’t let him
do if you were equipped to prevent it. This goes for burglars,
muggers, and rapists, and even more so for policemen,
bureaucrats, and politicians. -- Alexander Pope
-----------------------------------------------------------------------
535 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On 11/16/21 00:26, Bill Cole wrote:
> On 2021-11-15 at 20:06:22 UTC-0500 (Mon, 15 Nov 2021 20:06:22 -0500)
> Matt Corallo <saaul@mattcorallo.com>
> is rumored to have said:
>
>> Full headers follow, but it seems the shopify detection in the above isn't quite correct;
>>
>> Return-path: <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>
>> Envelope-to: vmstfpodc@mattcorallo.com
>> Delivery-date: Mon, 15 Nov 2021 21:10:55 +0000
>> Received: from o13.mailer.shopify.com ([149.72.221.62])
>>     by mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02
>>     (envelope-from <bounces+11006833-f9b2-vmstfpodc=mattcorallo.com@mailer.shopifyemail.com>)
>>     for vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000
>
> The lack of any name inside the parentheses before the bracketed IP in that Received header implies
> that mail.as397444.net could not get a verifiable rDNS name for that relay.
>
> In short, SA trusts your MTA's indication that this may not really be a shopify relay.
>
> Even shorter: It's DNS. It's ALWAYS DNS.

Huh! Thanks, sorry for the noise, I hadn't caught that. Somehow exim seems confused: it does the DNS
queries and they return the right rDNS, but then the Received line is wrong...
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
>
> -----------------------------------------------------------------------
> Never forget, even for an instant, that the one and only reason
> anyone has for taking your gun away is to make you weaker than
> he is, so he can do something to you that you wouldn’t let him
> do if you were equipped to prevent it. This goes for burglars,
> muggers, and rapists, and even more so for policemen,
> bureaucrats, and politicians. -- Alexander Pope
> -----------------------------------------------------------------------
>

-- L. Neil Smith, actually. So far right that he went
around the dial and wanted to defund police.

Joseph Brennan
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
(resending due to broken from email, sorry bill if you see this twice)

On 11/16/21 00:26, Bill Cole wrote:
> The lack of any name inside the parentheses before the bracketed IP in that Received header
> implies that mail.as397444.net could not get a verifiable rDNS name for that relay.
>
> In short, SA trusts your MTA's indication that this may not really be a shopify relay.
>
> Even shorter: It's DNS. It's ALWAYS DNS.

I followed up on the exim-users list on this - Exim *did* verify the FcRDNS here and the above
header line is what it generates by default for FcRDNS. The RFC quote they responded with is at [1].
A FcRDNS-failed received line is at [2].

It seems maybe SA's Received parser should be tweaked to support exim? Is there some way to do so in
the config? Otherwise I can change the Received line generated by Exim, but it seems strange that the
defaults fail here.

Thanks,
Matt

[1] https://lists.exim.org/lurker/message/20211118.151417.19b10d55.en.html
[2] Received: from [2620:6e:a000:1000:5032:f151:67fb:662b] (helo=eyeballs.as397444.net)
by mail.as397444.net with smtp id 1mnk27-003mD4-EI
(envelope-from <...>)
for ...; Thu, 18 Nov 2021 16:13:07 +0000
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Thu, 18 Nov 2021, Matt Corallo wrote:

> I followed up on the exim-users list on this - Exim *did* verify the FcRDNS
> here and the above header line is what it generates by default for FcRDNS.
> The RFC quote they responded with is at [1]. A FcRDNS-failed received line is
> at [2].

I've modified that rule a bit to also look at the HELO and envelope From
address to see if they are from Shopify. Granted that's less reliable than
rDNS, but it's probably Good Enough.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
These Sarah Brady types must be educated to understand that
because we have an armed citizenry, that a dictatorship has not
yet happened in America. These anti-gun fools are more dangerous
to Liberty than street criminals or foreign spies.
-- Theodore Haas, Dachau survivor
-----------------------------------------------------------------------
537 days since the first private commercial manned orbital mission (SpaceX)
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On 11/18/21 16:49, John Hardin wrote:
> On Thu, 18 Nov 2021, Matt Corallo wrote:
>
>> I followed up on the exim-users list on this - Exim *did* verify the FcRDNS here and the above
>> header line is what it generates by default for FcRDNS. The RFC quote they responded with is at
>> [1]. A FcRDNS-failed received line is at [2].
>
> I've modified that rule a bit to also look at the HELO and envelope From address to see if they are
> from Shopify. Granted that's less reliable than rDNS, but it's probably Good Enough.

Note that the subject is, in hindsight, a bit of a misnomer. Obviously there's a ton of rules that
rely on FcRDNS, and in this case it seems like Exim's Received lines just do not match SA's current
detection, causing this and many other rules to fail.

Matt
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On 11/18/21 12:08, Bill Cole wrote:
> On 2021-11-18 at 11:14:27 UTC-0500 (Thu, 18 Nov 2021 11:14:27 -0500)
>> Is there some way to do so in the config, otherwise I can change the Received line generated by
>> Exim but it seems strange the defaults fail here.
>
> It can't be done in config, because there needs to be complex logic to parse out elements.
>
> What I do not see yet, despite reading the thread on the Exim list, is how to identify a *confirmed*
> client reverse DNS hostname in Exim's Received headers, vs. a HELO argument vs. a PTR result that
> doesn't have an A record pointing back to the client IP.
>
> Sendmail & Postfix do this, making a very explicit statement when the rDNS name doesn't exist or
> isn't right:
>
> Received: from HELO_Name ({confirmed hostname|'unknown'} [client IP])
>
> I believe that making Exim do that would fix the issue for existing SA 3.4.x installations. If I can
> work out how to detect missing or wrong rDNS in the Received header, that should be fixed for 4.0.

Yea, I can override it locally, just interested in helping out reporting issues for 4.0 now.

>> Thanks,
>> Matt
>>
>> [1] https://lists.exim.org/lurker/message/20211118.151417.19b10d55.en.html
>> [2] Received: from [2620:6e:a000:1000:5032:f151:67fb:662b] (helo=eyeballs.as397444.net)
>>     by mail.as397444.net with smtp id 1mnk27-003mD4-EI
>>     (envelope-from <...>)
>>     for ...; Thu, 18 Nov 2021 16:13:07 +0000
>
> So, if the rDNS name does not resolve, you get 'from  [ip-literal] (helo=HELO_Name)' ?
>
> If the rDNS name resolves back to the client IP, how is it different?
> If the rDNS name resolves to some other IP, how is it different?


The above is with an IP which *does* RDNS resolve to the HELO hostname, but which does not have a
FcRDNS match. I believe it looks the same whether RDNS resolves or not, it only changes if FcRDNS
matches.

Quoting from the exim documentation, the default Received line starts with (edited to remove the RFC
1413 bits):

Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
{${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \

sender_rcvhost is defined as:

This is provided specifically for use in Received: headers. It starts with either the verified
host name (as obtained from a reverse DNS lookup) or, if there is no verified host name, the IP
address in square brackets. After that there may be text in parentheses. When the first item is a
verified host name, the first thing in the parentheses is the IP address in square brackets,
followed by a colon and a port number if port logging is enabled. When the first item is an IP
address, the port is recorded as “port=xxxx” inside the parentheses.

There may also be items of the form “helo=xxxx” if HELO or EHLO was used and its argument was
not identical to the real host name or IP address, and “ident=xxxx” if an RFC 1413 ident string is
available. If all three items are present in the parentheses, a newline and tab are inserted into
the string, to improve the formatting of the Received: header.
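The Received: formats this thread contrasts, as an added example that is not SpamAssassin's or Exim's own code: Bill's Sendmail/Postfix template `from HELO ({confirmed hostname|'unknown'} [ip])`, Exim's verified form `from host ([ip] helo=...)` (helo= only when it differs from the name), and Exim's unverified form `from [ip] (helo=...)` from [2]. The two Exim headers are the ones quoted in the thread; the Postfix-style samples, `mx.example.net` and the queue ids are constructed, and `trust_helo` models the weaker HELO fallback John described for the relaxed rule.

```python
import re
from typing import Optional

# Sendmail/Postfix style (Bill's template): "from HELO ({confirmed-hostname|unknown} [ip])"
_SENDMAIL_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)\s+\[(?P<ip>[^\]]+)\]"
)
# Exim with a verified name: "from HOST ([ip][:port] [helo=HELO])";
# helo= appears only when the HELO argument differs from the verified name.
_EXIM_VERIFIED_RE = re.compile(
    r"^from\s+(?P<rdns>[^\s\[\]()]+)\s+\(\[(?P<ip>[^\]]+)\](?::\d+)?"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?"
)
# Exim without a verified name: "from [ip] (port=N helo=HELO)"; per the thread this
# looks the same whether the PTR lookup failed or merely did not forward-confirm.
_EXIM_UNVERIFIED_RE = re.compile(
    r"^from\s+\[(?P<ip>[^\]]+)\]\s+\((?:port=\d+\s+)?helo=(?P<helo>[^\s)]+)"
)


def parse_received(header: str) -> Optional[dict]:
    """Parse the 'from' clause: verified rDNS name (None if unverified), IP, HELO, style."""
    text = " ".join(header.split())  # unfold continuation lines
    if text.lower().startswith("received:"):
        text = text[len("received:"):].lstrip()
    m = _EXIM_UNVERIFIED_RE.match(text)
    if m:
        return {"style": "exim", "rdns": None, "ip": m["ip"], "helo": m["helo"]}
    m = _SENDMAIL_RE.match(text)
    if m:
        rdns = None if m["rdns"].lower() == "unknown" else m["rdns"]
        return {"style": "sendmail", "rdns": rdns, "ip": m["ip"], "helo": m["helo"]}
    m = _EXIM_VERIFIED_RE.match(text)
    if m:
        helo = m["helo"] or m["rdns"]  # Exim omits helo= when it equals the name
        return {"style": "exim", "rdns": m["rdns"], "ip": m["ip"], "helo": helo}
    return None


def sender_in_domain(parsed: dict, domain: str, trust_helo: bool = False) -> bool:
    """True if the verified rDNS name is under domain; with trust_helo, fall back
    to the HELO argument (weaker evidence, as the relaxed rule in the thread does)."""
    name = parsed["rdns"]
    if name is None and trust_helo:
        name = parsed["helo"]
    if name is None:
        return False
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)


# The two Exim headers quoted in the thread (envelope-from clause trimmed for width).
EXIM_VERIFIED = (
    "Received: from o13.mailer.shopify.com ([149.72.221.62])\n"
    "\tby mail.as397444.net with esmtps TLS1.3 id 1mmjFb-0034Ki-02\n"
    "\tfor vmstfpodc@mattcorallo.com; Mon, 15 Nov 2021 21:10:54 +0000"
)
EXIM_UNVERIFIED = (
    "Received: from [2620:6e:a000:1000:5032:f151:67fb:662b] (helo=eyeballs.as397444.net)\n"
    "\tby mail.as397444.net with smtp id 1mnk27-003mD4-EI"
)
# Constructed Postfix-style samples following Bill's template (relay and ids are made up).
POSTFIX_VERIFIED = (
    "Received: from o13.mailer.shopify.com (o13.mailer.shopify.com [149.72.221.62])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id CONSTRUCTED1"
)
POSTFIX_UNKNOWN = (
    "Received: from o13.mailer.shopify.com (unknown [149.72.221.62])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id CONSTRUCTED2"
)

if __name__ == "__main__":
    for hdr in (EXIM_VERIFIED, EXIM_UNVERIFIED, POSTFIX_VERIFIED, POSTFIX_UNKNOWN):
        p = parse_received(hdr)
        print(p, "shopify by rDNS:", sender_in_domain(p, "shopify.com"))
```

Running it shows why the Exim verified header and the Postfix "unknown" header must be told apart: a parser that only recognises the Postfix template treats the former as having no rDNS, which is the mis-scoring Matt reported.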
Re: SHOPIFY_IMG_NOT_RCVD_SFY but from Shopify
On Thu, 18 Nov 2021, Matt Corallo wrote:
> On 11/18/21 16:49, John Hardin wrote:
>> On Thu, 18 Nov 2021, Matt Corallo wrote:
>>
>>> I followed up on the exim-users list on this - Exim *did* verify the
>>> FcRDNS here and the above header line is what it generates by default for
>>> FcRDNS. The RFC quote they responded with is at [1]. A FcRDNS-failed
>>> received line is at [2].
>>
>> I've modified that rule a bit to also look at the HELO and envelope From
>> address to see if they are from Shopify. Granted that's less reliable than
>> rDNS, but it's probably Good Enough.
>
> Note that the subject is, in hindsight, a bit of a misnomer.

Not really - it is accurate, but the scope was found to be larger. If this
discussion continues, it might be reasonable to re-title the thread to be
more representative. Perhaps "SA mis-parsing Exim Received headers".

> Obviously
> there's a ton of rules that rely on FcRDNS, and in this case it seems like
> Exim's Received lines just do not match SA's current detection, causing this
> and many other rules to fail.

Recognized. Sadly, it won't be fixed in 3.4.x


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Taking my gun away because I *might* shoot someone is like cutting
my tongue out because I *might* yell "Fire!" in a crowded theater.
-- Peter Venetoklis
-----------------------------------------------------------------------
537 days since the first private commercial manned orbital mission (SpaceX)