
Understanding FORGED_GMAIL_RCVD and other rules
Hello,

There is one mailchimp user (an org sending mail news by leveraging
mailchimp services), whose mails are flagged by our mail gateway servers
(postfix with amavis and spamassassin) with "FORGED_GMAIL_RCVD".

I am trying to understand what is wrong with these mails and why they
trigger the "FORGED_GMAIL_RCVD" rule.

Here are the headers of one such mail (mail local parts and mailchimp
codes modified consistently):

==============================================================================
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From:
<bounce-mcsys.us14_169988169.8021e7b523.NA-userx=noa.gr@mail21.atl161.mctxapp.net>
X-Envelope-To: <userx@noa.gr>
X-Envelope-To-Blocked: <userx@noa.gr>
X-Quarantine-ID: <SPEvHfP1qu5C>
X-Spam-Flag: YES
X-Spam-Score: 6.446
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.446 tag=-999 tag2=3.4 kill=5.2
        tests=[BAYES_50=0.8, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1,
        DKIM_VALID=-0.1, FORGED_GMAIL_RCVD=4,
FREEMAIL_FORGED_FROMDOMAIN=0.5,
        FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25,
        HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
        MIME_HTML_ONLY=0.1, NML_ADSP_CUSTOM_MED=0.9,
        RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_IADB_DK=-0.095,
        RCVD_IN_IADB_LISTED=-0.001, RCVD_IN_IADB_SENDERID=-0.001,
        RCVD_IN_IADB_SPF=-0.059, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1]
        autolearn=disabled
Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass
(2048-bit key)
        header.d=mailchimpapp.net
Received: from mailgw1.noa.gr ([127.0.0.1])
        by localhost (mailgw1.noa.gr [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id SPEvHfP1qu5C for <userx@noa.gr>;
        Thu, 16 Jun 2022 18:53:40 +0300 (EEST)
Received: from mail21.atl161.mctxapp.net (mail21.atl161.mctxapp.net
[198.2.140.21])
        by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id
4LP6Cl5g3wzMHHc
        for <userx@noa.gr>; Thu, 16 Jun 2022 18:53:39 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net;
        s=k3; t=1655394817; x=1655697217;
        i=geologicalsociety52=3Dgmail.com@mailchimpapp.net;
        bh=sglTLcy5acviMc1jwNJzu3D3fvoIN5jx0MaJ2gqNLL0=;
h=From:Reply-To:To:Date:Message-ID:X-MC-User:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:CC:Date:Subject:From;
b=SQNNnPuZp08+GcvBxyEdKfb3RfOpkb0Gn0lXIXKLqzgbt0FsjSirmhlSSaA0JfnIt
PbxfpjtBorjZ/RuVqarc8QuGO5c36buSqUmfaKtiGG4Bg421y58fkzM7b5oH3vzYNl
YAcM3dSgFJh/hyFgP1DxDCeVdymxTJEj9m8GHAFVQN6XR7jvBnW8Q1nmIvmtsmfwyE
TQWyN+pkbIe2UZWZwBx0c95CZhb8r3DsBqEp0qTo+Md66ox/cxE4lYecsSbzabIWpA
dmZ4cIoZ5bHIYaQIvsgNpDButCcbwzhUlI1ID7PVUvjrbCZN8567JSc8hNFG6S13Kr
         Xr0GvSnxW0bjw==
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by mail21.atl161.mctxapp.net (Mailchimp) with ESMTP id
4LP6Cj4p59zNCpSj3
        for <userx@noa.gr>; Thu, 16 Jun 2022 15:53:37 +0000 (GMT)
From:  <geoxxx@gmail.com>
Reply-To:  <geoxxx@gmail.com>
To:  <userx@noa.gr>
Date: Thu, 16 Jun 2022 15:53:37 +0000
Message-ID:
<c462fabb8419fd9e90a977dab020df72g1e.20220616155337@mail21.atl161.mctxapp.net>
X-Mailer: Mailchimp Mailer - **CID8021e7b523020df72g1e**
X-Campaign: mailchimpc462fabb8419fd9e90a977dab.8021e7b523
X-campaignid: mailchimpc462fabb8419fd9e90a977dab.8021e7b523
X-Report-Abuse: Please report abuse for this campaign here:
https://mailchimp.com/contact/abuse/?u=c462fabb8419fd9e90a977dab&id=8021e7b523&e=020df72g1e
X-MC-User: c462fabb8419fd9e90a977dab
X-Feedback-ID: 169988169:169988169.8021e7b523:us14:mc

X-Auto-Response-Suppress: OOF, AutoReply
X-Accounttype: ff
Subject: Mailchimp Template Test - "Untitled Template"
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"; format="fixed"
Content-Transfer-Encoding: quoted-printable
...
==============================================================================

Can you please help me understand why the rule was triggered? I have
done my search but I have not really understood why.

Secondarily, if I understand right, the following rules:

FREEMAIL_FORGED_FROMDOMAIN

HEADER_FROM_DIFFERENT_DOMAINS

were also triggered because the Envelope-From is different from "From:",
but this is to be expected from mailing lists.

How should these rules (and possibly others too) be treated in
production systems to avoid banning legitimate mailing list mails?

Thanks in advance,
Nick
RE: Understanding FORGED_GMAIL_RCVD and other rules
>
> There is one mailchimp user (an org sending mail news by leveraging

only one???? ;)


> mailchimp services), whose mails are flagged by our mail gateway servers
> (postfix with amavis and spamassassin) with "FORGED_GMAIL_RCVD".
>
> I am trying to understand what is wrong with these mails and they
> trigger the "FORGED_GMAIL_RCVD" rule.

I didn't write these rules, but my guess would be because the host network is mailchimp, and the email address is @gmail.com?

> How should these (and possibly other ones too) rules be treated in
> production systems to avoid banning legitimate mailing list mails?
>

It is very difficult to separate 'legitimate' email from spam, especially at mailchimp. I have decided to just block ranges that are emitting spam/newsletters that people did not sign up for.
If legitimate email is blocked, tough luck for the sender. They should have chosen a more professional (not free) service.
Re: Understanding FORGED_GMAIL_RCVD and other rules
Nikolaos Milas <nmilas@noa.gr> writes:

> I am trying to understand what is wrong with these mails and they
> trigger the "FORGED_GMAIL_RCVD" rule.

What is wrong with them is that they have a From: of gmail and do not
have a gmail DKIM signature. They are in fact forged -- even if the
user that owns the email address agreed to this.


> Can you please help me understand why the rule was triggered? I have
> done my search but I have not really understood why.

Did you read the rules? 20_head_tests.cf has

if (version >= 3.004002)
header FORGED_GMAIL_RCVD eval:check_for_forged_gmail_received_headers()
describe FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers
endif

But I do not see a score assigned. In my own system, the score for
this rule (as seen in debug output) is 1.0. That seems entirely
reasonable for a fairly common but irregular situation.

> Secondarily, if I understand right, the following rules:
>
> FREEMAIL_FORGED_FROMDOMAIN
>
> HEADER_FROM_DIFFERENT_DOMAINS
>
> were also triggered because the Envelope-From is different from
> "From:" but this is expectable from mailing lists.
>
> How should these (and possibly other ones too) rules be treated in
> production systems to avoid banning legitimate mailing list mails?

If you want to welcomelist mailchimp, you can do that.

I suspect your real problem is that there is config to increase the
score for FORGED_GMAIL_RCVD. Your example shows 4.0 which I think
everyone would say is too high.
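Greg's explanation in working code, as an added example (my own, not SpamAssassin's check_for_forged_gmail_received_headers(), whose Received: patterns are more elaborate than the single ".google.com" test used here). It parses two constructed messages, one trimmed from the Mailchimp headers quoted at the top of the thread and one hypothetical message that really left Gmail (MTA name, documentation-range IP and DKIM selector are made up), and flags the case where From: claims gmail.com but neither a Google Received: hop nor a gmail.com DKIM signature backs it. GMAIL_DOMAINS and the helper names are my assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, trimmed from the Mailchimp message quoted in the thread:
# a gmail.com From: address, but the only DKIM signature is d=mailchimpapp.net
# and no Received: hop comes from a Google MTA.
FORGED_SAMPLE = """\
Received: from mail21.atl161.mctxapp.net (mail21.atl161.mctxapp.net [198.2.140.21])
        by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id 4LP6Cl5g3wzMHHc
        for <userx@noa.gr>; Thu, 16 Jun 2022 18:53:39 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net;
        s=k3; h=From:To:Subject; bh=REDACTED; b=REDACTED
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by mail21.atl161.mctxapp.net (Mailchimp) with ESMTP id 4LP6Cj4p59zNCpSj3
        for <userx@noa.gr>; Thu, 16 Jun 2022 15:53:37 +0000 (GMT)
From: <geoxxx@gmail.com>
To: <userx@noa.gr>
Subject: Mailchimp Template Test

body
"""

# Constructed sample of a message that really left Gmail: hypothetical Google
# MTA name, documentation-range IP, and a DKIM signature with d=gmail.com.
GENUINE_SAMPLE = """\
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [192.0.2.10])
        by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id EXAMPLEID
        for <userx@noa.gr>; Thu, 16 Jun 2022 18:53:39 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
        h=From:To:Subject; bh=REDACTED; b=REDACTED
From: Someone <geoxxx@gmail.com>
To: <userx@noa.gr>
Subject: hello

body
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # assumption: domains treated as "Gmail"


def parse(raw):
    """Parse a raw RFC 5322 message; policy.default joins folded header lines."""
    return email.message_from_string(raw, policy=policy.default)


def from_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Host named in the 'from' clause of each Received: header, top to bottom."""
    hosts = []
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(rcvd), re.I)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def dkim_signing_domains(msg):
    """Set of d= tags across all DKIM-Signature headers (signature not verified)."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "d":
                domains.add(value.strip().lower())
    return domains


def forged_gmail_received(msg):
    """Simplified analogue of FORGED_GMAIL_RCVD plus Greg's DKIM criterion:
    From: says Gmail, but no Received: hop names a google.com host and
    no DKIM signature carries d=gmail.com."""
    if from_domain(msg) not in GMAIL_DOMAINS:
        return False
    via_google = any(h.endswith(".google.com") for h in received_hosts(msg))
    signed_by_gmail = bool(GMAIL_DOMAINS & dkim_signing_domains(msg))
    return not (via_google or signed_by_gmail)


if __name__ == "__main__":
    for label, raw in (("mailchimp", FORGED_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, "forged" if forged_gmail_received(parse(raw)) else "ok")
```

The DKIM part only reads the d= tag; a real gateway would take the domain from the verifier's pass result (the Authentication-Results line in the thread shows dkim=pass header.d=mailchimpapp.net), since an unverified signature header can name any domain.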
Re: Understanding FORGED_GMAIL_RCVD and other rules
On 22/6/2022 1:53 PM, Greg Troxel wrote:
> ...
> I suspect your real problem is that there is config to increase the
> score for FORGED_GMAIL_RCVD. Your example shows 4.0 which I think
> everyone would say is too high.
> ...

Hi Greg and Marc, who were both prompt to help!

Sorry for my delayed feedback.

Thanks for your kind assistance. You really helped me by pointing to my
custom FORGED_GMAIL_RCVD score (4.0).

(I can't remember any more how I had decided or where I had found a
suggestion for that score.)

I reduced the score by half (to 2.0), as well as that of the
PDS_FROM_2_EMAILS rule (to 2.0).

I thought I should probably keep it above the default value of 1.0, at
least for the time being.

Thanks again!

Cheers,
Nick
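To see what the score change does to this particular message, here is an added example (my own code, not amavis's or SpamAssassin's) that re-reads the tests= list from the X-Spam-Status header quoted at the top of the thread and recomputes the total under the custom 4.0, Nick's 2.0 and the default 1.0, against the amavisd-new thresholds in the same header (tag2 marks the mail as spam, kill blocks or quarantines it). The header copy is constructed from the thread, with folding removed; function names are mine.

```python
import re

# Constructed, unfolded copy of the X-Spam-Status header quoted in the thread.
X_SPAM_STATUS = (
    "Yes, score=6.446 tag=-999 tag2=3.4 kill=5.2 "
    "tests=[BAYES_50=0.8, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, "
    "DKIM_VALID=-0.1, FORGED_GMAIL_RCVD=4, FREEMAIL_FORGED_FROMDOMAIN=0.5, "
    "FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, "
    "HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, "
    "MIME_HTML_ONLY=0.1, NML_ADSP_CUSTOM_MED=0.9, "
    "RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_IADB_DK=-0.095, "
    "RCVD_IN_IADB_LISTED=-0.001, RCVD_IN_IADB_SENDERID=-0.001, "
    "RCVD_IN_IADB_SPF=-0.059, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1] "
    "autolearn=disabled"
)


def parse_status(value):
    """Return ({'tag2': .., 'kill': ..}, {rule: score}) from an amavis X-Spam-Status value."""
    thresholds = {k: float(v) for k, v in re.findall(r"\b(tag2|kill)=(-?[\d.]+)", value)}
    m = re.search(r"tests=\[(.*?)\]", value, re.S)
    scores = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, score = item.strip().partition("=")
        if name:
            scores[name] = float(score)
    return thresholds, scores


def rescore(scores, overrides):
    """Total after replacing the scores of rules that actually hit.
    Overrides for rules absent from the list (PDS_FROM_2_EMAILS here) change nothing."""
    merged = {rule: overrides.get(rule, s) for rule, s in scores.items()}
    return round(sum(merged.values()), 3)


def verdict(total, thresholds):
    """amavisd-new outcome for a total: 'kill' (blocked), 'tag2' (flagged), or 'clean'."""
    if total >= thresholds["kill"]:
        return "kill"
    if total >= thresholds["tag2"]:
        return "tag2"
    return "clean"


def compare(value, rule, candidates):
    """Map each candidate score for `rule` to (new total, verdict)."""
    thresholds, scores = parse_status(value)
    result = {}
    for s in candidates:
        total = rescore(scores, {rule: s})
        result[s] = (total, verdict(total, thresholds))
    return result


if __name__ == "__main__":
    for s, (total, outcome) in compare(X_SPAM_STATUS, "FORGED_GMAIL_RCVD", (4.0, 2.0, 1.0)).items():
        print(f"FORGED_GMAIL_RCVD={s}: total={total} -> {outcome}")
```

The arithmetic shows the caveat worth knowing before relying on the new score: at 2.0 this message drops to 4.446, below kill=5.2 so it is no longer blocked, but still above tag2=3.4, so it keeps X-Spam-Flag: YES; even at the default 1.0 it lands on 3.446, still flagged, because the freemail and ADSP rules add up on their own. Whether that is acceptable is a site policy choice; the example only makes the numbers visible.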