Mailing List Archive

More Sendgrid trouble?
Is anyone else seeing intermittent FNs on mail sent through Sendgrid
where the nominal sender has a default welcomelist_* entry?

Today's spample is a McAfee scam email, pretty clearly sent through
Intuit's Sendgrid account based on the rDNS. On testing in my sandbox
it was only allowed through due to the stock welcomelist entry for Intuit.

Not 100% sure whether this is a Sendgrid issue, or an Intuit issue -
I've reported the message to both of them, for whatever good it will do.

-kgd
Re: More Sendgrid trouble? [ In reply to ]
Kris Deugau <kdeugau@vianet.ca> writes:

> Is anyone else seeing intermittent FNs on mail sent through Sendgrid
> where the nominal sender has a default welcomelist_* entry?
>
> Today's spample is a McAfee scam email, pretty clearly sent through
> Intuit's Sendgrid account based on the rDNS. On testing in my sandbox
> it was only allowed through due to the stock welcomelist entry for
> Intuit.
>
> Not 100% sure whether this is a Sendgrid issue, or an Intuit issue -
> I've reported the message to both of them, for whatever good it will do.

very interesting. was this DKIM signed?
Re: More Sendgrid trouble? [ In reply to ]
(Please keep followups onlist)

Greg Troxel wrote:
>
> Kris Deugau <kdeugau@vianet.ca> writes:
>
>> Is anyone else seeing intermittent FNs on mail sent through Sendgrid
>> where the nominal sender has a default welcomelist_* entry?
>>
>> Today's spample is a McAfee scam email, pretty clearly sent through
>> Intuit's Sendgrid account based on the rDNS. On testing in my sandbox
>> it was only allowed through due to the stock welcomelist entry for
>> Intuit.
>>
>> Not 100% sure whether this is a Sendgrid issue, or an Intuit issue -
>> I've reported the message to both of them, for whatever good it will do.
>
> very interesting. was this DKIM signed?


Yes:

Return-Path:
<bounces+28782483-fdb3-someuser=vianet.ca@e.notification.intuit.com>
Received: from o4.e.notification.intuit.com (o4.e.notification.intuit.com
[167.89.82.160]) by mx1.vianet.ca (Postfix) with ESMTPS id E4302E2772 for
<someuser@vianet.ca>; Wed, 28 Sep 2022 14:24:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=notification.intuit.com;
h=content-type:from:mime-version:subject:reply-to:to:cc; s=s1;
bh=cem614y7LjhCakVm2PClbzzDPtLgkUnWZufjB4BFAXo=;
b=BTa5rYwH+gyMfdKhDMQ15X9iFaAdLBFhAiRCJwzxBvx42ZmbqQCbfC30ql1u51jxZKiT
iUpIb/ARRtec87L/7Nz48dT74BcDdyAN/mPL7swD+9XPcY0guTmM5ZavQrJ7AH/prFYObp
4qJkZw9vDxi5Yjr8NFs3uHLyT7cJvim6WYLLGOU06/9Ua24RnakigWgAMiUp0xvsQEK4FJ
mtMP+z/XF1q2gBY0iR7YGbMuUqoiv8b5tEdUdb8GjGV1Vz2qUA9z38wlUHDPpibwRbQC7l
nIQNREZFjtewsE9oWo9aMeZUApLDsgA7YUlLAgllMoMmZyLBnq+6/kgxS6Hns4fQ==
Received: by filterdrecv-5df9649458-lk4n8 with SMTP id
filterdrecv-5df9649458-lk4n8-1-63349146-3 2022-09-28
18:24:06.106760561 +0000
UTC m=+74162.886769780
Received: from Mjg3ODI0ODM (unknown) by geopod-ismtpd-2-0 (SG) with HTTP id
JJelQZe8RUWAZNkCxHBvWQ Wed, 28 Sep 2022 18:24:05.991 +0000 (UTC)

spamd/main[22469]: spamd: result: . -18.593 -
BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,EXCESSIVE_BASE64_TEXT,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL

(I've patched spamd to show more numeric precision in several fields for
easier log analysis.)

The Bayes result is not great, but the USER_IN_DEF_*_WL hits between
them account for most of that negative score anyway.

-kgd
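An added example, not from this thread or from the SpamAssassin project: a small Python triage script for spamd result lines like the one above. It measures how much of a negative score came from default welcomelist rules and flags messages where a welcomelisted sender also tripped blocklist evidence, which is the FN pattern described here. The values in WELCOMELIST_SCORES and the blocklist pattern are assumptions; take the real ones from your own rules and scoreset.

```python
import re
from typing import Optional

# Constructed sample input: the first line is the spamd result posted above
# (from a spamd patched to print extra precision); the second is a made-up
# control line that hit a blocklist without any welcomelist offset.
SAMPLE_LOGS = [
    "spamd/main[22469]: spamd: result: . -18.593 - BAYES_00,DKIMWL_WL_HIGH,"
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,EXCESSIVE_BASE64_TEXT,HTML_MESSAGE,"
    "RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE,"
    "USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL",
    "spamd/main[22470]: spamd: result: Y 12.3 - BAYES_99,RCVD_IN_BL_SPAMCOP_NET",
]

# ASSUMPTION: approximate stock scores for the welcomelist rules; read the
# real ones for your version and scoreset from your local rules files.
WELCOMELIST_SCORES = {
    "USER_IN_DEF_DKIM_WL": -7.5,
    "USER_IN_DEF_SPF_WL": -7.5,
    "USER_IN_DKIM_WELCOMELIST": -100.0,
    "USER_IN_WELCOMELIST": -100.0,
    "DKIMWL_WL_HIGH": -3.5,
}
# Rules that carry blocklist evidence (assumption; extend for your ruleset).
BLOCKLIST_RE = re.compile(r"^(RCVD_IN_BL_|RCVD_IN_[SXP]BL|RCVD_IN_PSBL|URIBL_)")
RESULT_RE = re.compile(r"spamd: result: ([.Y]) (-?\d+(?:\.\d+)?) - (\S+)")

def analyze(line: str) -> Optional[dict]:
    """Parse one spamd result line and measure how much of the verdict came
    from welcomelist rules. Returns None for lines that are not results."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    verdict, total, rules = m.group(1), float(m.group(2)), m.group(3).split(",")
    wl = [r for r in rules if r in WELCOMELIST_SCORES]
    bl = [r for r in rules if BLOCKLIST_RE.match(r)]
    offset = sum(WELCOMELIST_SCORES[r] for r in wl)
    return {
        "verdict": verdict,
        "total": total,
        "welcomelist_rules": wl,
        "welcomelist_offset": offset,
        # Score the message would have had without the welcomelist offset.
        "adjusted": round(total - offset, 3),
        "blocklist_rules": bl,
        # Review when a welcomelisted sender also hit blocklist evidence.
        "flagged": bool(wl) and bool(bl),
    }

def review_queue(lines):
    """Return the flagged results, in log order, for manual review."""
    return [r for r in map(analyze, lines) if r and r["flagged"]]

if __name__ == "__main__":
    for r in review_queue(SAMPLE_LOGS):
        print(f"{r['verdict']} {r['total']:+.3f} (adjusted {r['adjusted']:+.3f}) "
              f"wl={','.join(r['welcomelist_rules'])} bl={','.join(r['blocklist_rules'])}")
```

Feed it your real spamd log and the flagged lines are the candidates for a local unwelcomelist override or a report upstream.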
Re: More Sendgrid trouble? [ In reply to ]
Kris Deugau <kdeugau@vianet.ca> writes:

> The Bayes result is not great, but the USER_IN_DEF_*_WL hits between
> them account for most of that negative score anyway.

With dkim-signed spam, I think the only two paths forward are:
- hope they fix their apparently compromised system
- take them out of the default WL (locally now, and via a rule update in
a few weeks)
Re: More Sendgrid trouble? [ In reply to ]
On 2022-09-29 at 13:26:45 UTC-0400 (Thu, 29 Sep 2022 13:26:45 -0400)
Greg Troxel <gdt@lexort.com>
is rumored to have said:

> Kris Deugau <kdeugau@vianet.ca> writes:
>
>> The Bayes result is not great, but the USER_IN_DEF_*_WL hits between
>> them account for most of that negative score anyway.
>
> With dkim-signed spam, I think the only two paths forward are:
> - hope they fix their apparently compromised system
> - take them out of the default WL (locally now, and via a rule update in
> a few weeks)

Or a few days...

# svn commit -m "Intuit reported as spamming on Users ML" 60_welcomelist_auth.cf
Authentication realm: <https://svn.apache.org:443> ASF Committers
Password for 'billcole': ***************

Sending 60_welcomelist_auth.cf
Transmitting file data .done
Committing transaction...
Committed revision 1904337.

I believe that means it will be gone before Monday.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire