Mailing List Archive

welcomelist_auth and SPF
Hi,

This GoDaddy/M365 quarantined email passes SPF, but despite now adding it
to my welcomelist, it is still marked as spam.

https://pastebin.com/VpPmgGN4

Only when I create a welcomelist_from_rcvd does it get delivered.

The sender's SPF record includes the sending IP (40.107.96.128) in the
secureserver.net entry, and SPF_PASS is hit.

-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record

There's also a FP on KAM_ZWNJ, or at the least is not a malicious email
intended to elude anything.

Can someone help me understand what's happening here?
Re: welcomelist_auth and SPF
Alex wrote on 2022-12-16 21:18:

> https://pastebin.com/VpPmgGN4

> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> -0.0 SPF_PASS SPF: sender matches SPF record

netblocks are authorized
505,425 individual IPv4 addresses

I think so many spamming IPs is very spammy!

https://multirbl.valli.org/lookup/40.107.96.128.html 11 blacklisted
RBLs, 8 welcome listed, still good proof imho not ham mail

> There's also a FP on KAM_ZWNJ, or at the least is not a malicious
> email intended to elude anything.

start removing fp rule sets if it's not what you want :)

> Can someone help me understand what's happening here?

need non modified sample if more help is wanted
RE: welcomelist_auth and SPF
> The sender's SPF record includes the sending IP (40.107.96.128) in the
> secureserver.net entry, and SPF_PASS is hit.
>

Without even checking anything I can already remember that this secureserver.net is shit. I have blocked whole ranges of them, they send spam, try passwords etc. I have the impression that there is nothing secure about secureserver and everything seems to be hacked there.

You will always have false positives, and probably even more in the future, there is going to be more and more networks trying to mix spam with legitimate email.
For this you have to create some way to unmark / whitelist email addresses.
Re: welcomelist_auth and SPF
Hi,

On Fri, Dec 16, 2022 at 5:35 PM Marc <Marc@f1-outsourcing.eu> wrote:

> > The sender's SPF record includes the sending IP (40.107.96.128) in the
> > secureserver.net entry, and SPF_PASS is hit.
> >
>
> Without even checking anything I can already remember that this
> secureserver.net is shit. I have blocked whole ranges of them, they send
> spam, try passwords etc. I have the impression that there is nothing secure
> about secureserver and everything seems to be hacked there.
>
> You will always have false positives, and probably even more in the
> future, there is going to be more and more networks trying to mix spam with
> legitimate email.
> For this you have to create some way to unmark / whitelist email addresses.
>

Yes, GoDaddy is shit, but should that mean there's no expectation of being
able to add it to a trusted senders list for individual senders?

I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
didn't work to keep it from being marked as spam.

Whether or not it's listed on the valli blocklists should also be
irrelevant - that GoDaddy is shit is the exact reason why I'm trying to add
this (unsuccessfully) to the welcomelist.
Re: welcomelist_auth and SPF
On 17/12/2022 08:35, Marc wrote:

>> The sender's SPF record includes the sending IP (40.107.96.128) in the
>> secureserver.net entry, and SPF_PASS is hit.
>
> Without even checking anything I can already remember that this
> secureserver.net is shit. I have blocked whole ranges of them, they
> send spam, try passwords etc. I have the impression that there is
> nothing secure about secureserver and everything seems to be hacked
> there.

s/secureserver/google/

s/secureserver/amazon/

s /secureserver/microsoft/

s /secureserver/ ... /

I often have gmail accounts hit our honeypots, to the point that I now
deliberately take a week or more to clear the google smtp of the day off
the list, each time, I take longer and longer to remove - just like
other providers

and I currently have a large chunk of google/amazon/MS/linode/D.O/...
cloud ranges blocked.

My point is, they are all the same and if someone wishes to whitelist
them, that's the risk they take, they are answerable to their users, not
to you, me or anyone else.

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the author's express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
RE: welcomelist_auth and SPF
>
>
> Yes, GoDaddy is shit, but should that mean there's no expectation of
> being able to add it to a trusted senders list for individual senders?

of course

whitelist_from *@christmasball.com

or you add some header

header TREE_WHITELIST X-Tree =~ /\bwhitelisted\b/
score TREE_WHITELIST -50

> I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
> didn't work to keep it from being marked as spam.

SPF pass is just a result that gets processed in the general result. The general result decides if a message is marked as spam.

> Whether or not it's listed on the valli blocklists should also be
> irrelevant - that GoDaddy is shit is the exact reason why I'm trying to
> add this (unsuccessfully) to the welcomelist.

Maybe you have a version that still is racist? ;)
Re: welcomelist_auth and SPF
On 16.12.22 15:18, Alex wrote:
>This GoDaddy/M365 quarantined email passes SPF, but despite now adding it
>to my welcomelist, it is still marked as spam.
>
>https://pastebin.com/VpPmgGN4

* 6.0 KAM_ZWNJ Use of null characters indicates a goal to elude scanners

try finding out why this matches:

meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
score KAM_ZWNJ 6.0


>Only when I create a welcomelist_from_rcvd does it get delivered.

what exactly did you add to your welcomelist that did not work?

>The sender's SPF record includes the sending IP (40.107.96.128) in the
>secureserver.net entry, and SPF_PASS is hit.
>
>-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>-0.0 SPF_PASS SPF: sender matches SPF record
>
>There's also a FP on KAM_ZWNJ, or at the least is not a malicious email
>intended to elude anything.
>
>Can someone help me understand what's happening here?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
Re: welcomelist_auth and SPF
>On 16.12.22 15:18, Alex wrote:
>>This GoDaddy/M365 quarantined email passes SPF, but despite now adding it
>>to my welcomelist, it is still marked as spam.
>>
>>https://pastebin.com/VpPmgGN4

On 19.12.22 09:54, Matus UHLAR - fantomas wrote:
> * 6.0 KAM_ZWNJ Use of null characters indicates a goal to elude scanners
>
>try finding out why this matches:
>
>meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
>body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
>score KAM_ZWNJ 6.0

I haven't found anything about 9D character, but the other:

https://www.utf8-chartable.de/unicode-utf8-table.pl?start=8192&number=128

U+200C   e2 80 8c   ZERO WIDTH NON-JOINER


>>Only when I create a welcomelist_from_rcvd does it get delivered.
>
>what exactly did you add to your welcomelist that did not work?
>
>>The sender's SPF record includes the sending IP (40.107.96.128) in the
>>secureserver.net entry, and SPF_PASS is hit.
>>
>>-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>>-0.0 SPF_PASS SPF: sender matches SPF record
>>
>>There's also a FP on KAM_ZWNJ, or at the least is not a malicious email
>>intended to elude anything.
>>
>>Can someone help me understand what's happening here?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
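
Added example, not part of any message in this thread and not SpamAssassin or KAM rule code: a small script for "finding out why this matches" that decodes a message's text parts and counts, per source character, how often the quoted `__KAM_ZWNJ2` pattern hits. It assumes the rule sees the body as UTF-8 bytes (SpamAssassin's own rendering and charset handling may differ), it does not evaluate `__KAM_ZWNJ1` because that rule is not shown in the thread, and the sample message and the helper names are constructed for illustration.

```python
import email
import re
import unicodedata
from collections import Counter
from email import policy
from email.message import EmailMessage

# Pattern and threshold copied from the rule lines quoted in the thread.
ZWNJ2 = re.compile(rb"(?:\x9D|\xe2\x80\x8c)")
THRESHOLD = 16  # "(__KAM_ZWNJ2 >= 16)"


def zwnj2_hits(raw_message: bytes) -> Counter:
    """Count pattern matches per source character across all text parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = Counter()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes base64/quoted-printable and the charset.
        for ch in part.get_content():
            # Assumption: the rule sees the body as UTF-8 bytes.
            n = len(ZWNJ2.findall(ch.encode("utf-8", "replace")))
            if n:
                name = unicodedata.name(ch, "UNNAMED")
                hits[f"U+{ord(ch):04X} {name}"] += n
    return hits


def reaches_threshold(hits: Counter) -> bool:
    """True when the total match count satisfies the >= 16 sub-condition."""
    return sum(hits.values()) >= THRESHOLD


def build_sample(body: str = "He said \u201cok\u201d. Pay\u200cPal \u200c\u200c") -> bytes:
    """Constructed sample message, not the one from the pastebin."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    return m.as_bytes()


if __name__ == "__main__":
    for char, count in zwnj2_hits(build_sample()).most_common():
        print(f"{count:4d}  {char}")
```

On the constructed sample the closing curly quote U+201D (UTF-8 `e2 80 9d`) is counted alongside U+200C, because the bare `\x9D` alternative matches any character whose UTF-8 encoding contains that byte.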