Mailing List Archive

Spam still getting through
I received an email the other day from support@sample.com (and this was
clearly spoofed). I put in my spamassassin local.cf file the following
line:
whitelist_from_spf support@sample.com
and restarted spamassassin.
Yet, the following day, I still received an email from
support@sample.com that was again clearly a spoof. Any idea what I am
doing wrong?

Thanks


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Spam still getting through [ In reply to ]
On Fri, Nov 20, 2009 at 18:03, Tim Kloos <tkloos@ncdcorp.com> wrote:
> I received an email the other day from support@sample.com (and this was
> clearly spoofed).  I put in my spamassassin local.cf file the following
> line:
> whitelist_from_spf support@sample.com
> and restarted spamassassin.
> Yet, the following day, I still received an email from support@sample.com
> that was again clearly a spoof.  Any idea what I am doing wrong?

Well, starting with the fact that we don't know your real domain so we
can't check the SPF record - no. Further, without the headers of the
problem email it's hard to say why it got through.

Also, AFAIK the whitelist settings in SpamAssassin are used to allow
emails through filtering (they add 100 to the score).

Note too that, as covered in the FAQ, SPF is not an anti-spam
mechanism - it's an anti-forgery one.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


Re: Spam still getting through [ In reply to ]
Hi Tim,

As many on this list will point out, SPF is an anti-forgery tool, not an
anti-spam tool as your subject implies. Although helping stop spam is
sometimes a nice side effect.

First of all, sample.com doesn't have an SPF record. But I'll continue,
assuming you've replaced the real domain with "sample.com" ...

SPF works on the SMTP envelope MAIL FROM command and the HELO command.
It does not check the From: header. Was support@sample.com used in the
MAIL FROM command (check the Return-Path: in the message source for
something like: Return-path: <aculver@uwo.ca> -- this is the MAIL FROM
address), or was it just used in the From: header?

By whitelisting support@sample.com, you're specifically allowing it
through your SPF checks. You probably don't want this.

Andrew


Tim Kloos wrote:
> I received an email the other day from support@sample.com (and this was
> clearly spoofed). I put in my spamassassin local.cf file the following
> line:
> whitelist_from_spf support@sample.com
> and restarted spamassassin.
> Yet, the following day, I still received an email from
> support@sample.com that was again clearly a spoof. Any idea what I am
> doing wrong?
>
> Thanks


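The envelope-versus-header check Andrew describes, as an added example that is not part of the original thread: it reads the Return-Path (MAIL FROM) and From: domains from a message and shows that an SPF pass only covers the former. The sample message, its domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): the envelope sender and the
# From: header use different domains, and SPF passed for the envelope.
SAMPLE = """\
Return-Path: <bounce@bulk-mailer.example>
Received-SPF: pass (mx.recipient.example: domain of bounce@bulk-mailer.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: "Support" <support@sample.com>
To: tim@recipient.example
Subject: Account notice

Message body.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header, '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spf_view(raw_message):
    """Report which identity SPF evaluated and whether From: matches it."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))   # SMTP MAIL FROM
    header_from = domain_of(msg.get("From"))       # what the user sees
    recorded = (msg.get("Received-SPF") or "").split()
    result = recorded[0].lower() if recorded else "not-recorded"
    return {
        "envelope_domain": envelope,
        "header_from_domain": header_from,
        "spf_result": result,
        # An SPF pass says nothing about From: unless the domains match.
        "from_covered_by_spf": result == "pass" and envelope == header_from,
    }


if __name__ == "__main__":
    for key, value in spf_view(SAMPLE).items():
        print(f"{key}: {value}")
```
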
Re: Spam still getting through [ In reply to ]
At 18:03 20/11/2009 Friday, Tim Kloos wrote:
>I received an email the other day from support@sample.com (and this was clearly spoofed). I put in my spamassassin local.cf file the following line:
>whitelist_from_spf support@sample.com
>and restarted spamassassin.
>Yet, the following day, I still received an email from support@sample.com that was again clearly a spoof. Any idea what I am doing wrong?

1 SPF doesn't check the From address; it checks the envelope-sender or return-path address in the SMTP instruction "mail from:xxx@yyy"
{so assuming that address was non-spoofed it would pass SPF}

2 sample.com {if this is the correct domain, has no SPF record thus SPF has to PASS all mail from sample.com as probably legit}
their domain, their choice as to whether to avail of SPF or not to protect their domain from forgery

3 SpamAssassin doesn't block spam and is a poor choice to check SPF; it scores it, thus failing SPF will only raise its spamminess score. It's up to your client or mailserver to spam-folder or reject mail with a high enough score

if you actually intend to reject mail that is provably forged due to the "forgee" having SPF it should be done within your mailserver at RCPT time before the DATA portion and long before SpamAssassin is capable of running

{this also cuts down the processor and bandwidth load due to these forged spams}

oh and 5 most importantly!!!!!!!!!!!!!
whitelist_from_spf support@sample.com

means {whitelist} ie do not check/fail mail from support@sample.com
thus even if sample.com had an SPF record you told your SpamAssassin to not bother checking it for mail from support@sample.com


>Thanks


