On 13 Nov 2013, at 15:07, Jeremy Bowen wrote:
Over the last few months I've been receiving a lot of spam from various different DKIM and SPF verified senders. This tends to slide right past my anti-spam measures (SpamAssassin/Amavis/RBLs) and straight into my inbox.
Another common feature of these emails is that the sender is *always*
"Mark" someone or other. Mark Smith, Mark Morgan, Mark Baxter. Mark
Random-name.
I'm not sure if these domains have been explicitly created with valid DKIM credentials or if the sites have been hacked, but I'm getting these mails daily from random different sources, and on multiple different email accounts/servers.
Any suggestions on what I could do to mitigate this?
As Dr. Venema said: stop whitelisting mail just because it is
authenticated as being from a total stranger.
There's nothing about the process of registering a domain, creating a
valid DKIM key, and using it to correctly sign messages that certifies
the good behavior of the domain owner.
Thanks in advance.
Headers (slightly anonymised) below.
=============================================================================
Return-Path: <mark.mor...@idealils.com>
X-Spam-Flag: NO
X-Spam-Score: -1.829
X-Spam-Level:
X-Spam-Status: No, score=-1.829 tagged_above=-9999 required=5.31
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,
HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]
4 addressable issues are indicated in your SpamAssassin headers:
1. You are using SpamAssassin with the DKIM_VERIFIED rule set to a score
of "-1.5". That rule has a default score of 0 in SA 3.3x, and only still
exists to maintain backward compatibility. It is defined as functionally
identical to DKIM_VALID which has a -0.1 score and this spam also has a
sender in the signing domain which means DKIM_VALID_AU adds another
-0.1. So you are effectively knocking 1.7 points off the score based on
a signature that only tells you the sender can work the machinery of
domain registration and signing. Change your local.cf to remove the
score for DKIM_VERIFIED.
2. RP_MATCHES_RCVD means the Return-Path (envelope sender address)
matches the trustable Received header(s) and while that is something
seen in much non-spam, it is really not at all rare in spam and is
mostly useful in "meta" rules. That's why the default score is -0.001,
not -1.324 as shown here. Again, that non-default score is probably in
your local.cf and you should remove it.
3. The BAYES_00 score is a more complex problem; your -1.9 is the
perfectly reasonable default score. The failure here is that this sort
of spam should not be getting a BAYES_00 result, which implies that your
Bayesian database is not being properly fed. It is useful to routinely
use the 'sa-learn' tool to learn all of the spam that slips past SA as
spam, making sure to run it as the user that does your spam filtering.
It is also essential to feed it a regular stream of your 'ham', because
if you only feed it spam, the Bayes module starts to score anything
looking like email as spam. SA has an "autolearn" function to do some of
this but the default thresholds are very conservative, which poorly fits
the way most sites use SA (behind more lightweight tactics that spare SA
from seeing the worst spam.) How exactly any particular site should set
those thresholds is best determined by local scoring patterns, which
vary widely.
4. Your "required" setting (the ham/spam score threshold) of 5.31 seems
high to me. You may have sound local reasons to have it that high, but
in my experience those are rather rare. Non-spam scoring in the 4-6
range often is the result of some idiosyncratic pattern in your
particular mail stream that can (and should) be corrected by adding
local rules to protect known-good mail and/or adjusting scores on
default SA rules. Feeding your "ham" with positive scores to the Bayes
database is also useful, especially if you can't find good patterns to
turn into local rules. For the systems I've worked on in recent years
using SA I've always eventually been able to safely reduce the threshold
to 4.5 or lower after a month or two of tuning, but exactly how low you
can make yours depends on your mail stream and how much risk of false
positives you are willing to take.
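To turn points 1, 2 and 4 of the reply into something you can run against a header, here is an added example; it is not code from the original thread and not part of SpamAssassin or Amavis. It parses the X-Spam-Status value as Amavis folds it, flags rules whose hit score differs from the stock value, re-totals the message with those local.cf overrides removed, and then asks what the same message would score if Bayes had classified it correctly. The stock-score table contains only the values the reply states (DKIM_VERIFIED 0, RP_MATCHES_RCVD -0.001, DKIM_VALID and DKIM_VALID_AU -0.1, BAYES_00 -1.9); the BAYES_99 score of 3.5 used in the what-if and the 4.5 candidate threshold are assumptions taken from the 3.3.x score set and from point 4 of the reply respectively, so extend the table from the scores files shipped with your own SA release before trusting the numbers. The sample header is the one posted above, reconstructed as a folded header value.

```python
"""Rescore a SpamAssassin X-Spam-Status header with stock rule scores.

Added example for this thread, not code from the original post or from
SpamAssassin. STOCK_SCORES holds only the defaults the reply quotes;
the BAYES_99 value is an assumption from the 3.3.x score files.
"""
import re

# Stock scores for the rules discussed in the reply (assumed from the
# reply's text; extend from your installed rules/*.cf files).
STOCK_SCORES = {
    "DKIM_VERIFIED": 0.0,
    "RP_MATCHES_RCVD": -0.001,
    "DKIM_VALID": -0.1,
    "DKIM_VALID_AU": -0.1,
    "BAYES_00": -1.9,
}

# Assumed stock score for a confident Bayes "spam" verdict (SA 3.3.x).
ASSUMED_BAYES_99 = 3.5

# The X-Spam-Status value from the post, reconstructed as the folded
# header Amavis writes (constructed sample; values match the thread).
SAMPLE_STATUS = (
    "No, score=-1.829 tagged_above=-9999 required=5.31\n"
    "    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,\n"
    "    DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,\n"
    "    HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,\n"
    "    RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]"
)


def parse_status(header):
    """Return (score, required, {rule: hit_score}) from an X-Spam-Status value."""
    score = float(re.search(r"score=(-?[\d.]+)", header).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", header).group(1))
    blob = re.search(r"tests=\[(.*?)\]", header, re.S).group(1)
    tests = {}
    for item in blob.split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return score, required, tests


def find_overrides(tests, stock=STOCK_SCORES):
    """Rules whose hit score differs from stock: {rule: (local, stock)}."""
    return {
        name: (hit, stock[name])
        for name, hit in tests.items()
        if name in stock and abs(hit - stock[name]) > 1e-9
    }


def rescore(tests, stock=STOCK_SCORES):
    """Total if every known local.cf override were removed."""
    return round(sum(stock.get(name, hit) for name, hit in tests.items()), 3)


def rescore_with_bayes(tests, bayes_rule="BAYES_99", bayes_score=ASSUMED_BAYES_99,
                       stock=STOCK_SCORES):
    """Stock-score total with the BAYES_* hit swapped for the given verdict."""
    without_bayes = {n: h for n, h in tests.items() if not n.startswith("BAYES_")}
    without_bayes[bayes_rule] = bayes_score
    return rescore(without_bayes, stock)


def verdict(score, required):
    return "spam" if score >= required else "ham"


def analyse(header, candidate_required=4.5):
    """Summarise what each suggested change does to this one message."""
    score, required, tests = parse_status(header)
    fixed = rescore(tests)
    bayes_fixed = rescore_with_bayes(tests)
    return {
        "reported": score,
        "overrides": find_overrides(tests),
        "rescored": fixed,
        "rescored_with_bayes_99": bayes_fixed,
        "verdict_as_configured": verdict(score, required),
        "verdict_stock_scores": verdict(fixed, required),
        "verdict_stock_at_candidate": verdict(fixed, candidate_required),
        "verdict_bayes_at_candidate": verdict(bayes_fixed, candidate_required),
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_STATUS)
    for rule, (local, stock) in r["overrides"].items():
        print(f"remove from local.cf: score {rule} {local}   (stock {stock})")
    print(f"reported {r['reported']}, stock scores {r['rescored']}, "
          f"stock scores + BAYES_99 {r['rescored_with_bayes_99']}")
```

Run against the sample it reports the two overrides (DKIM_VERIFIED -1.5 and RP_MATCHES_RCVD -1.324), a rescored total of 0.994, and a ham verdict at both 5.31 and 4.5; only the BAYES_99 what-if (6.394) crosses either threshold. That is the reply's point 3 in numbers: removing the score overrides is necessary but not sufficient, and the misses need to go through sa-learn --spam (with a steady supply of ham through sa-learn --ham), run as the user Amavis invokes SpamAssassin as.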