On Wed, 2025-01-29 at 11:23 -0500, Alan via users wrote:
>
> As far as I can tell, they're valid notifications from PayPal, and
> probably useful for legitimate purposes. What the messages are
> doing is attempting to trigger sufficient anxiety that the
> recipient calls the phone number in the m
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this? paypal.com is in the default DKIM whitelist!
>
That message really looks like it came from Paypal and then was
forwarded by Microsoft to your server. Was it really a fake? That's a
lot of headers to fake if so.
If it
On Mon, 2022-05-09 at 14:35 -0400, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC
> when mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed o
On Fri, 2022-03-04 at 13:01 +, Marc wrote:
> Is anyone blocking already connections from
> outbound-mail.sendgrid.net? Does that generate a lot of false positives?
> PS. just posting this so it is on web archives and people searching
> for sendgrid hopefully choose a better service.
>
Unfort
On Wed, 2021-12-15 at 10:55 -0800, Alan Hodgson wrote:
>
> I got a couple to an actual human who answered
> ab...@princeton.edu. I can forward them privately.
Let me rephrase that; I complained to ab...@princeton.edu and
actually heard back from a human, to whom I have since sent copi
On Wed, 2021-12-15 at 13:24 -0500, Charles Sprickman wrote:
> Does anyone have a sample of one of their emails?
>
> I’m composing a brief nastygram and would like to get my eyes on
> one before finishing up.
>
I got a couple to an actual human who answered ab...@princeton.edu. I
can forward them
On Wed, 2021-12-15 at 11:39 -0500, Bill Cole wrote:
>
> A customer has expressed mild dismay at the concept that a fine
> research institution should be "punished for doing research." I'm
> less attached to Princeton than my NJ-based customer and (having
> worked in a NIH-funded lab) less idolizin
On Thu, 2021-05-20 at 16:12 -0400, Alex wrote:
>
> X-Envelope-From:
>
>
>
> Perhaps it's because Return-Path is null?
> Return-Path: <>
Return-Path is supposed to be where your MTA stores the envelope sender. That
it doesn't match is probably a problem.
And yes, SPF falls back to tes
On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
> Thanks for quick reply, but blacklist what?
> The problem is I do not know these spammy domains.
> I want to give a score when To: field is NOT in anyaddr...@mydomain.com
Not tested, but something like this should work:
header __LOCAL_TO_ME To =~ /\
>
> > Or is there some criteria to determine which domain name
> > should have the DKIM signature? Is there a penalty score if one or
> > the other is missing?
>
> It doesn't make much difference, unless there's a whitelist involved.
If you publish a DMARC record, DMARC requires that the DKI
On Wed, 2020-09-23 at 14:46 -0500, Jerry Malcolm wrote:
> On 9/23/2020 2:33 PM, iulian stan wrote:
> > Most of the time the IPs from AWS are already blacklisted and you
> > cannot do anything.
>
> I'm curious why such a blanket statement. Why does AWS have such a bad
> reputation? With compani
On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote:
> I'm seeing a lot of spam with base64 encoded subjects:
>
> Subject:
> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>
> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvd
On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote:
> I'm hoping this is a relatively simple test...
> I'm seeing emails "From Me, To Me", typically extortion types. I'm not
> even seeing which of the SA tests are getting hit, because I have my
> own email in my Whitelist.
> Is there a way I can che
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
> Good day,
> I know I will incur some wrath for this but I have the Mayor breathing
> down my neck. We stop nearly all spam now, but some does get through.
> Mostly it has been mail from gmail and outlook servers that pass DKIM
> and SPF.
> T
On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote:
> I simply need to write custom rules to block certain mails, domain names. Do
> I have to learn programming language for this? Is not it easy like create a
> conf file and let Sa update rules from that source remotely via http?
>
>
cron + w
On Wed, 2018-12-05 at 00:17 +, David Jones wrote:
>
> I think he meant that DKIM related to DMARC means the DKIM signature has
> to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.
>
> In the case of SPF, DMARC will pass if the envelope-from domain check
> hits SPF_PA
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
> Yeah, I see all these same things. Better to test against From:addr
> rather than the full From: Perhaps something like:
>
> From:addr =~ /\@[^\s]+\@/
>
> Of course, there might still be legit cases of that kind of usage.
>
The pro
On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
>
> I don't think the multiple @ signs have worked in a very long time. So
> I see no reason not to add score based on multiple @ signs. Or if there
> is a legitimate use for it, it should be extremely rare and the false
> positive rate sho
On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> () wrote:
>
> > Wow, that's hard to read.
> >
> > It was close to being tagged because of the Pakistan relay. Just
> > add a few points for Word
On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote:
> Hi, I have a situation a little complicated, I have emails from
> spammers that come with the name of one of my users, but the email
> address is not from my domain , they send it from a valid domain,
> which complies with spf, DKIM etc et
On Thu, 2018-04-26 at 13:41 -0700, L A Walsh wrote:
> To my way of thinking, dropping someone else's email,
> telling the sender the email is being rejected for having
> spam-like characteristics and telling the recipient nothing
> seems like it might have legal liability for the
> user pot
On Sun, 2018-03-18 at 17:14 -0500, David Jones wrote:
>
> I have Steve Freegard's DecodeShortURLs.pm installed but didn't get any
> HAS_SHORT_URL hits on this one:
>
> https://pastebin.com/t85b0Bns
Is it getting any hits? It definitely hits on that one in a test here.
Note it needs Perl's LWP::
On Thu, 2018-01-18 at 18:49 -0500, Chip wrote:
> Very well stated. Bravo!
>
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures. Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fa
On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to be
> able to detect this type of spoofed From header?
>
> From: "h...@hulumail.com !"
>
> https://pastebin.com/vVhGjC8H
>
> Does anyone else think this would be a good i
On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote:
> On 1 Jan 2018, at 9:59 (-0500), David Jones wrote:
>
> > I think some mail systems will keep the same message-ID per email
> > thread so your system must reject some replies.
>
> I have not seen such behavior in the past 20 years...
>
> Inte
On Mon, 2017-12-04 at 15:20 -0500, Joseph Brennan wrote:
> New rule: TO_NO_BRKTS_DYNIP
>
> Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is
> 2.639, one gets an even 5.0 score just for sending from
> ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To address.
>
On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote:
> This could also be an attempt to get a mailing list to work.
>
> There's a continuing problem with email list traffic getting bounced by
> DKIM, and various work-arounds - the gist is that the mail has to come
> from the list manager, bu
On Friday 19 May 2017 20:11:42 David Jones wrote:
> >Urgg, I see that now. I looked at a few of David Jones' posts to this list
> >and saw that they weren't DKIM signed, so I extrapolated that to a general
> >assumption.
>
> They are DKIM signed so something must be stripping the headers.
>
Well,
On Friday 19 May 2017 14:47:56 Dianne Skoll wrote:
> On Fri, 19 May 2017 20:43:39 +0200
>
> Benny Pedersen wrote:
> > some maillists break DKIM, focus on that first, not last !
>
> Thank you for not adding any value to the conversation. The
> domain in question is not using DKIM.
>
This is a
On Thursday 04 May 2017 17:07:31 John Hardin wrote:
> I expect a basic accounts.google.com URI rule would be a good idea even if
> a redirector pattern for this was added - is there any legitimate reason
> for a "log in to your google account" URL to be in an email?
>
Not from anyone who isn't wh
On Tuesday 28 March 2017 13:58:43 Alex wrote:
> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
>
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing
On Monday 06 March 2017 11:58:25 David B Funk wrote:
> On Mon, 6 Mar 2017, Alan Hodgson wrote:
> >> It seems it should be easy to setup “If mail claims to be From:
> >> PayPal.com
> >> and is not from PayPal, score +100” but it is not.
> >
> > This is wh
> It seems it should be easy to setup “If mail claims to be From: PayPal.com
> and is not from PayPal, score +100” but it is not.
This is what DMARC is for.
Run opendmarc as a milter and reject failures. Or score later on DMARC
failure, even if just selectively for highly phished domains.
PayP
On Wednesday 11 January 2017 14:31:15 John Hardin wrote:
> That's more complex than needed. The message subject is automatically
> included in body rules, so you only need __LOCAL_BODY_PRODUCTS.
>
Cool, I did not know that. txs.
On Wednesday 11 January 2017 16:58:39 Michael B Allen wrote:
> Is there a way to add a rule that simply matches specific key words?
>
> For example, if someone actually names my product it's basically
> guaranteed not to be spam. In this case, I want to just whitelist it
> (or maybe apply -10 to t
On Thursday 09 June 2016 16:26:26 Yu Qian wrote:
> Yes, I am sure the path is correct, also, if the path is not correct, it
> will show 'db not present'.
>
> I tried to write a small perl script to open the db file, it failed too. so
> I think it maybe the file damaged during the mounting. but I d
On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote:
> really?
>
> I know DMARC as
> "example.com may dkim sign with example.com. relax alignment will
> match even for RFC5322.From sub.example.com"
>
> but you claim
> "sub.example.com may dkim sign with sub.example.com a message with
> RFC5322
On Monday, April 04, 2016 09:34:56 PM RW wrote:
> On Mon, 04 Apr 2016 13:18:54 -0700
>
> Alan Hodgson wrote:
> > On Monday, April 04, 2016 08:59:51 PM RW wrote:
> > > I'm assuming that you are using these rules:
> > >
> > > https://blog.laussat.d
On Monday, April 04, 2016 08:59:51 PM RW wrote:
> I'm assuming that you are using these rules:
>
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
>
>
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
>
> __DMARC_POLICY_REJECT comes from a
On Thursday, February 04, 2016 08:05:59 PM Reindl Harald wrote:
> in context of "DKIM and DMARC are the present and near future" how do
> you imagine that to work if you have no clue who is sending on behalf of
> yours?
>
Well you obviously have something emotionally invested in SPF.
But anyways
On Thursday, February 04, 2016 07:41:44 PM Reindl Harald wrote:
> which people don't know this?
> admins?
> don't maintain services then!
>
> users?
>
> just use the SMTP server your mailprovider tells you and no other one
> and for smtp-admins: just don't accept envelope senders for which you
>
On Thursday, February 04, 2016 04:36:14 PM Reindl Harald wrote:
>
> wait i tell you something (for you) new: DMARC and mailing-lists is an
> awful topic - what do you think would have happened with your mail to the
> list if your domain would enforce DMARC and my MX reject mails violating
> the poli
On Thursday, February 04, 2016 06:06:14 PM Reindl Harald wrote:
> before Google is telling somebody something they should better learn
> the difference between "~" and "-" in a SPF record to make gmail.com at
> least on envelope-level spoofing protected
>
> a high percentage of spam here would no