Re: Investigating facebook spam

2015-10-08 Thread RW
On Thu, 8 Oct 2015 13:59:31 +0100 RW wrote: > On Thu, 8 Oct 2015 13:13:57 +0100 > RW wrote: > > > On Tue, 6 Oct 2015 17:05:48 -0400 > > Kevin A. McGrail wrote: > > > > > On 10/6/2015 5:01 PM, Jered Floyd wrote: > > > > Ah; good eyes! > > > > > > > > That KAM_FACEBOOK rule is dangerous. > > > The

Re: Investigating facebook spam

2015-10-08 Thread RW
On Thu, 8 Oct 2015 13:13:57 +0100 RW wrote: > On Tue, 6 Oct 2015 17:05:48 -0400 > Kevin A. McGrail wrote: > > > On 10/6/2015 5:01 PM, Jered Floyd wrote: > > > Ah; good eyes! > > > > > > That KAM_FACEBOOK rule is dangerous. > > The behavior of forwarding content which effectively is the same as >

Re: Investigating facebook spam

2015-10-08 Thread RW
On Tue, 6 Oct 2015 17:05:48 -0400 Kevin A. McGrail wrote: > On 10/6/2015 5:01 PM, Jered Floyd wrote: > > Ah; good eyes! > > > > That KAM_FACEBOOK rule is dangerous. > The behavior of forwarding content which effectively is the same as a > forgery is where the danger lies... If this is behavior th

Re: Investigating facebook spam

2015-10-07 Thread Benny Pedersen
On October 7, 2015 11:40:07 PM Alex wrote: "Received: from mx-out.facebook.com" header, why not add the trust path entry? Great points. Thanks everyone for your comments. so if i add this to my postfix you will soon see the error ?

Re: Investigating facebook spam

2015-10-07 Thread Alex
Hi, On Wed, Oct 7, 2015 at 10:16 AM, Kris Deugau wrote: > Alex wrote: >> On Tue, Oct 6, 2015 at 5:05 PM, Kevin A. McGrail > > wrote: >> The behavior of forwarding content which effectively is the same as >> a forgery is where the danger lies... If this is behavio

Re: Investigating facebook spam

2015-10-07 Thread Kris Deugau
Alex wrote: > On Tue, Oct 6, 2015 at 5:05 PM, Kevin A. McGrail > wrote: > The behavior of forwarding content which effectively is the same as > a forgery is where the danger lies... If this is behavior that users > are performing, of course then there needs to

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
David B Funk wrote on 2015-10-07 01:48: On Wed, 7 Oct 2015, Benny Pedersen wrote: meta FORGED_DOMAIN ((DKIM_VALID_AU + SPF_PASS) < 2) meta SPF_FORGED (!SPF_PASS && DKIM_VALID_AU) meta DKIM_FORGED (!DKIM_VALID_AU && SPF_PASS) don't know if it works or not, so just sharing it So you are goin

Re: Investigating facebook spam

2015-10-06 Thread David B Funk
On Wed, 7 Oct 2015, Benny Pedersen wrote: David B Funk wrote on 2015-10-07 01:25: Why do you say "forwarding hosts must use their own domain as envelope sender"? so you like me to use junc.eu domain to send maillists mail to you so spf does pass ? wishful thinking I was explicitly tal

Re: Investigating facebook spam

2015-10-06 Thread David B Funk
On Wed, 7 Oct 2015, Benny Pedersen wrote: Jered Floyd wrote on 2015-10-07 01:16: I'm also really wary of rules that have scores as high as 8.0, but that's a separate (and debatable) matter. untested: meta FORGED_DOMAIN ((DKIM_VALID_AU + SPF_PASS) < 2) meta SPF_FORGED (!SPF_PASS && DKIM_VA

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
David B Funk wrote on 2015-10-07 01:25: Why do you say "forwarding hosts must use their own domain as envelope sender"? so you like me to use junc.eu domain to send maillists mail to you so spf does pass ? wishful thinking i am not responsible for what damage apache.org does to emails, a

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
Jered Floyd wrote on 2015-10-07 01:17: It's a brain dead forwarder that does that, but most forwarders are brain dead. "aliases" and ".forward" are the most common things out there. +1

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
Jered Floyd wrote on 2015-10-07 01:16: I'm also really wary of rules that have scores as high as 8.0, but that's a separate (and debatable) matter. untested: meta FORGED_DOMAIN ((DKIM_VALID_AU + SPF_PASS) < 2) meta SPF_FORGED (!SPF_PASS && DKIM_VALID_AU) meta DKIM_FORGED (!DKIM_VALID_AU &&

Re: Investigating facebook spam

2015-10-06 Thread David B Funk
On Wed, 7 Oct 2015, Benny Pedersen wrote: David B Funk wrote on 2015-10-06 22:33: So that explicit forward breaks the SPF chain, thus triggering that SPF fail. The valid DKIM signature indicates that the message is legit. it's a brain dead forwarder that use the From: header so, if it used

Re: Investigating facebook spam

2015-10-06 Thread David B Funk
On Tue, 6 Oct 2015, Alex wrote: Hi, On Tue, Oct 6, 2015 at 5:05 PM, Kevin A. McGrail wrote: On 10/6/2015 5:01 PM, Jered Floyd wrote: Ah; good eyes! That KAM_FACEBOOK rule is dangerous. The behavior of forwarding content which effectively is the same as a forgery is where the danger l

Re: Investigating facebook spam

2015-10-06 Thread Jered Floyd
It's a brain dead forwarder that does that, but most forwarders are brain dead. "aliases" and ".forward" are the most common things out there. --Jered - On Oct 6, 2015, at 7:06 PM, Benny Pedersen m...@junc.eu wrote: > David B Funk wrote on 2015-10-06 22:33: > >> So that explicit forward

Re: Investigating facebook spam

2015-10-06 Thread Jered Floyd
>> Can we temper this rule with a check to see if the mail indeed did pass >> through >> a fb server? You're checking the From: header, which can obviously be easily >> spoofed, but perhaps if it originated from a facebook server? This would be of limited value. As an MTA, you can only believe th

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
Alex wrote on 2015-10-07 00:42: Can we temper this rule with a check to see if the mail indeed did pass through a fb server? You're checking the From: header, which can obviously be easily spoofed, but perhaps if it originated from a facebook server? if DKIM pass, its not tempared

Re: Investigating facebook spam

2015-10-06 Thread Benny Pedersen
David B Funk wrote on 2015-10-06 22:33: So that explicit forward breaks the SPF chain, thus triggering that SPF fail. The valid DKIM signature indicates that the message is legit. it's a brain dead forwarder that use the From: header so, if it used the envelope sender it would not break spf,

Re: Investigating facebook spam

2015-10-06 Thread Alex
Hi, On Tue, Oct 6, 2015 at 5:05 PM, Kevin A. McGrail wrote: > On 10/6/2015 5:01 PM, Jered Floyd wrote: > > Ah; good eyes! > > That KAM_FACEBOOK rule is dangerous. > > The behavior of forwarding content which effectively is the same as a > forgery is where the danger lies... If this is behavior t

Re: Investigating facebook spam

2015-10-06 Thread Jered Floyd
Forwarding email loses a great deal of sender information and thus harms spam mitigation, but getting users to never do it will be difficult. There are too many things that require you to have (for example) a Google account with automatic GMail address that seems to leak out despite attempts to

Re: Investigating facebook spam

2015-10-06 Thread Kevin A. McGrail
On 10/6/2015 5:01 PM, Jered Floyd wrote: Ah; good eyes! That KAM_FACEBOOK rule is dangerous. The behavior of forwarding content which effectively is the same as a forgery is where the danger lies... If this is behavior that users are performing, of course then there needs to be appropriate rea

Re: Investigating facebook spam

2015-10-06 Thread Alex
Hi, >> I've received a handful of messages that appear to be facebook >> notifications, but fail SPF. They otherwise look completely legit - >> links to profiles, only URLs to facebook.com and CDN caching sites, >> and even appears to have been routed through facebook's outgoing mail. >> >> All of

Re: Investigating facebook spam

2015-10-06 Thread Jered Floyd
Ah; good eyes! That KAM_FACEBOOK rule is dangerous. --Jered - On Oct 6, 2015, at 4:33 PM, David B Funk dbf...@engineering.uiowa.edu wrote: > On Tue, 6 Oct 2015, Alex wrote: > >> Hi, >> >> I've received a handful of messages that appear to be facebook >> notifications, but fail SPF. They

Re: Investigating facebook spam

2015-10-06 Thread David B Funk
On Tue, 6 Oct 2015, Alex wrote: Hi, I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appears to have been routed through facebook's outg

Re: Investigating facebook spam

2015-10-06 Thread Jered Floyd
Are you operating a backup MX at the cox.net address? If messages are delayed and retried to your backup MX, this would explain the SPF failures. --Jered - On Oct 6, 2015, at 1:38 PM, Alex mysqlstud...@gmail.com wrote: > Hi, > > I've received a handful of messages that appear to be faceb

Re: Investigating facebook spam

2015-10-06 Thread Reindl Harald
On 06.10.2015 at 19:45, Joe Quinn wrote: On 10/6/2015 1:38 PM, Alex wrote: Hi, I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appea

Re: Investigating facebook spam

2015-10-06 Thread Reindl Harald
On 06.10.2015 at 19:44, Reindl Harald wrote: On 06.10.2015 at 19:38, Alex wrote: I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appe

Re: Investigating facebook spam

2015-10-06 Thread Alex
Hi, >> I've received a handful of messages that appear to be facebook >> notifications, but fail SPF. They otherwise look completely legit - >> links to profiles, only URLs to facebook.com and CDN caching sites, >> and even appears to have been routed through facebook's outgoing mail. >> >> All of

Re: Investigating facebook spam

2015-10-06 Thread Joe Quinn
On 10/6/2015 1:38 PM, Alex wrote: Hi, I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appears to have been routed through facebook's out

Re: Investigating facebook spam

2015-10-06 Thread Reindl Harald
On 06.10.2015 at 19:38, Alex wrote: I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appears to have been routed through facebook's out

Investigating facebook spam

2015-10-06 Thread Alex
Hi, I've received a handful of messages that appear to be facebook notifications, but fail SPF. They otherwise look completely legit - links to profiles, only URLs to facebook.com and CDN caching sites, and even appears to have been routed through facebook's outgoing mail. All of that could be fa