On Wed, 18 Sep 2019, RW wrote:

On Wed, 18 Sep 2019 15:30:46 +0200
Dan Malm wrote:

Ok, I'm pretty sure this is mostly on my end, but I think there are
also some issues with the __NOT_SPOOFED meta rule.

1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
machine when running spamassassin with the -L parameter.

2: The reason (I assume) that I get the rule hit on my servers is this
which I get when I run a manual spamassassin check with debugging
enabled: dbg: dkim: cannot load Mail::DKIM module, DKIM checks
disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to
install the Mail::DKIM::Verifier module) (@INC contains: lib
/usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/site_perl/mach/5.28
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line
675.

So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
__NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
ignore errors with the DKIM validity check.

The rules will work around the DKIM plugin not being loaded by switching
to a simple header test for the signature, but they can't cope with
DKIM being otherwise disabled. __NOT_SPOOFED is still checking for
SPF_PASS.

The rule QA webpage shows results for score set 0 (no net, no Bayes).
From other results I've seen, I think this has net plugins loaded, but
unused. That means that !__NOT_SPOOFED is unconditionally true, so
SPOOFED_FREEMAIL is effectively then FREEMAIL_FROM && !__FS_SUBJ_RE.

Added tflags net to the SPOOFED_FREEM family and one or two others relying on !__NOT_SPOOFED as part of the basic logic.

Sending        svn/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Sending        svn/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf
Transmitting file data ..done
Committing transaction...
Committed revision 1867148.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
 Tomorrow: Talk Like a Pirate day
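As an added illustration (not the committed sandbox rules, whose exact definitions are not quoted in this thread), a simplified rule fragment of the shape being discussed: DKIM_VALID and SPF_PASS are network tests, so in a no-net run (spamassassin -L, score set 0) neither ever hits and !__NOT_SPOOFED is always true unless the dependent rule is itself marked net.

```conf
# Hypothetical reconstruction for illustration only; not the actual
# contents of 20_shared_subrules.cf or 20_misc_testing.cf.

# Subrule: sender is treated as not spoofed if either authentication
# result is present. Both inputs come from net plugins, so with net
# tests disabled this subrule can never hit.
meta      __NOT_SPOOFED     (DKIM_VALID || SPF_PASS)

# Without any net marking, in local mode this degrades to
# FREEMAIL_FROM && !__FS_SUBJ_RE and fires on every freemail sender,
# which is the behaviour reported at the top of the thread.
meta      SPOOFED_FREEMAIL  (FREEMAIL_FROM && !__NOT_SPOOFED && !__FS_SUBJ_RE)

# The fix described in the thread: flag the rule as a net rule so it is
# only evaluated when net tests run and is excluded from no-net
# (score set 0) mass-check results instead of skewing them.
tflags    SPOOFED_FREEMAIL  net
```

Running the same message with and without -L (plus -D to see the dkim/spf debug lines) is the quickest way to confirm locally whether a rule hit depends on net results.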
