On 25 Feb 2020, at 20:28, Robert A. Ober wrote:
Hey Folks,
I have a user that is getting many emails with obscene subjects.
Someone is spoofing the From to include the users domain so the email
is hitting "USER_IN_WHITELIST". I have installed the plugins from
extremeshok and it has not stopped the problem.
I have no idea how good or bad or trustworthy the "extremeshok" plugins
may be, but nothing is going to overcome the "USER_IN_WHITELIST"
misconfiguration with its default score of -100. You should NOT fully
whitelist *any* domain on a domain-wide basis without authentication of
the sender of some sort. At worst, use 'def_whitelist_from' instead,
which only scores -15 by default.
Emails have header info such as:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail
So: only 9 years out of date and with about a half-dozen publicly
documented significant security issues as well as about a dozen other
unpleasant bugs that can cause scans to just abort or run forever. And
hundreds of other bugs. Also: in a few weeks we will no longer publish
rule updates with verification hashes that 3.3.2 can use, so if this
system is getting rule updates, it won't be for long.
X-Spam-Status: No, score=-60.8 required=5.0
tests=ALL_CODING,ALL_OZ,BAYES_99,
The message would have scored 39.2 without the USER_IN_WHITELIST hit.
Modern SpamAssassin has the 'whitelist_from_auth' mechanism (and that
requires the whitelisted address to pass either SPF or DKIM testing),
which reduces the risk of whitelisting. I believe that dates back to
v3.1.x, so you should definitely change any system-wide 'whitelist_from'
directives to 'whitelist_from_auth' where the domains have working SPF
or DKIM, and to 'def_whitelist_from' otherwise. You can also adjust the
scores of USER_IN_WHITELIST and USER_IN_DEF_WHITELIST to less
overpowering values, e.g. -10 and -5 instead of -100 and -15.
[...]
If I send a test email with Fuckbuddy in the subject from my GMail
account spamassassin catches it and sends it to the spam folder.
Yes, because no one in their right minds would whitelist all of GMail.
Ideas?
1. Update to SA 3.4.4. It has an anti-spoofing plugin that is in active
maintenance and which we believe to be good enough to distribute with
the project distribution.
2. Add lines like these (with whatever scores you deem reasonable...) to
your local.cf file:
score USER_IN_WHITELIST -10
score USER_IN_DEF_WHITELIST -5
3. Switch any system-wide whitelisting to mechanisms that are tighter
and/or weaker: whitelist_from_rcvd, whitelist_from_auth, and their
weaker def_* variants.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
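An added example, not part of the thread or of SpamAssassin itself: a small Python audit of a local.cf that flags the misconfiguration discussed above (a domain-wide 'whitelist_from' with no sender authentication, plus USER_IN_WHITELIST and USER_IN_DEF_WHITELIST left at their default -100 and -15) and emits the hardened equivalents Bill suggests ('whitelist_from_auth' and the -10/-5 score overrides). It also recomputes an X-Spam-Status score as if one rule had not fired, which is how the "39.2 without the USER_IN_WHITELIST hit" figure comes about. The config text and the X-Spam-Status header below are constructed for the example; the assumption that the rewritten domains publish working SPF or DKIM (otherwise 'def_whitelist_from' is the right target) is marked in the code.

```python
"""Audit a SpamAssassin local.cf for domain-wide whitelisting and show
what a message would have scored without a given rule.

Constructed example; not code from the SpamAssassin project."""
import re

# Stock scores for the two list rules in SpamAssassin 3.x.
DEFAULT_LIST_SCORES = {"USER_IN_WHITELIST": -100.0, "USER_IN_DEF_WHITELIST": -15.0}
# Less overpowering overrides, as suggested in the thread.
SAFER_LIST_SCORES = {"USER_IN_WHITELIST": -10.0, "USER_IN_DEF_WHITELIST": -5.0}

# Constructed local.cf: one domain-wide whitelist_from, one per-address
# entry, one already-weak def_ entry and one already-authenticated entry.
SAMPLE_LOCAL_CF = """\
# constructed example local.cf
required_score 5.0
whitelist_from *@example.com
whitelist_from boss@example.com
def_whitelist_from *@partner.example
whitelist_from_auth *@vendor.example
"""

# Constructed X-Spam-Status header (single line, tests list not wrapped).
SAMPLE_STATUS = ("X-Spam-Status: No, score=-60.8 required=5.0 "
                 "tests=ALL_CODING,ALL_OZ,BAYES_99,USER_IN_WHITELIST "
                 "autolearn=no version=3.3.2")


def is_domain_wide(pattern):
    """True when a whitelist glob matches every sender of a domain.

    SpamAssassin list entries are file-glob patterns: '*@isp.com' and a
    bare '*.domain.net' (no '@') both cover a whole domain."""
    local, _, _domain = pattern.rpartition("@")
    return local == "" or "*" in local or "?" in local


def audit(text):
    """Return (findings, hardened_lines) for a local.cf body."""
    findings, hardened, overridden = [], [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            hardened.append(raw)          # keep comments and blank lines
            continue
        directive, args = parts[0], parts[1:]
        if directive == "whitelist_from" and args and is_domain_wide(args[0]):
            findings.append(
                f"domain-wide whitelist_from {args[0]}: fires USER_IN_WHITELIST "
                f"for any spoofed From with no sender authentication")
            # Assumption: this domain has working SPF or DKIM.  If it does
            # not, def_whitelist_from (USER_IN_DEF_WHITELIST) is the target.
            hardened.append(f"whitelist_from_auth {args[0]}")
        elif directive == "score" and args and args[0] in DEFAULT_LIST_SCORES:
            overridden.add(args[0])
            hardened.append(raw)
        else:
            hardened.append(raw)
    for rule, default in DEFAULT_LIST_SCORES.items():
        if rule not in overridden:
            findings.append(f"{rule} still at its default score {default:g}")
            hardened.append(f"score {rule} {SAFER_LIST_SCORES[rule]:g}")
    return findings, hardened


_SCORE_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)")
_TESTS_RE = re.compile(r"tests=(\S+)")


def score_without(status_header, rule, rule_score):
    """Recompute an X-Spam-Status score as if `rule` (worth `rule_score`)
    had not fired.  Returns (score, would_be_spam)."""
    m = _SCORE_RE.search(status_header)
    if not m:
        raise ValueError("no score=/required= in header")
    score, required = float(m.group(1)), float(m.group(2))
    t = _TESTS_RE.search(status_header)
    fired = t.group(1).rstrip(",").split(",") if t else []
    if rule in fired:
        score -= rule_score
    score = round(score, 1)
    return score, score >= required


if __name__ == "__main__":
    found, fixed = audit(SAMPLE_LOCAL_CF)
    print("\n".join("FINDING: " + f for f in found))
    print("\n".join(fixed))
    print(score_without(SAMPLE_STATUS, "USER_IN_WHITELIST", -100.0))
```

Run it against a real local.cf by reading the file into `audit()`; for headers that wrap the tests= list across continuation lines, unfold the header first, since the regex here expects a single line.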