On Thu, 12 Nov 2020, Darrell Budic wrote:

On Nov 12, 2020, at 11:54 AM, John Hardin <jhar...@impsec.org> wrote:

On Thu, 12 Nov 2020, Darrell Budic wrote:

Got a few of these 411 google form spams recently and was wondering why they 
weren’t getting caught by SA. Looks like the Return-Path: is triggering a 
whitelist rule on google.com so the rest of the tests aren’t enough to get it 
tagged. Anything I can do to keep the whitelist rule from firing when the free 
mail rules have been tripped?

You can't keep it from firing beyond removing google.com from the whitelist, 
which would impact non-gmail google mails. What you *can* do is define a meta 
to offset the whitelist score:

 meta     FREEM_WLIST_OFFSET  USER_IN_SPF_WHITELIST && FREEMAIL_FROM
 score    FREEM_WLIST_OFFSET  100.000   # offset whitelist score
 describe FREEM_WLIST_OFFSET  Offset SPF whitelist on freemail From

Of course, that would prevent you from auth-whitelisting any freemail provider, 
if you wanted to do such a thing.

Thanks, figured it would be something like that.

Would this make sense for something a bit more granular?

uri      GOOGLE_FORMS               /docs\.google\.com\/forms\//
meta     FREEM_WLIST_OFFSET_GOOGLE  GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score    FREEM_WLIST_OFFSET_GOOGLE  100.000   # offset whitelist score
describe FREEM_WLIST_OFFSET_GOOGLE  Offset SPF whitelist on freemail From for google forms

There's already a google doc subrule in the base ruleset, try using that:

meta     FREEM_GDOC_WLIST_OFFSET  USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC
score    FREEM_GDOC_WLIST_OFFSET  100.000   # offset whitelist score, same as above
describe FREEM_GDOC_WLIST_OFFSET  Offset SPF whitelist on freemail From linking a google doc

I'd have to see a spample to tell whether that would hit your particular case, though. Can you upload an example to pastebin for us?


X-Spam-Tests: 
BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  We have to realize that people who run the government can and do
  change. Our society and laws must assume that bad people -
  criminals even - will run the government, at least part of the
  time.                                               -- John Gilmore
-----------------------------------------------------------------------
 166 days since the first private commercial manned orbital mission (SpaceX)
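An added example, not from the thread or from SpamAssassin itself: a small Python evaluator for SpamAssassin-style meta expressions (rule names, `!`, `&&`, `||`, parentheses), run against the X-Spam-Tests value quoted above. The rule names, the two meta expressions and the sample header are taken from the thread; the tokenizer, the recursive-descent evaluator and the helper names (`parse_hits`, `evaluate_meta`, `unobservable_subrules`, `which_metas_fire`) are mine. It shows FREEM_WLIST_OFFSET firing on that header and the FREEM_GDOC_WLIST_OFFSET variant not, because `__` subrules carry no score and never appear in X-Spam-Tests, so a list of scored hits alone cannot tell you whether __URI_GOOGLE_DOC matched; that needs the full message.

```python
# Added example (not SpamAssassin code): evaluate SA-style meta expressions over
# the set of rule names that hit. Handles names, !, &&, || and parentheses only.
import re

# Constructed sample: the X-Spam-Tests header value quoted in the thread.
SAMPLE_X_SPAM_TESTS = (
    "BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,"
    "FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,"
    "LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,"
    "SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST"
)

# The two offset metas proposed in the thread (rule name -> expression).
META_RULES = {
    "FREEM_WLIST_OFFSET": "USER_IN_SPF_WHITELIST && FREEMAIL_FROM",
    "FREEM_GDOC_WLIST_OFFSET": "USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC",
}

_TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
_OPERATORS = {"&&", "||", "!", "(", ")"}


def parse_hits(header_value):
    """Split an X-Spam-Tests value into the set of rule names that hit."""
    return {t.strip() for t in header_value.split(",") if t.strip()}


def tokenize(expr):
    """Break a meta expression into operator and rule-name tokens."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate_meta(expr, hits):
    """Return True if the meta fires for the given hit set (! binds tightest, then &&, then ||)."""
    toks, pos = tokenize(expr), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()  # parse the rhs unconditionally so its tokens are consumed
            value = value or rhs
        return value

    def parse_and():
        value = parse_unary()
        while peek() == "&&":
            take()
            rhs = parse_unary()
            value = value and rhs
        return value

    def parse_unary():
        tok = take()
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in _OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return tok in hits  # a rule name is true iff that rule hit

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing input: {peek()!r}")
    return result


def unobservable_subrules(expr):
    """'__' names are SA subrules: they score 0 and are never listed in X-Spam-Tests."""
    return {t for t in tokenize(expr) if t not in _OPERATORS and t.startswith("__")}


def which_metas_fire(header_value, metas=META_RULES):
    """Map each meta name to whether it fires on the hits recorded in the header."""
    hits = parse_hits(header_value)
    return {name: evaluate_meta(expr, hits) for name, expr in metas.items()}


if __name__ == "__main__":
    for name, fired in which_metas_fire(SAMPLE_X_SPAM_TESTS).items():
        hidden = sorted(unobservable_subrules(META_RULES[name]))
        print(f"{name}: {fired}" + (f"  (header cannot show: {hidden})" if hidden else ""))
```

The evaluator deliberately parses the right-hand side of `&&` and `||` even when the result is already known, so malformed expressions are rejected rather than silently accepted. It only mirrors the boolean subset of meta syntax; SpamAssassin metas can also use arithmetic and comparisons, which this does not attempt.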
