Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

Mon, 14 Nov 2022 13:39:42 -0800 

Corrected...

Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL     0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST &&
CUSTOM_FROM_PAYPAL
describe        CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM
whitelisting
score           CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK     USER_IN_DKIM_WHITELIST &&
!CUSTOM_DKIM_WL_EXCEPTIONS
describe        CUSTOM_DKIM_OK     All other whitelisted senders
score           CUSTOM_DKIM_OK     -100

On Mon, Nov 14, 2022 at 4:38 PM Shawn Iverson <shawniver...@gmail.com>
wrote:

> For those fighting the same battles...
>
> # Default Whitelist Exceptions handling -- SJI 11/14/22
> shortcircuit USER_IN_DKIM_WHITELIST off
> score   USER_IN_DKIM_WHITELIST 0
> score   USER_IN_DEF_DKIM_WL     0
>
> header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST &&
> ENA_FROM_PAYPAL
> describe        CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM
> whitelisting
> score           CUSTOM_DKIM_WL_EXCEPTIONS  0.001
>
> meta    CUSTOM_DKIM_OK     USER_IN_DKIM_WHITELIST &&
> !CUSTOM_DKIM_WL_EXCEPTIONS
> describe        CUSTOM_DKIM_OK     All other whitelisted senders
> score           CUSTOM_DKIM_OK     -100
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson <shawniver...@gmail.com>
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch papal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson <ahodg...@lists.simkin.ca>
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>

Reply via email to