On 1/29/2025 07:28:13, Greg Troxel wrote:
Niamh Holding <ni...@fullbore.co.uk> writes:

Given the From: address can be so easily faked is a rule testing its validity a 
great idea?
This seems tricky to figure out.

The message's routing is obviously very sketchy.

But, it also appears that spamassassin has validated the DKIM signature
from paypal.com.  So the key question is whether

   - 1) this email was emitted from paypal's mail system
   - 2) paypal's DKIM signing key is compromised
   - 3) spamassassin is misparsing DKIM
   - 4) something else

I would take the message and run it through SA with -D -t.
I am guessing we are in case 1.

To be clear: if this is case 1, then it is not true that "the From:
address [is] faked".


If paypal is emitting user-generated content with DKIM signatures, then
they should be summarily removed from DKIM WL.  The point of those WL
entries is to cover mail that is really from those companies, believed
to be essentially never spam.

Also there is DKIMWL at high, and if you have a message with a valid
DKIM signature reporting it there as well would be good.

FWIW, I have seen these in several messages of this type:

. . .
        * -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
. . .

        *  0.0 POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not
        *      processed by any paypal MTA
        *  1.0 POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to
        *      Microsoft365 domain - likely fraud if you don't use MSFT365!

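The distinction Greg draws (a signature that really validates for paypal.com versus a faked From:) can be checked partly offline. The following is an added example, not code from the thread, from SpamAssassin or from PayPal: it parses each DKIM-Signature header, recomputes the body hash (bh=) with RFC 6376 simple/relaxed canonicalization, honours the l= length tag, and checks DMARC-style alignment between the From: domain and the signing domain (d=). The b= value itself cannot be verified without fetching the selector's public key from DNS, so that part is left to `spamassassin -D dkim -t < message.eml`. The sample messages, the `service@paypal.com` address, the `pp-dkim1` selector and the `mail.bulk-sender.example` domain are constructed for the example; `org_domain` is a two-label approximation of the organizational domain that ignores multi-label public suffixes such as co.uk.

```python
"""Offline DKIM triage: recompute bh= and check From:/d= alignment.
Added example; the b= signature is NOT verified here (needs the DNS key)."""
import base64
import email
import email.utils
import hashlib
import re
from typing import Optional


def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """RFC 6376 3.4.3 ("simple") / 3.4.4 ("relaxed") body canonicalization.
    Bare-LF input (a message saved on disk) is treated as CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of WSP to one SP, then drop trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization {method!r}")
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    if method == "simple" and not canon:
        canon = b"\r\n"                    # empty body is one CRLF under simple
    return canon


def body_hash(body: bytes, canon: str = "simple", algo: str = "sha256",
              length: Optional[int] = None) -> str:
    """Base64 body hash as carried in bh=, after optional l= truncation."""
    data = canonicalize_body(body, canon)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM tag-list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (no PSL lookup,
    so co.uk-style suffixes are handled wrongly; use the PSL in production)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def from_aligned(from_domain: str, signing_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment between the From: domain and DKIM d=."""
    if mode == "strict":
        return from_domain.lower() == signing_domain.lower()
    return org_domain(from_domain) == org_domain(signing_domain)


def check_message(raw: bytes) -> list:
    """One result dict per DKIM-Signature header in the raw RFC 5322 message."""
    m = re.search(rb"\r?\n\r?\n", raw)                # first blank line
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    headers = email.message_from_bytes(head + b"\n\n")
    from_domain = email.utils.parseaddr(headers.get("From", ""))[1].rpartition("@")[2]
    results = []
    for sig in headers.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(sig)
        canon = tags.get("c", "simple/simple")         # header/body canon
        body_canon = canon.split("/")[1] if "/" in canon else "simple"
        algo = tags.get("a", "rsa-sha256").rpartition("-")[2]
        length = int(tags["l"]) if "l" in tags else None
        results.append({
            "d": tags.get("d", ""), "s": tags.get("s", ""),
            "from_domain": from_domain,
            "body_hash_ok": body_hash(body, body_canon, algo, length) == tags.get("bh"),
            "aligned": from_aligned(from_domain, tags.get("d", "")),
        })
    return results


def build_message(from_addr: str, signing_domain: str, body: bytes) -> bytes:
    """Constructed test message (not real PayPal mail). bh= is computed from
    body; b= is a placeholder since the signature is not checked offline."""
    bh = body_hash(body, "relaxed", "sha256")
    head = (f"From: PayPal <{from_addr}>\r\nTo: someone@example.net\r\n"
            "Subject: You have received a payment\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={signing_domain};\r\n"
            f"\ts=pp-dkim1; h=From:To:Subject; bh={bh};\r\n"
            "\tb=bm90LWEtcmVhbC1zaWduYXR1cmU=\r\n")
    return head.encode("ascii") + b"\r\n" + body


BODY = b"Dear customer,\r\n\r\nYou received $10.00 from Example Shop.\r\n"
SAMPLE_ALIGNED = build_message("service@paypal.com", "paypal.com", BODY)
SAMPLE_UNALIGNED = build_message("service@paypal.com", "mail.bulk-sender.example", BODY)
SAMPLE_TAMPERED = SAMPLE_ALIGNED.replace(b"$10.00", b"$1000.00")  # body edited in transit

if __name__ == "__main__":
    for name, msg in [("aligned", SAMPLE_ALIGNED), ("unaligned", SAMPLE_UNALIGNED),
                      ("tampered", SAMPLE_TAMPERED)]:
        print(name, check_message(msg))
```

A message where both `body_hash_ok` and `aligned` are true, and whose b= then validates against the DNS key, is Greg's case 1: it really did leave the signing domain's mail system, so the From: is not faked even if the content is user-generated phishing. That is why a DKIM pass alone should not carry a large negative score for a domain that signs such content; locally, the SpamAssassin DKIM plugin's `unwhitelist_from_dkim` directive in local.cf removes a domain from the default DKIM whitelist.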