On 4/10/2013 9:00 PM, Alex wrote:
> Hi,
>
>>> Would someone put some samples of Yahoo single link spam on
>>> PasteBin.
>>>
>>> I am trying to test my rules and I seem to be missing
>>> some of the variations.
>>
>> Here's an example: it is the message I developed the
>> following rule against: http://pastebin.com/VRvtDfER
>>
>> I've obfuscated all e-mail addresses in it and verified
>> that my rule catches the obfuscated version. The rule is this:
>>
>> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
>> header __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
>> header __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
>> meta MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
>> score MG_YAHOO_FS 50
>>
>> Some time ago Martin posted his rules for blocking yahoo link
>> spam, and it's been working relatively well for my system.
>> However, I'm now noticing a number of FPs that are "From"
>> bellsouth.net addresses but pass through yahoo servers. They
>> have DKIM and DomainKey signatures from bellsouth, yet otherwise
>> appear to have no association with bellsouth.net.
>>
>> Is it just possible that bellsouth is using yahoo's servers?
>> If so, could there be other "affiliates" that use yahoo that
>> could also cause FPs?
>
> I can confirm that bellsouth uses yahoo mail services for at
> least some of their customer mail. Legit @bellsouth.net mail
> may arrive via a yahoo server.
>
> I looked at a handful of others that are in the quarantine, and
> there's also quite a bit of actual junk there as expected, not
> just FPs.
>
> So, I've lowered the score to something that should require at
> least a few other rules to trigger before it's considered spam. I
> think this is actually a better option than adding bellsouth.net
> to the "From" header rule to categorically allow all bellsouth
> mail through. Even found one message with 67 points, yikes!
>
> There are also a few with DKIM signature failures, yet DKIM_VALID
> is triggered:
>
> Authentication-Results: mail01.example.com (amavisd-new); dkim=pass
>   header.i=@bellsouth.net
> Authentication-Results: mail01.example.com (amavisd-new);
>   domainkeys=softfail (fail, message has been altered)
>   header.from=joepatfan...@bellsouth.net
>
> Is this because it's only a softfail?
domainkeys is not DKIM. Generally, domainkeys can be ignored. See
Wikipedia for more details.

My crystal ball suggests that domainkeys failed because some part of
the message not protected by DKIM was altered, such as a footer being
added, or a header mangled.

-- Noel Jones
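As an added illustration of both the MG_YAHOO_FS meta rule quoted above and Noel's point that a domainkeys result is separate from DKIM, here is a Python sketch (not from the thread and not SpamAssassin code) that evaluates the rule's two header regexes and reads the Authentication-Results headers of a constructed message. The sample message, its Message-ID, the mail01.example.com host and the modelling of DKIM_VALID as a dkim=pass result are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample, not from the thread: a bellsouth.net sender relayed
# through Yahoo, carrying the two Authentication-Results lines Alex quoted.
SAMPLE_BELLSOUTH = """\
From: Joe <joepatfan@bellsouth.net>
Message-ID: <123456.abcdef@web120101.mail.ne1.yahoo.com>
Authentication-Results: mail01.example.com (amavisd-new); dkim=pass header.i=@bellsouth.net
Authentication-Results: mail01.example.com (amavisd-new); domainkeys=softfail (fail, message has been altered) header.from=joepatfan@bellsouth.net
Subject: hi

body
"""

# The two header sub-rules from the thread, as Python regexes.
YAHFS1 = re.compile(r"yahoo\.com>$")         # __MG_YAHFS1: Message-id =~ /yahoo\.com>$/
YAHFS2 = re.compile(r"yahoo\.(com|co\.uk)")  # __MG_YAHFS2: From =~ /yahoo\.(com|co\.uk)/
AUTHRES = re.compile(r"\b(dkim|domainkeys)=(\w+)")

def mg_yahoo_fs(msg: Message) -> bool:
    """meta MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)"""
    hit1 = YAHFS1.search(msg.get("Message-ID", "")) is not None
    hit2 = YAHFS2.search(msg.get("From", "")) is not None
    return hit1 and not hit2

def auth_results(msg: Message) -> dict:
    """Collect method=result pairs from every Authentication-Results header;
    dkim and domainkeys are kept apart because they are different schemes."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in AUTHRES.findall(hdr):
            found[method] = result
    return found

def classify(raw: str) -> dict:
    """Simplified verdict: DKIM_VALID is modelled here as dkim=pass in
    Authentication-Results (real SpamAssassin verifies the signature itself)."""
    msg = message_from_string(raw)
    ar = auth_results(msg)
    return {
        "MG_YAHOO_FS": mg_yahoo_fs(msg),        # fires: yahoo Message-ID, non-yahoo From
        "DKIM_VALID": ar.get("dkim") == "pass",  # True: the DKIM signature passed
        "domainkeys": ar.get("domainkeys"),      # "softfail": DomainKeys, not DKIM
    }
```

Run against the sample, the rule fires on legitimate bellsouth mail (the FP Alex describes) while DKIM_VALID is true and only the separate domainkeys check reports softfail, which is why a lower score that needs corroborating rules is the safer fix.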