On Thu, 29 Aug 2013, Michael Schaap wrote:

> On 29-Aug-2013 00:30, John Hardin wrote:
>> On Wed, 28 Aug 2013, Michael Schaap wrote:
>>> Hi,
>>> I'm getting loads of fake LinkedIn invites, most of which aren't caught by
>>> SpamAssassin.
>>> Does anyone have a good SpamAssassin rule to catch those, while letting
>>> real LinkedIn invites through?
>>
>> Do they fail SPF or DKIM?
>
> Unfortunately not, for the most part. (The "From:" header is at linkedin dot
> com, but the envelope sender is a random address, and I guess SPF and DKIM
> run on the envelope sender only.)
>
>> If they do, and the legit ones pass SPF or DKIM, then the standard solution
>> is to add a header rule to detect that the message claims to be from that
>> domain (e.g. using the domain part of the From or Reply-To headers), and
>> then either give that rule some points and also define whitelist_from_auth
>> for the domain, or meta that rule with (SPF_FAIL || DKIM_FAIL) and give the
>> meta some points.
>> There were some examples of doing this for facebook within the last couple
>> of weeks, check the list archives.
>
> Hmm, legit ones have SPF_PASS.
> So I guess I could set up a rule that punishes messages “From:” linkedin
> which don't have SPF_PASS. I might give that a try, once I find some time to
> figure out how...

Untested but try:
whitelist_auth *@bounce.linkedin.com
whitelist_auth *@linkedin.com
blacklist_from *@linkedin.com
The whitelist_auth will kick in on any message from @linkedin.com which
passes SPF or DKIM thus will null out the bad points from the
blacklist_from, and end up being neutral.
Any purported linkedin.com message not getting the whitelist_auth boost
will be clobbered by the blacklist_from.
One caveat, a transient DNS failure might cause the SPF/DKIM to not verify
thus not boosting legit linkedin messages.
There is a low-power version of whitelist_auth called def_whitelist_auth
which only boosts by +15 (I use it for a lot of stuff). However there
isn't a def_blacklist_from so you have to use the "full strength" versions
of both white/black list (+100/-100) to make them balance out each other.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
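
The header-plus-meta approach described in the quoted text above, written out as a SpamAssassin `local.cf` fragment. This is an added example, not part of the original thread: the `LOCAL_*` rule names and the scores are hypothetical, and it assumes the SPF and DKIM plugins are loaded.

```conf
# Added example: rule names and scores are hypothetical; tune them on your own mail.

# Sub-rule (double underscore = no score of its own): the From: address
# claims to be at linkedin.com or one of its subdomains.
header   __LOCAL_FROM_LINKEDIN   From:addr =~ /\@(?:[a-z0-9-]+\.)*linkedin\.com$/i

# Variant discussed in the thread: claims linkedin.com but has no SPF pass.
# SPF is evaluated on the envelope sender, so a message with a forged From:
# and an unrelated envelope domain that publishes its own SPF record can
# still hit SPF_PASS and slip past this rule.
meta     LOCAL_LINKEDIN_NO_SPF   __LOCAL_FROM_LINKEDIN && !SPF_PASS
describe LOCAL_LINKEDIN_NO_SPF   From: is linkedin.com but SPF did not pass
score    LOCAL_LINKEDIN_NO_SPF   2.5

# Variant tied to the From: domain instead of the envelope: DKIM_VALID_AU
# only hits when a valid signature comes from the author (From:) domain.
# Assumption: legitimate LinkedIn mail is DKIM-signed by linkedin.com;
# confirm that against your own ham before giving this a high score.
meta     LOCAL_LINKEDIN_NO_DKIM  __LOCAL_FROM_LINKEDIN && !DKIM_VALID_AU
describe LOCAL_LINKEDIN_NO_DKIM  From: is linkedin.com but no author-domain DKIM
score    LOCAL_LINKEDIN_NO_DKIM  2.5
```

Both metas can hit the same message, in which case their scores add. Check the file with `spamassassin --lint` before reloading.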