On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
> On Aug 29, 2013, at 4:40 AM, RW <rwmailli...@googlemail.com> wrote:
>
> > On Thu, 29 Aug 2013 00:55:29 +0200
> > Michael Schaap wrote:
> >
> >> On 29-Aug-2013 00:30, John Hardin wrote:
> >>> On Wed, 28 Aug 2013, Michael Schaap wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I'm getting loads of fake LinkedIn invites, most of which aren't
> >>>> caught by SpamAssassin.
> >>>> Does anyone have a good SpamAssassin rule to catch those, while
> >>>> letting real LinkedIn invites through?
> >>> Do they fail SPF or DKIM?
> >>>
> >> The "From:" header is at linkedin dot com, but the envelope sender is
> >> a random address
> >
> > I'm guessing that legitimate linkedin mail has something other than a
> > random address in its envelope sender.
> >
> no need to guess
>
The headers you've sent don't contain an envelope sender (the "From" header) or a "From:" header.

What is the domain name in the "Message-ID:" header of a genuine LinkedIn message? Another possibility would be to reject anything that claims to be "From:" LinkedIn but doesn't have the appropriate domain name in its message id.

> Received: by 10.217.45.68 with SMTP id a46csp19989wew; Wed, 28 Aug 2013
>   13:57:59 -0700 (PDT)
> Received: from leila.iecc.com (leila6.iecc.com.
>   [2001:470:1f07:1126:0:4c:6569:6c61]) by mx.google.com with ESMTPS id
>   x3si106237qas.146.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA
>   bits=128/128); Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
> Received: (qmail 12685 invoked by uid 1014); 28 Aug 2013 20:57:57 -0000
> Received: (qmail 12680 invoked from network); 28 Aug 2013 20:57:57 -0000
> Received: from mailc-fa.linkedin.com (mailc-fa.linkedin.com [199.101.162.77])
>   by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 34167/25 id
>   539419450; 28 Aug 2013 20:57:53 -0000
> X-Received: by 10.229.179.137 with SMTP id bq9mr10582950qcb.11.1377723478996;
>   Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
> Return-Path:
>   <m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com>
> Received-Spf: softfail (google.com: domain of transitioning
>   m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
>   does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender)
>   client-ip=2001:470:1f07:1126:0:4c:6569:6c61;
> Authentication-Results: mx.google.com; spf=softfail (google.com: domain of
>   transitioning
>   m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
>   does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender)
>   smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com;
>   dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE)
>   d=linkedin.com
> Authentication-Results: iecc.com; spf=pass
>   spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
>   spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com
>   header.b="yTQxEigD"; dmarc=pass header.from=linkedin.com policy=reject
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on leila.iecc.com
> X-Spam-Level:
> X-Spam-Status: No, score=-12.6 required=4.4 tests=DKIM_SIGNED,DKIM_VALID,
>   DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED,
>   RCVD_IN_RP_SAFE,RP_MATCHES_RCVD autolearn=unavailable version=3.3.2
> Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com;
>   h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl;
>   b=LeVz8j1vCA5eInVlQoy1R2cc1m/KJfCNOIy5A2oT9InYxvEtsqqPICJbTROiCnxV
>   XhZhEtvh/z/E9qxYnqjrs8jsPNaiPoS3k/2giZoCAviri4PtQUa0ItD2SpYN3iUh
> Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024;
>   c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1377723459;
>   h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl:
>   X-LinkedIn-Template; bh=M1AJY3ogQKLz5Vc1bK3tB2dbd58=;
>   b=yTQxEigDySwE9gynJ5UlILn2G6myZ9XiHShT5BhUjukBwllSRqgBaf/7BAiDD4Ku
>   7OPkXtp14RZzykua0KXcIayOc+xpL2EriMQVX5mDkjbriBF5sFGK1kk+WqnGIIjk
>   HRgzzsg2CDIY34jlet+qfM9+BiEEs3WYi+q5hmun0m0=;
> Sender: messages-nore...@bounce.linkedin.com
> Message-Id: <1271127196.48543013.1377723459176.javamail....@ela4-app2520.prod>
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="----=_Part_48543007_1435785298.1377723459174"
> X-Linkedin-Template: anet_digest_type
> X-Linkedin-Class: GROUPDIGEST
> X-Linkedin-Fbl: m-pNHvq1bOcYM0uxG7j38mb1bv9RRMgop7tfdwzEyGlxBMrDufU1n
> X-Dcc-Iecc-Metrics: leila.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
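
Added example, not part of the thread and not a rule any poster supplied: a SpamAssassin local-rules sketch of the two checks discussed above (a linkedin.com "From:" with no valid author-domain DKIM signature, and a linkedin.com "From:" whose envelope sender is elsewhere). The LI_* rule names and the scores are assumptions, and the bounce.linkedin.com envelope domain is taken only from the single genuine sample quoted above.

```conf
# Added example; rule names (LI_*) and scores are assumptions, not from the thread.
# DKIM_VALID_AU comes from the stock DKIM plugin, which must be loaded:
#   loadplugin Mail::SpamAssassin::Plugin::DKIM

# Author address claims linkedin.com (the header.from domain in the sample).
header   __LI_FROM        From:addr =~ /\@linkedin\.com$/i

# Envelope sender as SpamAssassin sees it. It is empty when the MTA did not
# record one, so test for presence separately to avoid firing on missing data.
header   __LI_ENV_SEEN    EnvelopeFrom =~ /\S/
header   __LI_ENV_OK      EnvelopeFrom =~ /\@bounce\.linkedin\.com$/i

# From: linkedin.com with no valid signature from the author's own domain.
meta     LI_FROM_NO_DKIM  (__LI_FROM && !DKIM_VALID_AU)
describe LI_FROM_NO_DKIM  linkedin.com From: without author-domain DKIM
score    LI_FROM_NO_DKIM  3.0

# From: linkedin.com, envelope sender known and outside bounce.linkedin.com.
meta     LI_FROM_ENV_MISMATCH  (__LI_FROM && __LI_ENV_SEEN && !__LI_ENV_OK)
describe LI_FROM_ENV_MISMATCH  linkedin.com From:, envelope sender elsewhere
score    LI_FROM_ENV_MISMATCH  2.0
```

Run `spamassassin --lint` after adding the rules. The scores are kept moderate because a transient DNS failure during DKIM verification also leaves DKIM_VALID_AU unset.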