On 25/03/16 00:55, Alex wrote:
> Hi,
>
> First, I'm wondering why parking.ru isn't among the freemail domains?

Probably because the FreeMail plugin is designed to detect the right-hand
side of email addresses for providers like Gmail and AOL, and parking.ru
looks like a general-purpose web host. Does it offer free email service
@parking.ru?

> Perhaps it should be added?

You could do that in your config with

  freemail_domains parking.ru

> Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
>   by mail02.example.com (Postfix) with ESMTP id 6ED82347D26
>   for <pa...@example.com>; Wed, 23 Mar 2016 17:42:50 -0400 (EDT)
>
> I'm reading through the FREEMAIL_* rules, and wondered, how can I
> build a rule that looks to see if email was passed through a freemail
> domain?
>
> I realize there's FREEMAIL_FROM, etc. I'm interested in something like
> FREEMAIL_RECVD or something similar.

There's no man page for Mail::SpamAssassin::Plugin::FreeMail, but the
comments include

  # header FREEMAIL_HDRX eval:check_freemail_header('header' [, 'regex'])
  #
  # Searches defined header for freemail address. Optional regex to match
  # the found address (like in check_freemail_from).

So you could do

  eval:check_freemail_header('Received')

However, this looks for full email addresses, so I don't think it's of use
to you, unless you want to catch 'example.com'.

[BTW I wrote an incomplete patch to this function in bug 6664 so it could
be used as:

  header FREEMAIL_FORGED_REPLYTO4 eval:check_freemail_header('Reply-To','\@','From')
  describe FREEMAIL_FORGED_REPLYTO4 Any Reply-To freemail not in From

and then exclude __HAS_IN_REPLY_TO __DOS_HAS_LIST_UNSUB etc, which improves
accuracy in picking up 419s. I still mean to upload a correct patch.]

So isn't what you want something like this?

  header RCVD_DIRTY_SERVERS Received =~ /\.parking\.ru/

or

  header RCVD_DIRTY_SERVERS X-Spam-Relays-Untrusted =~ / helo=\S+\.(?:parking\.ru|dirty\.tld)/

> We're experiencing a higher than normal level of spoofing attempts,
> and don't have the ability to implement DKIM/DMARC at the moment. SPF
> is being worked on.
>
> Having knowledge that a freemail sender was used in a spoof/phish
> attempt I believe would be helpful.

I'm seeing some 419s from parking.ru, but not what I'd call phish. Do you
mean you're getting a lot of spam that comes from your own domain? IMHO
it's usually a mistake to focus on that characteristic, as it's incidental.
It's better to check the first-level checks are working, like RBLs.

Maybe pastebin some full samples?

HTH
CK
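The Received-header walk that the RCVD_DIRTY_SERVERS rule above performs, modelled in Python as an added example (not code from the thread or from SpamAssassin). The relay list, the sample message and the look-alike host name are constructed, and the domain match is anchored at a label boundary so that a HELO merely containing "parking.ru" does not fire, which the bare /\.parking\.ru/ regex would.

```python
import re
from email import message_from_string

# Relay domains to flag; mirrors the domain list in the RCVD_DIRTY_SERVERS rule.
# "dirty.tld" is the thread's placeholder, not a real host (constructed list).
DIRTY_RELAY_DOMAINS = ("parking.ru", "dirty.tld")

# The "from HELO (rDNS [IP])" clause that Postfix-style Received: headers carry.
_RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>\S+)\s*\[(?P<ip>[^\]]+)\]", re.IGNORECASE
)

def host_in_domains(host, domains=DIRTY_RELAY_DOMAINS):
    """Anchored suffix match: 'mail05.parking.ru' is under 'parking.ru', but
    'parking.ru.lookalike.example' is not (the thread's bare regex would match both)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def dirty_relays(raw_message, domains=DIRTY_RELAY_DOMAINS):
    """Walk every Received: header (index 0 = most recent hop) and return the
    hops whose HELO name or reverse DNS lies under one of the domains."""
    msg = message_from_string(raw_message)
    hits = []
    for hop, received in enumerate(msg.get_all("Received", [])):
        m = _RECEIVED_FROM.search(" ".join(received.split()))  # unfold the header
        if m and any(host_in_domains(m[g], domains) for g in ("helo", "rdns")):
            hits.append({"hop": hop, **m.groupdict()})
    return hits

# Constructed sample: the hop quoted in the thread, plus an internal hop and a
# look-alike HELO that must not fire.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by inbox.example.com (Postfix) with ESMTP id 1234 for <user@example.com>;
    Wed, 23 Mar 2016 17:42:51 -0400 (EDT)
Received: from mail05.parking.ru (mail05.parking.ru [195.128.120.25])
    by mail02.example.com (Postfix) with ESMTP id 6ED82347D26
    for <user@example.com>; Wed, 23 Mar 2016 17:42:50 -0400 (EDT)
Received: from parking.ru.lookalike.example (unknown [198.51.100.7])
    by mail05.parking.ru (Postfix) with SMTP id 42
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hit in dirty_relays(SAMPLE):
        print(f"hop {hit['hop']}: helo={hit['helo']} rdns={hit['rdns']} ip={hit['ip']}")
```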