From: Matus UHLAR - fantomas <[email protected]>
>On 06.05.17 15:49, Thore Boedecker wrote:
>>After looking at the headers it became clear what the issue was:
>>
>>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>>@gmail.com senders to be sent through their servers.

>@gmail.com From: and envelope from. Sender: was yahoo...

The headers imply that this was sent from the Yahoo webmail interface which must allow users to set up an "identity" like Thunderbird does that allows custom From: and Return-Path: headers. They shouldn't allow this in their webmail interface.

BTW, their webmail interface should also add an X-Originating-IP: header of the client so we could tell which country it was sent from. I bet it wasn't Japan.

>>The funny thing is, that there is a @gmail.com address in both the
>>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>>'Reply-To:' and 'Sender:' headers.
>>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>>emails with a correct *Yahoo* signature.

>I wonder why didn't THE mail hit SPF_SOFTFAIL, since it was supposed to...

The email didn't go through a Google mail server and the envelope-from was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110.

>>Over on my side, the receiving end of these emails, there is my
>>spamassassin. SA discovers the DKIM signature and is able to validate
>>this signature against the Yahoo server which is totally undesirable
>>in my opinion.
>>Maybe strict DKIM alignment is not always the best choice, because
>>sometimes the emails are signed by different servers without sharing
>>one signing key for the entire domain.

>yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
>validator know?

Yahoo should stop allowing their webmail interface to control the From: and Return-Path: headers. I bet this spammer tried to send the email out from Google which blocked it so this is a way to abuse the Yahoo mail servers that are not good at blocking the outbound spam.

>I don't think this problem lies at DKIM verification, more on
>trustworthiness of yahoo who signs such mail,
>and the fact of missing SPF checks that I pointed out above.

DKIM does authentication and this email was from Yahoo. Note no DKIM_VALID_AU since the From: header was gmail.com.

>>So is there any way to make SA perform at least a relaxed DKIM
>>alignment check on the headers so that the DKIM signature domain has
>>to belong to the 'From:' address?

>every domain using yahoo mail servers would have to delegate DKIM to
>yahoo and yahoo would need to sign under all those domains.
>the same applies about any domain that does DKIM signing (e.g. gmail)

Interestingly, _dmarc.yahoo.com TXT record has "p=reject" which would have caused a DMARC fail with a bounce. Looks like this spammer noticed that yahoo.co.jp does not have a DMARC record which allowed them to send this spam even to recipients with DMARC checks enabled and honoring "p=reject" like my mail filters do.

>that is in fact change in requirements on DKIM itself...

I bet as we see DMARC gain traction like SPF has this will force these major mail hosting providers like Yahoo to shape up. Right now they are so big that we can't make them act responsibly. Yahoo should start rejecting email that is sent through them like this to prevent spammers abusing them.

Google is slowly turning up the heat with DMARC which forces the Internet to implement it. I know this is a pain but I went through this pain a few years ago and now I am glad to see Google using their influence for good. In a few more years all of our spam filtering will be better because of this.
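
An added example, not part of the original message and not SpamAssassin code: the alignment check asked about in the thread, written in Python, comparing each DKIM d= domain with the From: domain in strict and relaxed modes. The headers are constructed, the signatures are assumed to have already verified, and PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List; mail.yahoo.co.jp is a hypothetical subdomain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"com", "jp", "co.jp"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def from_domain(msg):
    """Domain of the author address in the From: header."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    """Signing domains (d= tag) of every DKIM-Signature header."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if match:
            found.append(match.group(1).lower())
    return found

def aligned(raw, mode="relaxed"):
    """True if a signing domain aligns with From: (signatures assumed verified)."""
    msg = message_from_string(raw)
    author = from_domain(msg)
    # strict compares full domains, relaxed compares organizational domains
    norm = (lambda d: d) if mode == "strict" else org_domain
    return any(norm(signer) == norm(author) for signer in dkim_domains(msg))

def sample(author, signer):
    """Constructed headers; local part and signature values are placeholders."""
    return (f"From: constructed-sender@{author}\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={signer}; s=constructed; b=CONSTRUCTED\n"
            "Subject: constructed sample\n\nbody\n")

SPOOFED = sample("gmail.com", "yahoo.co.jp")           # the case in this thread
GENUINE = sample("yahoo.co.jp", "yahoo.co.jp")         # signer is the author domain
SUBDOMAIN = sample("mail.yahoo.co.jp", "yahoo.co.jp")  # hypothetical subdomain
```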
