spamassassin-users mailing list archives

From Chip <jeffsch...@gmail.com>
Subject Re: From name containing a spoofed email address
Date Mon, 22 Jan 2018 22:44:00 GMT
Following is the full header with identifiable information anonymized. 
I have other examples of commercial bulk senders suggesting - even
promoting - the idea that it's okay to input your external email address
in the From: of the message editor.

I actually did notice the dmarc=fail as well as dkim=fail and figured
that was meant to indicate something was amiss.  But many legitimate
senders take advantage of using their external email addresses in the
From: field because through the course of their business dealings, they
have been known as "external email address" and do not want to use an
email address set up by the bulk sender just so the email passes as ham
(which would be an example of the technology creating the business
rather than the business creating the technology, at least in my view
anyway).

>From - Mon Jan  8 11:12:07 2018
X-Account-Key: account8
X-UIDL: GmailId160d6874a8cc3b63
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:

Delivered-To: recipient-name@gmail.com
Received: by 10.80.170.60 with SMTP id o57csp19987edc;
        Mon, 8 Jan 2018 08:07:59 -0800 (PST)
X-Google-Smtp-Source:
ACJfBos0ZEjYGCUohKc4D3Mjmx3Camt6rGbH3R5gevRWB7L7IaHBRie+EWMe3NapqMNqX3UTl2Mf
X-Received: by 10.99.170.13 with SMTP id e13mr9830140pgf.59.1515427678945;
        Mon, 08 Jan 2018 08:07:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1515427678; cv=none;
        d=google.com; s=arc-20160816;
        b=tJEHT+wo4VTi4+6kjBaAMDHymGY2TYeUOMFHq9SgUSfbgMLxoM4c+50i+EgzeB6jgN
         ckukID8K6wyK2wEVzWzJO7gG8kuHZs+HAPbBs0abu2KAmKYw6cx8Hl6ZpIijQM5JIdao
         xW3vtEiruey37eh1E3rOFGpvn8wI0Eto2fIFTg+zxQwzw5DivVZDz5DO9NC2SVpCKW1o
         6w9SZG2eoMcxR/z7EsdWslH7/pEdsYX9vL9It+I0BjsUA0h2RHjbwGiMfnk/8rehj2IC
         yVOdvNSN1hlaIPQd+xfom1UDIEdXM6iPjE8CgQFzdew92TXS/JOnrB7mM6daGVYXPIhO
         KhAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=arc-20160816;
        h=list-unsubscribe:precedence:content-transfer-encoding:mime-version
         :subject:message-id:to:from:date:dkim-signature
         :arc-authentication-results;
        bh=GGN7SrgQk2MoB6O8G3NoJ6r78aPmWaWLd5McGOiHhN0=;
        b=iCJAAsuyGq7GJ5yxMaQfuh9q+lpkpxANOhB4LwzvZozFZZQfB37kD8xPo0wQAz+t0t
         hEPdrGDlpaDjqoAEQ5nT5fL4V/1gjaB1wlWvzUxjX7d/IG6VCbvthPK+Og4GZuKt3N7I
         7mKyHfjodHfs6xh2tJp9HOVoVOvSHUrshDGwI13cU++7gWH6cWS+pL5D053qfKyuxwb0
         B8OTXJqm3t4zAmuTJe8YoTBSqvgdsyMpTNPnGIlh2Y35LBnOEL+5jfWgouSSZJl1lvrN
         lKk5c3UHwyJv1RtbfpO0dGPZXH43lwvPXFqhKvtxlmv+KThW6C3MHbDVAzXUzBO97H0M
         AVGg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@em.secureserver.net header.s=aug05em
header.b=CbQPsrTP;
       spf=pass (google.com: domain of
sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net
designates 198.71.244.36 as permitted sender)
smtp.mailfrom=sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path:
<sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net>
Received: from m205.em.secureserver.net (m205.em.secureserver.net.
[198.71.244.36])
        by mx.google.com with ESMTPS id
d62si6851150pga.576.2018.01.08.08.07.44
        for <recipient-name@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 08 Jan 2018 08:07:58 -0800 (PST)
Received-SPF: pass (google.com: domain of
sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net
designates 198.71.244.36 as permitted sender) client-ip=198.71.244.36;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@em.secureserver.net header.s=aug05em
header.b=CbQPsrTP;
       spf=pass (google.com: domain of
sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net
designates 198.71.244.36 as permitted sender)
smtp.mailfrom=sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=aug05em;
d=em.secureserver.net;
 h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:
 Content-Transfer-Encoding:List-Unsubscribe;
 bh=AHOMFUv53O915X4eZO2WOfU/8qI=;
 b=CbQPsrTPHETqtlok+3m22uvErHoo7tUpr2ATU2lyTCw9BMSmvhf9CL2Tuqd8YHQyDW6PQf68/CRI
   yRL/gEUoqovWXpbWeDxwanDI8c+l4sQfs4nS1VznDTVo0O85Jhgzrn2eW3wpuENBs75qHceow89l
   TWu+oEzaVGTPIg3F9cA=
Received: by m205.em.secureserver.net id haebl429tqgj for
<recipient-name@gmail.com>; Mon, 8 Jan 2018 09:06:33 -0700
(envelope-from
<sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net>)
Return-Path:
<sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net>
Date: Mon, 08 Jan 2018 09:06:33 -0700
From: blablabla <blablabla@gmail.com>
To: recipient-name@gmail.com
Message-ID:
<X1.xxxxx.121.4209.1515427593.9005513.3vs@a2plmmsworker07.prod.iad2.gdg.mail>
Subject: 2018 Happenings!
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_5a539709cfabf_986c3ff3c23bc2fc562928ed";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Personalized-By: Temple
X-Mimiaid:
4209-143484028-3396415218-63e97190b1f569cb93ae49eded6fb238c712a605
X-Member-ID: 3396415218
X-Feedback-ID: 143484028:madmimi
Precedence: bulk
X-Sable-ID: sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff
X-Report-Abuse: You can also report abuse here:
 https://sable.madmimi.com/abuse/new?id=xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff
X-Virtual-MTA: m205
List-Unsubscribe:
<mailto:sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@unsubscribes.em.secureserver.net?subject=Unsubscribe
 xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff>




On 01/22/2018 05:30 PM, shanew@shanew.net wrote:
> This particular effort is looking at the From header, not the EnvFrom
> header (though there is a check From==EnvFrom as well).  What we're
> looking for here are things like:
>
> From: "bob@usaa.com" <bgef453@gmail.com>
>
> Or look at the pastebin example at the start of the thread.
>
> Also, without seeing the full email, I can't say for sure; while your
> example may be legitimate email, the "dmarc=fail" suggests that the
> sender is, in fact, spoofing that gmail address (as in, it lacks a
> valid DKIM and/or doesn't come from a server approved by gmail's SPF
> record).  It's just that spoofing isn't a sure-fire way to determine
> that something is spam (if only...).
>
>
>
> On Mon, 22 Jan 2018, Chip wrote:
>
>> So it's my understanding that SA does the following with this rule: it
>> checks the From:addr and From:name values to find their domain and
>> triggers a rule hit if there is a domain in the From:name that doesn't
>> match the domain in the From:addr.
>>
>> However, when I examine the headers from many legitimate non-spoofed
>> emails from bulk senders such as constantcontact, madmimi, sendgrid,
>> etc., it is very common to find a legitimate sender with a From:addr such
>> as name@gmail.com which clearly conflicts with the domain name in the
>> From:addr; for example, with madmimi bulk sending:
>>
>> smtp.mailfrom=sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d93421ff@bounces.em.secureserver.net;
>>
>>        dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
>> Return-Path:
>> <sp_12xxxxx.55xx.1.d2b655xxxxxxxx21fe5d93421ff@bounces.em.secureserver.net;>
>>
>> Received: from m205.em.secureserver.net (m205.em.secureserver.net.
>> [1xx.xx.xxx.xx])
>>
>> From: balblabla <blablabla@gmail.com>
>>
>> Would this rule classify that email as probably spam when in fact it
>> most certainly is not?
>>
>> So what am I not understanding here?
>>
>> On 01/22/2018 10:20 AM, David Jones wrote:
>>> On 01/22/2018 09:05 AM, Rupert Gallagher wrote:
>>>> This is my current solution for a problem that has been discussed
>>>> many times in this list.
>>>> I wrote it last year, and it serves me well. Feel free to use it, if
>>>> you find it useful.
>>>>
>>>> This part goes into your local.cf:
>>>>
>>>> header   __F_DM1 eval:from_domains_mismatch()
>>>> header   __F_DM2 From:addr =~ /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
>>>> meta       F_DM ( __F_DM1 && ! __F_DM2 )
>>>> describe   F_DM From:name domain mismatches From:addr domain
>>>> priority   F_DM -1
>>>> score      F_DM 5.0
>>>>
>>>> This part goes into the general HeaderEval.pm:
>>>>
>>>> $self->register_eval_rule("from_domains_mismatch");
>>>> [...]
>>>> sub from_domains_mismatch {
>>>>    my ($self, $pms) = @_;
>>>>    # Guard each match: after a failed match $1 still holds the value
>>>>    # from the previous successful match, so assigning "$1" unconditionally
>>>>    # would copy the From:addr domain into $fromNameDomain.  Domains are
>>>>    # case-insensitive, so compare them lowercased.
>>>>    my $fromAddrDomain = '';
>>>>    my $fromNameDomain = '';
>>>>    if ($pms->get('From:addr', '') =~ /\@([^\@\s]+)/) {
>>>>       $fromAddrDomain = lc $1;
>>>>    }
>>>>    if ($pms->get('From:name', '') =~ /\@([^\@\"\s<>]+)/) {
>>>>       $fromNameDomain = lc $1;
>>>>    }
>>>>    dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain, fromAddrDomain=$fromAddrDomain");
>>>>    return 0 if $fromNameDomain eq '';               # no address in From:name: all well
>>>>    return 0 if $fromNameDomain eq $fromAddrDomain;  # domains match: all well
>>>>    return 1;                                        # mismatch, possibly spam
>>>> }
>>>>
>>>> R.G.
>>>>
>>>>
>>>
>>> This looks like a simple and valuable approach that should be
>>> considered for inclusion into SA for everyone.  Do you mind opening up
>>> a bug at https://bz.apache.org/SpamAssassin/ in the Plugins section?
>>>
>>> We could put this in for everyone with a low score and give it a trial
>>> run before increasing the score.  I will run it locally as well and
>>> see how it goes.
>>>
>>>
>>>>
>>>> Sent with ProtonMail <https://protonmail.com> Secure Email.
>>>>
>>>> -------- Original Message --------
>>>> On 17 January 2018 8:31 PM, David Jones <djones@ena.com> wrote:
>>>>
>>>>> Would a plugin need to be created (or an existing one enhanced) to be
>>>>> able to detect this type of spoofed From header?
>>>>>
>>>>> From: "hulu@hulumail.com !" lanya-f@hotmail.com
>>>>>
>>>>>
>>>>>
>>>>>     https://pastebin.com/vVhGjC8H
>>>>>
>>>>>     Does anyone else think this would be a good idea to make a rule
>>>>>     that at least checks both the From:name and From:addr to see if
>>>>>     there is an email address in the From:name and if the domain is
>>>>>     different add some points?
>>>>>
>>>>>     We are seeing more and more of this now that SPF, DKIM, and DMARC
>>>>>     are making it harder to spoof common/major brands that have
>>>>>     properly implemented some or all of them.
>>>>>
>>>>> David Jones
>>>>
>>>
>>
>
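
A stand-alone model of the two checks this thread turns on, added here as an example and not code from SpamAssassin or from anyone in the thread: the From:name/From:addr domain comparison behind F_DM, and the DMARC alignment test that yields dmarc=fail on the posted madmimi message even though SPF and DKIM both pass. Assumptions: Python's email.utils.parseaddr stands in for SA's From:name/From:addr extraction; the exemption list is copied from the __F_DM2 regex; the hulu example is given angle brackets around the address; the organizational domain is approximated by the last two labels rather than the Public Suffix List; every sample header is constructed from values quoted in the thread.

```python
"""Stand-alone model (added example, not SpamAssassin code) of the
From:name/From:addr domain-mismatch check behind F_DM and of the relaxed
DMARC alignment test behind the posted dmarc=fail.  Standard library only."""
import re
from email.utils import parseaddr

# A domain-shaped token after "@" inside a display name.  Requiring a dot and
# an alphabetic TLD keeps trailing junk such as " !" out of the capture.
_NAME_DOMAIN = re.compile(r"@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")

# Exemption in the spirit of __F_DM2 (assumed list, copied from the thread):
# certified-mail providers whose users carry an address in the display name.
_EXEMPT_ADDR_DOMAIN = re.compile(r"(pec|legalmail|telecompost)(\.[^.]+)?\.it", re.I)


def from_domains(from_value):
    """(name_domain, addr_domain) for the value of a From: header, lowercased.
    name_domain is '' when the display name carries no e-mail address."""
    name, addr = parseaddr(from_value)
    addr_domain = addr.rpartition("@")[2].lower()
    m = _NAME_DOMAIN.search(name)
    return (m.group(1).lower() if m else ""), addr_domain


def from_domains_mismatch(from_value):
    """F_DM logic: hit only if the display name contains an address whose
    domain differs from the real From:addr domain and the latter is not
    exempt.  Case-insensitive; a display name without "@" never hits."""
    name_domain, addr_domain = from_domains(from_value)
    if not name_domain:
        return False
    if _EXEMPT_ADDR_DOMAIN.fullmatch(addr_domain):
        return False
    return name_domain != addr_domain


def parse_auth_results(ar_value):
    """Extract spf/dkim/dmarc results plus the properties DMARC alignment
    needs from an Authentication-Results value as Gmail writes it.
    Clause 0 is the authserv-id (mx.google.com) and is skipped."""
    out = {}
    for clause in ar_value.split(";")[1:]:
        clause = " ".join(clause.split())
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        out[method] = {"result": result}
        for prop in ("smtp.mailfrom", "header.i", "header.d", "header.from"):
            pm = re.search(re.escape(prop) + r"=([^\s;]+)", clause)
            if pm:
                out[method][prop] = pm.group(1)
    return out


def _org_domain(domain):
    # Organizational domain approximated as the last two labels (assumption):
    # right for gmail.com and secureserver.net, wrong for suffixes like co.uk,
    # where a real implementation consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(from_value, ar_value):
    """Relaxed DMARC alignment: DMARC passes only if SPF passed for a MAIL
    FROM domain, or DKIM passed for a d=/i= domain, sharing the
    organizational domain of the RFC5322.From address."""
    _, from_domain = from_domains(from_value)
    ar = parse_auth_results(ar_value)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    spf_aligned = spf.get("result") == "pass" and _org_domain(spf_domain) == _org_domain(from_domain)
    dkim_aligned = dkim.get("result") == "pass" and _org_domain(dkim_domain) == _org_domain(from_domain)
    return {"from_domain": from_domain, "spf_domain": spf_domain,
            "dkim_domain": dkim_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned,
            "reported": ar.get("dmarc", {}).get("result")}


# Constructed samples: From: values quoted in the thread (angle brackets
# assumed for the hulu one) and the Authentication-Results of the posted message.
SAMPLE_FROMS = {
    "usaa_spoof": '"bob@usaa.com" <bgef453@gmail.com>',
    "hulu_spoof": '"hulu@hulumail.com !" <lanya-f@hotmail.com>',
    "bulk_gmail": "blablabla <blablabla@gmail.com>",
    "pec_exempt": '"mario@example.com" <mario@pec.example.it>',
}
SAMPLE_AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@em.secureserver.net header.s=aug05em"
    " header.b=CbQPsrTP; spf=pass (google.com: domain of"
    " sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net"
    " designates 198.71.244.36 as permitted sender)"
    " smtp.mailfrom=sp_xxxxx.4209.1.d2b5f620ffe1xxxxxxxe5d93421ff@bounces.em.secureserver.net;"
    " dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com"
)

if __name__ == "__main__":
    for label, value in SAMPLE_FROMS.items():
        print(f"{label:11} F_DM={from_domains_mismatch(value)!s:5} {from_domains(value)}")
    print(dmarc_alignment(SAMPLE_FROMS["bulk_gmail"], SAMPLE_AUTH_RESULTS))
```

Run as a script it prints one line per sample. The bulk_gmail case shows why the rule as designed does not fire on the posted message (the display name has no "@"), while DMARC still fails for it: SPF passes for bounces.em.secureserver.net and DKIM passes for em.secureserver.net, but neither shares gmail.com's organizational domain, and with p=NONE Gmail only records the failure rather than acting on it.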

