
could this spam score be spoofed

Comments

4 comments

  • rpvw
    You might like to use your favorite search engine for "FROM_GOV_DKIM_AU" and have a look at the svn commits that show how that rule is built, and has evolved.
    0
  • keat63
    I did, but I'll be honest, it doesn't mean much to me.
    0
  • cPanelLauren
    The rule is here:

        ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

        if (version >= 3.004002)
        ifplugin Mail::SpamAssassin::Plugin::WLBLEval
        meta      FROM_GOV_DKIM_AU  DKIM_VALID_AU && __FROM_ADDRLIST_GOV
        tflags    FROM_GOV_DKIM_AU  net nice publish
        describe  FROM_GOV_DKIM_AU  From Government address and DKIM signed
        #score    FROM_GOV_DKIM_AU  -1.0 # limit
        endif
        endif
        ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

    This essentially combines the DKIM_VALID_AU informational rule and the FROM_ADDRLIST_GOV list and scores based on the output. What each one of those rules does is included below:

    DKIM_VALID_AU:

        # Note: DKIM_SIGNED, DKIM_VALID and DKIM_VALID_AU are mainly informational
        # rules, and can serve as a basis for meta rules; it is not difficult for a
        # sender to cause hits on them or to prevent them from firing, so their score
        # should be kept low.

        full      DKIM_VALID_AU  eval:check_dkim_valid_author_sig()
        describe  DKIM_VALID_AU  Message has a valid DKIM or DK signature from author's domain
        tflags    DKIM_VALID_AU  net nice
        reuse     DKIM_VALID_AU

    FROM_ADDRLIST_GOV:

        if (version >= 3.004002)
        ifplugin Mail::SpamAssassin::Plugin::WLBLEval
        header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
        endif
        endif

        enlist_addrlist (GOV) *@*.gov
        enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
        reuse __FROM_ADDRLIST_GOV

    WLBLEval:

        # the important bit!
        $self->register_eval_rule("check_from_in_blacklist");
        $self->register_eval_rule("check_to_in_blacklist");
        $self->register_eval_rule("check_to_in_whitelist");
        $self->register_eval_rule("check_to_in_more_spam");
        $self->register_eval_rule("check_to_in_all_spam");
        $self->register_eval_rule("check_from_in_list");
        $self->register_eval_rule("check_replyto_in_list");
        $self->register_eval_rule("check_to_in_list");
        $self->register_eval_rule("check_from_in_whitelist");
        $self->register_eval_rule("check_forged_in_whitelist");
        $self->register_eval_rule("check_from_in_default_whitelist");
        $self->register_eval_rule("check_forged_in_default_whitelist");
        $self->register_eval_rule("check_mailfrom_matches_rcvd");
        $self->register_eval_rule("check_uri_host_listed");
        # same as: eval:check_uri_host_listed('BLACK') :
        $self->register_eval_rule("check_uri_host_in_blacklist");
        # same as: eval:check_uri_host_listed('WHITE') :
        $self->register_eval_rule("check_uri_host_in_whitelist");
    0
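An added illustration, not part of the thread and not SpamAssassin's own code: a small Python model of how the meta rule quoted above only fires when both sub-rules hit. It assumes the DKIM verification result is supplied as a list of already-verified `d=` domains and simplifies "author's domain" to an exact match with the From domain; the function names and sample messages are constructed for this example.

```python
import re
from email.utils import parseaddr

# Globs copied from the enlist_addrlist (GOV) lines quoted in the thread.
GOV_GLOBS = ["*@*.gov", "*@*.gov.uk", "*@parliament.uk", "*@*.parliament.uk"]

def glob_to_regex(glob):
    """Turn an address glob ('*' and '?' only) into an anchored, case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile("^" + body + "$", re.IGNORECASE)

GOV_PATTERNS = [glob_to_regex(g) for g in GOV_GLOBS]

def from_addrlist_gov(from_header):
    """Models __FROM_ADDRLIST_GOV: the From address matches one of the GOV globs."""
    addr = parseaddr(from_header)[1]
    return any(p.match(addr) for p in GOV_PATTERNS)

def dkim_valid_au(from_header, verified_domains):
    """Models DKIM_VALID_AU. Assumption: verified_domains holds the d= values of
    signatures that already passed cryptographic verification, and the author
    domain must equal one of them exactly."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return bool(domain) and domain in {d.lower() for d in verified_domains}

def from_gov_dkim_au(from_header, verified_domains):
    """Models the meta rule: DKIM_VALID_AU && __FROM_ADDRLIST_GOV."""
    return dkim_valid_au(from_header, verified_domains) and from_addrlist_gov(from_header)

# Constructed sample messages: (From header, verified DKIM d= domains).
SAMPLES = [
    ("Tax Office <notices@revenue.example.gov>", ["revenue.example.gov"]),  # genuine
    ("Tax Office <notices@revenue.example.gov>", ["bulkmailer.example.net"]),  # signed by another domain
    ("Tax Office <notices@revenue.example.gov>", []),  # unsigned
    ("News <notices@example.gov.example.net>", ["example.gov.example.net"]),  # signed, not on GOV list
    ("Clerk <clerk@parliament.uk>", ["parliament.uk"]),  # genuine
]

def evaluate_samples():
    """Return the meta rule result for each constructed sample, in order."""
    return [from_gov_dkim_au(frm, doms) for frm, doms in SAMPLES]

if __name__ == "__main__":
    for (frm, doms), hit in zip(SAMPLES, evaluate_samples()):
        print(f"{'HIT ' if hit else 'miss'}  {frm}  d={doms}")
```

A From address on the GOV list without a matching author-domain signature does not hit, and neither does a correctly signed domain that merely contains ".gov" in the middle of its name.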
  • keat63
    We get a ton of emails which contain the word 'UNSUBSCRIBE' and the from address contains the word BOUNCE or BOUNCES. Working on the basis that 99.9% of these are unsolicited marketing emails, I have a few custom rules, each phrase gathering 2.5 points. Combine this with any other spam scores and they are spammed out. It works quite well for us; we see very few unsolicited marketing emails in inboxes. Only in this instance it caught the government one. I've given 'FROM_GOV_DKIM_AU' a minus score for now.
    0
