Spam Filter ISP Forums : SPF filter should be higher up in the order

SPF filter should be higher up in the order : That is a very sweet solution...

Sun, 24 Jun 2012 04:57:10 +0000

Author: yapadu
Subject: 7013
Posted: 24 June 2012 at 4:57am

That is a very sweet solution for those who pass email through spamassassin after spamfilter.

SPF filter should be higher up in the order : Found a solution. I have spamassassin...

Sat, 09 Jun 2012 07:57:05 +0000

Author: WebGuyz
Subject: 7013
Posted: 09 June 2012 at 7:57am

Found a solution. I have spamassassin check after the SFE and the ability to do a 
content check of each email. Realized that in the header of each email that was whitelisted
there a rejection reason as well:

X-SF-WhiteListedReason: AutoWhiteList Force DeliveryX-Rejection-Reason: 15 - 550 The sender did not meet Sender Policy Framework rules. Please see http://spf.pobox.com - This email was rejected by our spamfilter. To notify the recipient go to http://spam.webguyz.net/freeme.aspX-Return-Path: onlinebanking@ealerts.bankofamerica.com

Going to do a filter check if whitelistesd &  rejection reason 'did not meet Sender Policy Framework Rules'

That should fix the problem quite elegantly.

SPF filter should be higher up in the order : You can keep after Roberto and...

Sat, 09 Jun 2012 03:16:36 +0000

Author: yapadu
Subject: 7013
Posted: 09 June 2012 at 3:16am

You can keep after Roberto and see if he changes the system for you, but I have another suggestion.

It does not fix the issue 100% but it certainly should help.

Your situation may be different, but we allow users to view messages in quarantine via a web interface. They can click a message and view the message details, including to options:

* Release from quarantine
* Release from quarantine and whitelist sender

You could do your own SPF lookup when someone is looking at the message online. If the message fails the SPF check the whitelist sender option would not be available.

As mentioned how well this works would depend on your setup. I think in our situation that would probably work quite well.

Users could still manually whitelist the sender on our website, but it should reduce the instances of false whitelisting.

Your mileage may vary...

SPF filter should be higher up in the order : How do I respond to customers...

Fri, 01 Jun 2012 15:20:41 +0000

Author: WebGuyz
Subject: 7013
Posted: 01 June 2012 at 3:20pm

How do I respond to customers like this who get Bank of America phishing attempts all the time because the scammers are using the same exact email address as what BofA uses. These was an official looking email asking them to log into their account and of course the links were somewhere overseas

Customers Email:

"This is the third one of these I’ve gotten. I’ve confirmed they are not legit. While I forward them to the real BOA, now I’m sending them to my e-mail provider to black-list them."

How do I explain to customer that I can't do a thing about it.

Whitelisting by IP should be before SPF but whitelisting by name before SPF is a problem. Looked at my logfile and had over 300 emails from bankofamerica.com and all but 4 had failed the spf test, but they were forwarded to my customers because they use BofA and have it in their whitelist. heck I have BofA in my whitelist and I get the same crap and can't stop it. Doesn't do any good to remove all the entries from whitelists and hard code the IPs because the first authentic looking email from them that ends up in quarantine will be retrieved (and whitelisted) by customers who don't know any better.

Can't beleive I'm the only one having this issue. I swear the spammers are targeting my customers because I use SFE.

SPF filter should be higher up in the order : Webguyz, i think you are not...

Fri, 04 May 2012 09:51:24 +0000

Author: AndrewD
Subject: 7013
Posted: 04 May 2012 at 9:51am

Webguyz, i think you are not thinking of the alternative.

a user receives an email from spoofed@legit.com however legit.com havnt implemented SPF correctly so the message goes to quarrantine. Everything good.

then the user receives a valid email from legit.com but it goes to their quarrantine. So they whitelist legit.com - Thats how it works now but the spoofed will come through as they are in the whitelist.

if we enforce SPF prior to whitelist then regardless of whitelisting then all the emails from legit.com will get quarantined and you will have users screaming "how come this always gets quarantined... I added it to my whitelist." This to me would b e a bigger problem.

1. The users should only be whitelisting the email (user@legit.com) not the domain (*@legit.com). I know this doesnt always help as some companies (constant contacts) utilize random users.

2. As has been said add the IP to the whitelist, and run a script to remove all email whitelist entries for the domain. I know the email servers may change their IP address but from the CIDR given above they have listed a large range of IP's so you could add them all. (i have written an app to convert CIDR to valid list of addresses if you want. I did this for greylisting companies like gmail.) Then if some time down the track they suddenly start getting caught again you know that the IP has gone outside the original SPF CIDR range and you simply adjust your script to include all the new CIDR's.

then as long as legit.com keep their network secure and dont allow spammers to open relay through them you should not have any problem.

Cheers.

SPF filter should be higher up in the order : I don't think I'm over...

Wed, 18 Apr 2012 03:42:55 +0000

Author: yapadu
Subject: 7013
Posted: 18 April 2012 at 3:42am

I don't think I'm over thinking this, but I don't think SPF should overrule a white list.

You come across as a bit hostile, so I will shut up now. Hopefully you come up with a solution.

SPF filter should be higher up in the order : yapadu wrote:If someone is...

Wed, 18 Apr 2012 00:53:09 +0000

Author: WebGuyz
Subject: 7013
Posted: 18 April 2012 at 12:53am

yapadu wrote:

If someone is spoofing paypal it would be rejected. You would also need a way to prevent someone from whitelisting paypal email addresses at the user level...

Gets complex quick.

But once they retrieve it from quarantine paypal.com is back in the whitelist and your blacklist entry is meaningless.

Your overthinking this. The idea is to whitelist a REAL actual domain, not a faked domain

SPF filter should be higher up in the order : IP addresses change. Most...

Wed, 18 Apr 2012 00:50:13 +0000

Author: WebGuyz
Subject: 7013
Posted: 18 April 2012 at 12:50am

IP addresses change. Most major companies do NOT want to be spoofed and know what a SPF record is and how to add one.

Not sure what your talking about confusing end users, they have no clue how it works now. All they know is they are getting phishing spam and sending it to me the admin to stop it and I have to tell them I can't without deleteing their autowhitelistentry's and then they next time they retrieve their paypal.com emails from quarantine they will be autowhitelisted again and that they will be allowing the same phishing email from faux paypal.com addresses.

SPF filter should be higher up in the order : So, expanding on that line of...

Wed, 18 Apr 2012 00:44:06 +0000

Author: yapadu
Subject: 7013
Posted: 18 April 2012 at 12:44am

So, expanding on that line of thought a bit more.

1) Blacklist paypal
2) Whitelist paypal domain, if SPF also validates.

If someone is spoofing paypal it would be rejected. You would also need a way to prevent someone from whitelisting paypal email addresses at the user level...

Gets complex quick.

SPF filter should be higher up in the order : They could be calculated from...

Wed, 18 Apr 2012 00:40:59 +0000

Author: yapadu
Subject: 7013
Posted: 18 April 2012 at 12:40am

They could be calculated from the SPF records. Here is PayPal.

ip4:216.113.188.96/27 ip4:66.211.168.230/31 ip4:173.0.84.224/28
ip4:208.201.241.163 ip4:67.72.99.26 ip4:206.165.246.80/29
ip4:64.127.115.252 ip4:194.64.234.129 ip4:65.110.161.77
ip4:204.13.11.48/29 ip4:63.80.14.0/23 ip4:208.64.132.0/22 ip4:81.223.46.0/27

etc. etc.

In reality though monitoring where real email comes from would give you a much smaller subset.

The ability to whitelist things in a different manner, one that the end users can not see would be good. For example if we could whitelist an email address and put a condition that is MUST also validate with SPF, then allow it through.

That would be way to confusing for end users but we we had the power to add server wide whitelisting with a more advanced rule-set that would be be powerful.