Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Strange log when using tarpit

2016-08-23 by Christian Pélissier

Hi,

I've just configured yesterday milter-greylist 4.6.1 to use tarpit with

racl whitelist tarpit 65s     <<< ACL 898


I don't understand the following log (many mails are the same)

Aug 22 20:31:25 emix2 milter-greylist: u7MIV0em022983: skipping greylist
because address 80.78.253.76 matches MX record, sender is
DKIM-compliant, tarpit is requested, (from=<no-reply@...>,
rcpt=<pelissier@...>, addr=vm24571.hv8.ru[80.78.253.76]) ACL 898



In this log the reasons invoked for skipping greylist are:

==> 80.78.253.76 matches MX record true (but I have no such declaration
inside greylist.conf)

# dig +short mx makequickmed.com
10 mail.makequickmed.com.

==> sender is DKIM-compliant
Sender has an SPF declaration with 0.0.0.0/0; what does it mean?

# dig +short txt makequickmed.com
"spf2.0/pra ip4:0.0.0.0/0 ?all"
"v=spf1 ip4:0.0.0.0/0 ?all"

but I found no DKIM for makequickmed.com

The timestamps 20:31:25 and later 20:32:31 show that the message is
effectively delayed 65s.



Aug 22 20:32:31 emix2 sendmail[22983]: u7MIV0em022983:
from=<no-reply@...>, size=2398, class=0, nrcpts=1,
msgid=<0AF0BF2C4D99B704D8DD94283C75643A@...>, proto=ESMTP,
daemon=MTA, relay=vm24571.hv8.ru [80.78.253.76]
Aug 22 20:32:31 emix2 sendmail[23375]: u7MIV0em022983:
to=<pelissier@...>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp,
pri=122398, relay=onera.onera.fr. [144.204.65.4], dsn=2.0.0, stat=Sent
(u7MIWVJW013990 Message accepted for delivery)


The headers show:

Authentication-Results: emix2.onera.fr; spf=pass
 smtp.mailfrom=no-reply@...
DKIM-Filter: OpenDKIM Filter v2.10.3 emix2.onera.fr u7MIV0em022983
Authentication-Results: emix2.onera.fr; dkim=none <<<<<<<<<

X-Greylist: Sender passed DKIM test, Sender IP whitelisted by MX,
Message
 whitelisted by tarpit 65s, ACL 898 matched, not delayed by
 milter-greylist-4.6.1 (emix2.onera.fr [144.204.16.6]); Mon, 22 Aug 2016
 20:32:31 +0200 (CEST)

-- 
Christian Pélissier / 34419
ONERA DRI/RSC
BP72 92322 Chatillon CEDEX

Re: [milter-greylist] Strange log when using tarpit

2016-08-23 by Bill Levering

The DKIM passing is what I’m confused about also.

The rest looks correct, but not legit.

I assume that 0.0.0.0/0 = ‘the internet’ or every server on the planet

Also note that the domain (no spaces) make quick med.com is flagged by SpamAssassin, so I don't know who has actually read the original email

Bill

Re: [milter-greylist] Strange log when using tarpit

2016-08-24 by Christian Pélissier

On Tuesday 23 August 2016 at 07:45 -0700, Bill Levering yidbill@...
[milter-greylist] wrote:
> 
> The DKIM passing is what I'm confused about also.
To be DKIM-compliant a DKIM-Signature header is required and
I have no DKIM-Signature header in the mail. So "sender is
DKIM-compliant" is wrong.

> 
> The rest looks correct, but not legit.
> 
> I assume that 0.0.0.0/0 = 'the internet' or every server on the planet


# dig +short txt makequickmed.com
"spf2.0/pra ip4:0.0.0.0/0 ?all"
"v=spf1 ip4:0.0.0.0/0 ?all"

I think an SPF record with ip4:0.0.0.0/0 should be considered the
opposite of what SPF is for, and such a misappropriation should instead
be treated as a strong indication that the sender is a spammer and
should lead to an spf=fail result.
Same for all too-permissive records such as a=.com, ip4:124.0.0.0/8 and so on
(less than /16 for IPv4 should be treated as an SPF misappropriation).

For example here is the gmail SPF

# dig +short TXT gmail.com
"v=spf1 redirect=_spf.google.com"

# dig +short TXT _spf.google.com
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com
include:_netblocks3.google.com ~all"

# dig +short TXT _netblocks.google.com
"v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20
ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16
ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20
ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

# dig +short TXT _netblocks2.google.com
"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36
ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36
ip6:2c0f:fb50:4000::/36 ~all"

# dig +short TXT _netblocks3.google.com
"v=spf1 ip4:172.217.0.0/19 ~all"



> Also note that the domain (no spaces) make quick med.com is flagged by
> SpamAssassin, so I don't know who has actually read the original
> email
> 
> Bill

-- 
Christian Pélissier / 34419
ONERA DRI/RSC
BP72 92322 Chatillon CEDEX

Re: [milter-greylist] Strange log when using tarpit

2016-08-24 by manu@...

Christian Pélissier Christian.Pelissier@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> I think a SPF record with ip4:0.0.0.0/0 should be considered to be
> the opposite what SPF is for and a such misappropriation should be
> treated on the contrary as a strong indication that the sender is a
> spammer and should conduct to a spf=fail result.

This is why you have the spf self clause: it matches if your own IP is
SPF-compliant, which suggests the sender's mask is broad.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Strange log when using tarpit

2016-08-24 by Christian Pélissier

On Wednesday 24 August 2016 at 15:37 +0200, manu@...
[milter-greylist] wrote:
> 
> Christian Pélissier Christian.Pelissier@... [milter-greylist]
> <milter-greylist@yahoogroups.com> wrote:
> 
> > I think a SPF record with ip4:0.0.0.0/0 should be considered to be
> > the opposite what SPF is for and a such misappropriation should be
> > treated on the contrary as a strong indication that the sender is a
> > spammer and should conduct to a spf=fail result.
> 
> This is why you have the spf self clause: it matches if your own IP is
> SPF-compliant, which suggests the sender's mask is broad.

So if my IP matches the SPF of a sender,
either my IP is in this SPF sender list
or the SPF IP range looks like ip4=0.0.0.0/0 or a=fr ...
So I think I have to add

racl greylist spf self delay 3d
or
racl blacklist spf self msg "your SPF record is open"


My other question was about the log "DKIM-Compliant" when I have no 
DKIM-Signature: in the headers

Aug 24 16:38:40 emix2 milter-greylist: u7OEcYxK005972: skipping greylist
because address 194.250.121.16 matches MX record, sender is
DKIM-compliant, tarpit is requested,


-- 
Christian Pélissier / 34419
ONERA DRI/RSC
BP72 92322 Chatillon CEDEX
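The two checks discussed above (whether this MX's own address falls inside a sender's SPF grant, which is what "racl ... spf self" exercises, and flagging IPv4 prefixes shorter than /16 as over-broad), as an added Python example that is not milter-greylist's own code: the TXT records are the ones quoted in this thread, held in a local dict instead of being looked up in DNS, and the /16 threshold is the heuristic proposed in the thread, not an SPF rule.

```python
import ipaddress

# Constructed local stand-in for DNS TXT lookups: the records quoted in this thread.
TXT = {
    "makequickmed.com": "v=spf1 ip4:0.0.0.0/0 ?all",
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
                             "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
                             "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 "
                             "ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
                              "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
                              "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ~all",
}

def spf_networks(domain, depth=0):
    """Networks a domain's ip4:/ip6: terms grant, following include: and redirect=."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; also stops include loops
        return []
    nets = []
    for term in TXT.get(domain, "").split()[1:]:  # [1:] skips the "v=spf1" version tag
        term = term.lstrip("+-~?")  # drop the qualifier; a bare "all" is then ignored
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets += spf_networks(term[len("include:"):], depth + 1)
        elif term.startswith("redirect="):
            nets += spf_networks(term[len("redirect="):], depth + 1)
        # a, mx, ptr and exists terms need live DNS and are not evaluated offline
    return nets

def too_permissive(domain, min_v4_prefix=16):
    """IPv4 grants shorter than the threshold: the thread's "less than /16" heuristic."""
    return [n for n in spf_networks(domain)
            if n.version == 4 and n.prefixlen < min_v4_prefix]

def ip_matches(domain, ip):
    """Does this IP fall inside the sender's grant (what "racl ... spf self" tests)?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in spf_networks(domain) if n.version == addr.version)

if __name__ == "__main__":
    mx = "144.204.16.6"  # this MX's own address, from the X-Greylist header in the thread
    for d in ("makequickmed.com", "gmail.com"):
        print(d, "self matches:", ip_matches(d, mx), "over-broad:", too_permissive(d))
```

The makequickmed.com record matches any address, including this MX's own, while the gmail chain resolves to 19 networks none shorter than /16 and none containing it.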

Re: [milter-greylist] Strange log when using tarpit

2016-08-24 by Jim Klimov

I wouldn't be too harsh on too-permissive spfs. Just add more delay (e.g. 8hrs) so by the time it expires they might be in a dnsbl. It is different with negatives (source IP not in the defined and allowed SPF pattern) which can be blacklisted quickly.

Many orgs do publish explicit IP ranges for their relays or even workstations, and then add 'all' just in case, at least while they are testing (and corporate IT may take years to move a bit).

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

Re: [milter-greylist] Strange log when using tarpit

2016-08-24 by manu@...

Christian Pélissier Christian.Pelissier@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> My other question was about the log "DKIM-Compliant" when I have no 
> DKIM-Signature: in the headers
> 
> Aug 24 16:38:40 emix2 milter-greylist: u7OEcYxK005972: skipping greylist
> because address 194.250.121.16 matches MX record, sender is
> DKIM-compliant, tarpit is requested,

I have no idea. I suspect it is a bug.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
