I know what I want to do ... BUT ...


I know what I want to do ... BUT ...

hospice admin

Hi Team,


There's a particularly annoying ESP bugging us. Their clients always include a reference to them in their SPF records, which look something like this:


 text = "v=spf1 exists:%{i}._spf.xyz.com ~all"


So, if a message is dropped from 1.2.3.4


nslookup 1.2.3.4._spf.xyz.com


returns


Non-authoritative answer:
Name:   1.2.3.4._spf.xyz.com
Address: 1.2.3.4

if the IP is on the ESP's SPF list.

What I'd like to do is turn this into an RBL check, but  

eval:check_rbl('Evil-ESP','_spf.xyz.com')

Is going to flip the IP address around.

Is there an easy way of doing this in SA, or is this a job for MimeDefang?

Thanks

Judy




Re: I know what I want to do ... BUT ...

Dianne Skoll
On Fri, 11 Aug 2017 15:27:52 +0000
hospice admin <[hidden email]> wrote:

> text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> What I'd like to do is turn this into an RBL check, but
> eval:check_rbl('Evil-ESP','_spf.xyz.com')

I understand what you're trying to do, but have you thought about the
implications?  You are allowing an evil (your word) organization to be
an RBL for you.  They may very well put every possible IPv4 address in
their exists: SPF record which would not bode well for your spam
filtering...

If you still want to do it, I suspect it'd have to be done outside of
SpamAssassin in the glue code you're using.

Regards,

Dianne.

Re: I know what I want to do ... BUT ...

John Hardin
On Fri, 11 Aug 2017, Dianne Skoll wrote:

> On Fri, 11 Aug 2017 15:27:52 +0000
> hospice admin <[hidden email]> wrote:
>
>> text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
>> What I'd like to do is turn this into an RBL check, but
>> eval:check_rbl('Evil-ESP','_spf.xyz.com')
>
> I understand what you're trying to do, but have you thought about the
> implications?  You are allowing an evil (your word) organization to be
> an RBL for you.  They may very well put every possible IPv4 address in
> their exists: SPF record which would not bode well for your spam
> filtering...

Indeed.

If it's an email service provider, then you might be better served
checking for a specific domain name or IP(s) in the Received header chain,
or potentially doing MTA checks to reject them up front if you don't want
their garbage at all.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  4 days until the 72nd anniversary of the end of World War II

Re: I know what I want to do ... BUT ...

RW-15
In reply to this post by Dianne Skoll
On Fri, 11 Aug 2017 11:49:29 -0400
Dianne Skoll wrote:

> On Fri, 11 Aug 2017 15:27:52 +0000
> hospice admin <[hidden email]> wrote:
>
> > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > What I'd like to do is turn this into an RBL check, but
> > eval:check_rbl('Evil-ESP','_spf.xyz.com')  
>
> I understand what you're trying to do, but have you thought about the
> implications?  You are allowing an evil (your word) organization to be
> an RBL for you.  They may very well put every possible IPv4 address in
> their exists: SPF record which would not bode well for your spam
> filtering...
>
> If you still want to do it, I suspect it'd have to be done outside of
> SpamAssassin in the glue code you're using.

It's not quite the question asked, but it is possible to run a regex
match on the actual text record using AskDNS. See the documentation for
Mail::SpamAssassin::Plugin::AskDNS.

Re: I know what I want to do ... BUT ...

RW-15
On Fri, 11 Aug 2017 17:25:59 +0100
RW wrote:

> On Fri, 11 Aug 2017 11:49:29 -0400
> Dianne Skoll wrote:
>
> > On Fri, 11 Aug 2017 15:27:52 +0000
> > hospice admin <[hidden email]> wrote:
> >  
> > > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > > What I'd like to do is turn this into an RBL check, but
> > > eval:check_rbl('Evil-ESP','_spf.xyz.com')    
> >
> > I understand what you're trying to do, but have you thought about
> > the implications?  You are allowing an evil (your word)
> > organization to be an RBL for you.  They may very well put every
> > possible IPv4 address in their exists: SPF record which would not
> > bode well for your spam filtering...
> >
> > If you still want to do it, I suspect it'd have to be done outside
> > of SpamAssassin in the glue code you're using.  
>
> It's not quite the question asked, but it is possible to run a regex
> match on the actual text record using AskDNS. See the documentation
> for Mail::SpamAssassin::Plugin::AskDNS.

or if you want to get a hit with domains that don't use that style of
SPF but use the same addresses, you can do the IP lookup using AskDNS
with the _LASTEXTERNALIP_ tag.

Re: I know what I want to do ... BUT ...

hospice admin

Nice!


I'll take a look at this.


Thanks!




From: RW <[hidden email]>
Sent: 11 August 2017 18:29
To: [hidden email]
Subject: Re: I know what I want to do ... BUT ...
 
On Fri, 11 Aug 2017 17:25:59 +0100
RW wrote:

> On Fri, 11 Aug 2017 11:49:29 -0400
> Dianne Skoll wrote:
>
> > On Fri, 11 Aug 2017 15:27:52 +0000
> > hospice admin <[hidden email]> wrote:
> >  
> > > text = "v=spf1 exists:%{i}._spf.xyz.com ~all"
> > > What I'd like to do is turn this into an RBL check, but
> > > eval:check_rbl('Evil-ESP','_spf.xyz.com')   
> >
> > I understand what you're trying to do, but have you thought about
> > the implications?  You are allowing an evil (your word)
> > organization to be an RBL for you.  They may very well put every
> > possible IPv4 address in their exists: SPF record which would not
> > bode well for your spam filtering...
> >
> > If you still want to do it, I suspect it'd have to be done outside
> > of SpamAssassin in the glue code you're using. 
>
> It's not quite the question asked, but it is possible to run a regex
> match on the actual text record using AskDNS. See the documentation
> for Mail::SpamAssassin::Plugin::AskDNS.

or if you want to get a hit with domains that don't use that style of
SPF but use the same addresses, you can do the IP lookup using AskDNS
with the _LASTEXTERNALIP_ tag.
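
The name mismatch discussed in this thread, as an added example that is not part of the original messages or of SpamAssassin: an SPF `exists:%{i}` lookup keeps the address in forward order while a DNSBL-style lookup reverses it, and a forward-order check in glue code can guard against a zone that answers for every address. The function names, the injected `resolve_a` callable, the control addresses and the zone data are assumptions constructed for illustration; the IPv6 handling goes beyond the IPv4 case in the thread.

```python
import ipaddress

# RFC 5737 documentation networks: never real senders, used as control probes.
CONTROL_IPS = ("192.0.2.1", "198.51.100.1", "203.0.113.1")


def spf_i_macro(ip):
    """Expand SPF %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def exists_name(ip, zone):
    """Name an SPF verifier queries for exists:%{i}.<zone> (forward order)."""
    return f"{spf_i_macro(ip)}.{zone}"


def dnsbl_name(ip, zone):
    """Name a DNSBL-style lookup queries (labels reversed)."""
    labels = spf_i_macro(ip).split(".")
    return ".".join(reversed(labels)) + "." + zone


def esp_lists_ip(ip, zone, resolve_a):
    """Return 'listed', 'not-listed' or 'untrusted-zone'.

    resolve_a(name) returns a list of A records ([] for NXDOMAIN). It is
    injected so the check runs offline; real glue code would pass a resolver.
    """
    # Partial guard for the caveat raised in the thread: a zone that answers
    # for addresses that cannot be the ESP's is answering for everything.
    if any(resolve_a(exists_name(c, zone)) for c in CONTROL_IPS):
        return "untrusted-zone"
    return "listed" if resolve_a(exists_name(ip, zone)) else "not-listed"


# Constructed zone data standing in for DNS answers.
HONEST_ZONE = {"1.2.3.4._spf.xyz.com": ["1.2.3.4"]}


def honest(name):
    return HONEST_ZONE.get(name, [])


def wildcard(name):
    return ["127.0.0.2"]  # constructed: zone that answers for every name


if __name__ == "__main__":
    print(exists_name("1.2.3.4", "_spf.xyz.com"))
    print(dnsbl_name("1.2.3.4", "_spf.xyz.com"))
    print(esp_lists_ip("1.2.3.4", "_spf.xyz.com", honest))
    print(esp_lists_ip("1.2.3.4", "_spf.xyz.com", wildcard))
```

The control probes only catch a zone that answers indiscriminately; a zone that lists selectively chosen addresses still has to be trusted on its own terms.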