MALFORMED_FREEMAIL

MALFORMED_FREEMAIL

Joseph Brennan

MALFORMED_FREEMAIL is a meta on:
(MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM

So that and MISSING_HEADERS itself add up to 3.0 points. This seems high.

We rejected a message from gmail that hit MALFORMED_FREEMAIL and MISSING_HEADERS, and a few other low-scoring things. Because it was rejected I do not have the message. I believe the sender tried to BCC a group of people. If I recall correctly MISSING_HEADERS, which refers only to the To: header, hits when To: exists but is blank. People (ab)using BCC instead of a list for legit mail is not that uncommon.

The case with __HDRS_LCASE strikes me as very different and much more likely to be faked mail. I don't know of any freemail providers that write header names in all lower case. A check against the corpus obviously needs to back up my guess but I think I'm right.

--
Joseph Brennan
Lead, Email and Systems Applications


Re: MALFORMED_FREEMAIL

Joseph Brennan
Oh, replying to myself...

I just tested sending from a Gmail account to my regular columbia.edu address, using BCC and with no address in "To:". This did not hit MISSING_HEADERS, and in fact had /To: undisclosed-recipients:;/. So now I don't know what the sender did in the case I was writing about.

--
Joseph Brennan
Lead, Email and Systems Applications



Re: MALFORMED_FREEMAIL

Kris Deugau
Joseph Brennan wrote:
> Oh, replying to myself...
>
> I just tested sending from a Gmail account to my regular columbia.edu
> <http://columbia.edu> address, using BCC and with no address in "To:".
> This did not hit MISSING_HEADERS, and in fact had /To:
> undisclosed-recipients:;/.  So now I don't know what the sender did in
> the case I was writing about.

Based on odd but legitimate things I've seen, likely using their GMail
address with some other outbound relay, and/or some webform-ish thing or
bulk-mail widget or service that barely manages to send minimally
RFC-compliant email at all - never mind following most best practices.

There are altogether too many of the latter around.  :(

-kgd
Re: MALFORMED_FREEMAIL

Axb
In reply to this post by Joseph Brennan
What is a "faked mail"?

On 11/1/19 3:15 PM, Joseph Brennan wrote:

> MALFORMED_FREEMAIL is a meta on:
> (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
>
> So that and MISSING_HEADERS itself add up to 3.0 points. This seems high.
>
> We rejected a message from gmail that hit MALFORMED_FREEMAIL and
> MISSING_HEADERS, and a few other low-scoring things. Because it was
> rejected I do not have the message. I believe the sender tried to BCC a
> group of people. If I recall correctly MISSING_HEADERS, which refers only
> to the To: header, hits when To: exists but is blank. People (ab)using BCC
> instead of a list for legit mail is not that uncommon.
>
> The case with  __HDRS_LCASE strikes me as very different and much more
> likely to be faked mail. I don't know of any freemail providers that write
> header names in all lower case. A check against the corpus obviously needs
> to back up my guess but I think I'm right.
>

Re: MALFORMED_FREEMAIL

RW-15
In reply to this post by Joseph Brennan
On Fri, 1 Nov 2019 10:15:33 -0400
Joseph Brennan wrote:

>  If I recall correctly MISSING_HEADERS, which
> refers only to the To: header, hits when To: exists but is blank.

I just tested it and the To header has to be missing altogether.
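A small model of the meta rule as this thread describes it, added here as an example (not SpamAssassin's own rule code): MISSING_HEADERS hits only when there is no To: header at all, as tested above; __HDRS_LCASE hits when every header name is written in lower case; FREEMAIL_FROM hits when the From: domain is in a freemail list. The domain list, the three sample messages and the two scores are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # constructed list, not SA's
SCORES = {"MISSING_HEADERS": 1.2, "MALFORMED_FREEMAIL": 1.8}  # assumed values, sum 3.0

def raw_header_names(raw: str) -> list:
    """Header names exactly as written in the raw header block (case preserved)."""
    head = raw.split("\n\n", 1)[0]
    names = []
    for line in head.splitlines():
        if line[:1].isspace():        # continuation line of a folded header
            continue
        name, _, _ = line.partition(":")
        names.append(name)
    return names

def evaluate(raw: str) -> dict:
    """Return the rules that hit and the total score for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = raw_header_names(raw)
    hits = {}
    # MISSING_HEADERS: To: absent altogether. A To: that is blank or reads
    # "undisclosed-recipients:;" is still present and does not hit.
    hits["MISSING_HEADERS"] = "to" not in {n.lower() for n in names}
    # __HDRS_LCASE: all header names written entirely in lower case
    hits["__HDRS_LCASE"] = bool(names) and all(n == n.lower() for n in names)
    # FREEMAIL_FROM: domain of the From: address is a freemail provider
    _, addr = parseaddr(str(msg.get("From", "")))
    hits["FREEMAIL_FROM"] = addr.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS
    # The meta from the thread: (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
    hits["MALFORMED_FREEMAIL"] = (
        (hits["MISSING_HEADERS"] or hits["__HDRS_LCASE"]) and hits["FREEMAIL_FROM"]
    )
    score = sum(SCORES.get(r, 0.0) for r, hit in hits.items() if hit)
    return {"hits": {r for r, hit in hits.items() if hit}, "score": round(score, 1)}

# Constructed samples: a Gmail BCC send as seen in the thread, the same with
# no To: header at all, and a message whose header names are all lower case.
BCC_OK = "From: Someone <someone@gmail.com>\nTo: undisclosed-recipients:;\nSubject: hi\n\nbody\n"
NO_TO = "From: Someone <someone@gmail.com>\nSubject: hi\n\nbody\n"
LCASE = "from: Someone <someone@gmail.com>\nto: a@example.org\nsubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("bcc_ok", BCC_OK), ("no_to", NO_TO), ("lcase", LCASE)):
        print(label, evaluate(raw))
```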
Re: MALFORMED_FREEMAIL

Dave Warren-2
In reply to this post by Axb
In general it is the concept of sending from a particular domain in a
format that the infrastructure on that domain will not send.

A really easy to grasp concept: I know that example.com's mail server
always adds a X-Yup-We-Sent-It: True header, so I will consider anything
claiming to be coming from example.com but missing that header to be
suspicious.

Similar to messages with a header indicating they were written in a
client but yet formatted in a way that that client does not produce.


On 2019-11-01 10:55, Axb wrote:

> What is a "faked mail" ?
>
> On 11/1/19 3:15 PM, Joseph Brennan wrote:
>> MALFORMED_FREEMAIL is a meta on:
>> (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
>>
>> So that and MISSING_HEADERS itself add up to 3.0 points. This seems high.
>>
>> We rejected a message from gmail that hit MALFORMED_FREEMAIL and
>> MISSING_HEADERS, and a few other low-scoring things. Because it was
>> rejected I do not have the message. I believe the sender tried to BCC a
>> group of people. If I recall correctly MISSING_HEADERS, which refers only
>> to the To: header, hits when To: exists but is blank. People (ab)using
>> BCC
>> instead of a list for legit mail is not that uncommon.
>>
>> The case with  __HDRS_LCASE strikes me as very different and much more
>> likely to be faked mail. I don't know of any freemail providers that
>> write
>> header names in all lower case. A check against the corpus obviously
>> needs
>> to back up my guess but I think I'm right.
>>
>