Thread: Problems regarding Spam that fakes the From: Header

Problems regarding Spam that fakes the From: Header | Germany | 2007-02-27 05:14:44
Hi all.

I'm experiencing some problems on a Maia installation here, it seems like spam that fakes the From: header is whitelisted.

Example: Our domain is xxx.de, and we received a lot of spam-mails that had yyy xxx.de as the recipient. These mails were whitelisted and received ca. -85 points, -100 for whitelist, +15 for spam-stuff.

Looking at Maia's ham-list, From: was set to yyy xxx.de, To: was also set to yyy xxx.de
Going deeper into the details, From: was displayed as "Troy Gonzalez" <clcmke aparx.org>, To: as yyy xxx.de.
The source-code-view also displayed this.

Now my question: why does maia think this mail is whitelisted, and why are there differences in the list-view and the detail-view?

I hope I made my problem clear, it's kinda difficult

Bye, Stephan
_______________________________________________
Maia-users mailing list
Maia-users renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

Re: Problems regarding Spam that fakes the From: Header | Canada | 2007-02-27 06:37:36
Stephan Wentz wrote:
> I'm experiencing some problems on a Maia installation here, it seems
> like spam that fakes the From: header is whitelisted.
>
> Example: Our domain is xxx.de, and we received a lot of spam-mails that
> had yyy xxx.de as the recipient. These mails were whitelisted and
> received ca. -85 points, -100 for whitelist, +15 for spam-stuff.

That's not Maia's whitelist, that's SpamAssassin's whitelist. Maia's whitelist prevents mail from being spam-checked in the first place; SpamAssassin's whitelist merely biases the score downward by 100 points.

If you've added any whitelist entries to your local.cf file, that could certainly be the cause. Otherwise it may be that the forged "From:" header address is in SpamAssassin's default whitelist, or in the SARE whitelist. The proper solution is to disable the SpamAssassin whitelist rules altogether, and just use Maia's whitelists. To do this, set the scores of those rules to 0 in your local.cf file and restart amavisd-maia.

> Looking at Maia's ham-list, From: was set to yyy xxx.de, To: was also
> set to yyy xxx.de
> Going deeper into the details, From: was displayed as "Troy Gonzalez"
> <clcmke aparx.org>, To: as yyy xxx.de.
> The source-code-view also displayed this.
>
> Now my question: why does maia think this mail is whitelisted, and why
> are there differences in the list-view and the detail-view?

You're seeing the difference between the envelope sender address and the "From:" header address, that's all. Maia (and amavisd-maia) works only with the envelope sender address, since it is at least cursorily verifiable by your MTA, whereas the "From:" header is part of the message body and is never subject to any tests by MTAs (and is therefore trivial to forge). If you're still not clear on the difference, see this FAQ: <http://www.maiamailguard.com/maia/wiki/WBList>.
--
Robert LeBlanc <rjl renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

Re: Problems regarding Spam that fakes the From: Header | Germany | 2007-02-27 11:02:27
Thanks for your quick response, Robert, that fixed it.

There was a whitelist.conf from the previous spamassassin install, which had the domain whitelisted.

Bye, Stephan

Robert LeBlanc wrote:
> Stephan Wentz wrote:
>
>> I'm experiencing some problems on a Maia installation here, it seems
>> like spam that fakes the From: header is whitelisted.
>
>> Example: Our domain is xxx.de, and we received a lot of spam-mails that
>> had yyy xxx.de as the recipient. These mails were whitelisted and
>> received ca. -85 points, -100 for whitelist, +15 for spam-stuff.
>
> That's not Maia's whitelist, that's SpamAssassin's whitelist. Maia's
> whitelist prevents mail from being spam-checked in the first place;
> SpamAssassin's whitelist merely biases the score downward by 100 points.
>
> If you've added any whitelist entries to your local.cf file, that could
> certainly be the cause. Otherwise it may be that the forged "From:"
> header address is in SpamAssassin's default whitelist, or in the SARE
> whitelist. The proper solution is to disable the SpamAssassin whitelist
> rules altogether, and just use Maia's whitelists. To do this, set the
> scores of those rules to 0 in your local.cf file and restart amavisd-maia.
>
>> Looking at Maia's ham-list, From: was set to yyy xxx.de, To: was also
>> set to yyy xxx.de
>> Going deeper into the details, From: was displayed as "Troy Gonzalez"
>> <clcmke aparx.org>, To: as yyy xxx.de.
>> The source-code-view also displayed this.
>
>> Now my question: why does maia think this mail is whitelisted, and why
>> are there differences in the list-view and the detail-view?
>
> You're seeing the difference between the envelope sender address and the
> "From:" header address, that's all. Maia (and amavisd-maia) works only
> with the envelope sender address, since it is at least cursorily
> verifiable by your MTA, whereas the "From:" header is part of the
> message body and is never subject to any tests by MTAs (and is therefore
> trivial to forge). If you're still not clear on the difference, see
> this FAQ: <http://www.maiamailguard.com/maia/wiki/WBList>.
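
An audit for the leftover-config case this thread ends on, as an added example that is not from the posters or the Maia project: it lists `whitelist_from` entries in SpamAssassin config text that cover your own domain and reports which sender address of a message they match. The config text, the message, the domains and the use of `Return-Path` as the recorded envelope sender are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: config left over from an earlier SpamAssassin install.
SAMPLE_CF = """\
# whitelist.conf (constructed)
whitelist_from *@example.com   # own domain, address-only match
whitelist_from_rcvd partner@example.org example.org
"""

# Constructed sample: envelope sender claims our domain, From: does not.
SAMPLE_MSG = """\
Return-Path: <user@example.com>
From: "Some Name" <bulk@mailer.example>
To: user@example.com
Subject: constructed test

body
"""

def whitelist_globs(cf_text):
    """Collect the glob patterns of every plain whitelist_from line."""
    globs = []
    for line in cf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if fields and fields[0] == "whitelist_from":
            globs.extend(fields[1:])             # several globs per line are allowed
    return globs

def glob_matches(glob, addr):
    """SpamAssassin address globs: '*' is any run, '?' is one character."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in glob)
    return re.fullmatch(pattern, addr, re.IGNORECASE) is not None

def audit(cf_text, msg_text, own_domain):
    """Report own-domain whitelist entries and which sender address hits them."""
    msg = message_from_string(msg_text)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    globs = whitelist_globs(cf_text)
    hits = lambda addr: [g for g in globs if glob_matches(g, addr)]
    return {"own_domain_entries": hits("anyone@" + own_domain),
            "envelope_hit": hits(envelope),
            "header_from_hit": hits(header_from)}

if __name__ == "__main__":
    print(audit(SAMPLE_CF, SAMPLE_MSG, "example.com"))
```

Any entry reported under `own_domain_entries` matches on the address alone, so mail claiming that address picks up the whitelist bonus no matter where it came from.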