Page 1 of 1

How to whitelist this one

Posted: 21 Jan 2019 11:29
by gregecslo
Hi!

Weird one.
Spamassasing says that SPF pass but score shows spf fail:

Code: Select all

Received: from mail-183-59.mailgun.info (mail-183-59.mailgun.info [23.253.183.59])
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (No client certificate requested)
     by mailhub.domain.com (Postfix) with ESMTPS id 829042009C
     for <name.surname@domain.com>; Mon, 21 Jan 2019 09:20:12 +0100 (CET)
DMARC-Filter: OpenDMARC Filter v1.3.2 mailhub.domain.com 829042009C
Authentication-Results: mailhub.domain.com; dmarc=pass (p=none dis=none) header.from=domain.com
Authentication-Results: mailhub.domain.com; spf=pass smtp.mailfrom=bounce+f14147.3f008e2-name.surname=domain.com@mailer.domain.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mailhub.domain.com 829042009C
Authentication-Results: mailhub.domain.com;
     dkim=pass (1024-bit key) header.d=mailer.domain.com header.i=@mailer.domain.com header.b="dWvxHEOW"
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailer.domain.com; q=dns/txt;
s=k1; t=1548058811; h=Content-Type: Mime-Version: Subject: From: To:
Reply-To: Message-Id: Sender: Date: List-Unsubscribe;
bh=k7X1xPdzlG6EYG1qGKupq6LGexQNgcoMcJwjXsBXMWU=; b=dWvxHEOWNjqbYvgi8clVivGCK7QZ10FsedpjVx+RdIM7YxKC6hlyu5csuodpuNMlnCjilJ7k
K3howWRe/GO325b+HAXrsPRIwVqljF5lDvs9Vx+S77ddSQcKREHV5pg7cSby0gAN62HKZtGI
tcBrvEIneXbDxoQGhrgleY5hJrQ=
X-Mailgun-Sending-Ip: 23.253.183.59
X-Mailgun-Sid: WyIzOTcwYiIsICJncmVnb3IubXVzdGFyQG1lZGlzLnNpIiwgIjNmMDA4ZTIiXQ==
List-Unsubscribe: <mailto:u+mq6tgzrqga4gkmrgne6tembrheydcmrrga4dembrgaxdclsgha3ukmrzgnatqnkggyzukm2geu2da5tfmv3gc3lbnfwc43lfmruxglttnetgqplche4wcojsgfsgembzgjrwgnrrmeywgzlcmm3gcmdeme2gkyztgqtfqlkmmfrgk3b5eu3uejjsgjyhe33eovrxisleeuzdejjtiestemtbgaydc4rqgaydamdokntdezcbifbskmrseuzegjjsgjzgky3jobuwk3tueuzdejjtiestemthojswo33sfzwxk43umfzcknbqnvswi2ltfzzwsjjsgisteqzfgizgc4dqojxxmzleivwwc2lmjfsckmrseuzucjjsgjqteobroiydambqga4wi5rukbaucujfgizckmsdeuzdezlyorsxe3tbnrewijjsgistgqloovwgyjjsimstemtpojtuszbfgizckm2beuzdembqiqyxembqgaydamdqk5gworkbjustemrfg5ccm4r5m5zgkz3poixg25ltorqxejjugbwwkzdjomxhg2jgoq6tamcegfzdambqgayda4cxjvtukqkneuzucyjqgayxembqgayda3stmyzgiqkbim@mailer.domain.com>
Received: by luna.mailgun.net with HTTP; Mon, 21 Jan 2019 08:20:10 +0000
Date: Mon, 21 Jan 2019 08:20:10 +0000
Sender: name.surname=domain.com@mailer.domain.com
Message-Id: <20190121082010.1.F87E293A85F63E3F@mailer.domain.com>
X-Mailgun-Variables: {"X-Label": "{\"productId\":\"a001r00000nSf2dAAC\",\"recipient\":\"name.surname@domain.com\",\"approvedEmailId\":\"a281r000009dv4PAAQ\",\"externalId\":null,\"orgId\":\"00D1r000000pWMgEAM\"}"}
Reply-To: Veeva.admin@domain.com
X-Mailgun-Drop-Message: false
X-Mailgun-Tag: 00D1r000000pWMgEAM:a001r00000nSf2dAAC
X-Mailgun-Dkim: true
To: Name Surname <name.surname@domain.com>
From: eeee <name.surname@domain.com>
Subject: test
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="d9e76e7033704f908e182ea8fcf36b60"


From:	
bounce+f14147.3f008e2-name.surname=domain.com@domain.com 	[Add to Whitelist | Add to Blacklist]
To:	name.surname@domain.com
Score:
SpamAssassin Score: 6.24
Spam Report:
Score Matching Rule Description
-2.00 BAYES_00 Bayes spam probability is 0 to 1%
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.50 DKIM_VALID Message has at least one valid DKIM or DK signature
0.44 HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
0.00 HTML_MESSAGE HTML included in message
1.10 KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
-0.00 RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
6.00 SPF_FAIL SPF: sender does not match SPF record (fail)
1.00 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
0.09 TXREP Score normalizing based on sender's reputation
0.01 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML

Any ideas?

Thanks!

Re: How to whitelist this one

Posted: 22 Jan 2019 09:50
by gregecslo
Anyone please?
Can I somehow exclude IP ranges (18.18.18.0/24)
Tried but only IP works, range not.

Re: How to whitelist this one

Posted: 22 Jan 2019 11:40
by henk

Re: How to whitelist this one

Posted: 22 Jan 2019 11:47
by gregecslo
Well I used different approach.

Custom SA rule, which matches on header content which is always present and score it by -10.0 :)

perl regex gave me some trouble but I`ve managed it :)