could this spam score be spoofed

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
We received an email today from what appears to be an official government email, but due to my custom spam score it got spammed out.
I've considered giving the following score a minus number to alleviate this.

Could the SpamAssassin score 'FROM_GOV_DKIM_AU' be spoofed?
E.g. if I gave this a minus score, it would cancel out the custom high scores.
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
You might like to use your favorite search engine for "FROM_GOV_DKIM_AU" and have a look at the svn commits that show how that rule is built, and has evolved.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
The rule is here:

Code:
##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_GOV_DKIM_AU  DKIM_VALID_AU && __FROM_ADDRLIST_GOV
tflags   FROM_GOV_DKIM_AU  net nice publish
describe FROM_GOV_DKIM_AU  From Government address and DKIM signed
#score    FROM_GOV_DKIM_AU  -1.0 # limit
endif
endif
##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
This essentially combines the DKIM_VALID_AU informational rule and the FROM_ADDRLIST_GOV list and scores based on the output.

What each one of those rules does is included below:

Code:
# Note: DKIM_SIGNED, DKIM_VALID and DKIM_VALID_AU are mainly informational
# rules, and can serve as a basis for meta rules; it is not difficult for a
# sender to cause hits on them or to prevent them from firing, so their score
# should be kept low.

Code:
full     DKIM_VALID_AU          eval:check_dkim_valid_author_sig()
describe DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
tflags   DKIM_VALID_AU          net nice
reuse    DKIM_VALID_AU

Code:
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
endif
endif
Code:
enlist_addrlist (GOV) *@*.gov
enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
reuse    __FROM_ADDRLIST_GOV

Perl:
  # the important bit!
  $self->register_eval_rule("check_from_in_blacklist");
  $self->register_eval_rule("check_to_in_blacklist");
  $self->register_eval_rule("check_to_in_whitelist");
  $self->register_eval_rule("check_to_in_more_spam");
  $self->register_eval_rule("check_to_in_all_spam");
  $self->register_eval_rule("check_from_in_list");
  $self->register_eval_rule("check_replyto_in_list");
  $self->register_eval_rule("check_to_in_list");
  $self->register_eval_rule("check_from_in_whitelist");
  $self->register_eval_rule("check_forged_in_whitelist");
  $self->register_eval_rule("check_from_in_default_whitelist");
  $self->register_eval_rule("check_forged_in_default_whitelist");
  $self->register_eval_rule("check_mailfrom_matches_rcvd");
  $self->register_eval_rule("check_uri_host_listed");
  # same as: eval:check_uri_host_listed('BLACK') :
  $self->register_eval_rule("check_uri_host_in_blacklist");
  # same as: eval:check_uri_host_listed('WHITE') :
  $self->register_eval_rule("check_uri_host_in_whitelist");
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
We get a ton of email which contain the word 'UNSUBSCRIBE' and the from address contains the word BOUNCE or BOUNCES.
Working on the basis that 99.9% of these are unsolicited marketing emails, I have a few custom rules, each phrase gathering 2.5 points.
Combine this with any other spam scores and they are spammed out.
It works quite well for us, we see very few unsolicited marketing emails in inboxes.

Only in this instance it caught the government one.

I've given 'FROM_GOV_DKIM_AU' a minus score for now.
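
The following is an added worked example, not code from SpamAssassin, cPanel, or either poster. It models the two things discussed in this thread: how the FROM_GOV_DKIM_AU meta rule quoted above fires (DKIM_VALID_AU && __FROM_ADDRLIST_GOV, with the GOV address list taken from the rule file), and how a negative score on it interacts with custom 2.5-point UNSUBSCRIBE / BOUNCE rules like the ones described in the last post. Real DKIM cryptographic verification is not performed: the caller passes the set of signing domains whose signatures verified, standing in for the DKIM plugin's result. The -5.0 score for FROM_GOV_DKIM_AU, the exact-domain-equality test for an author signature, the rule names CUSTOM_UNSUBSCRIBE / CUSTOM_BOUNCE_FROM, and the sample messages are all assumptions constructed for the example.

```python
"""Model of SpamAssassin's FROM_GOV_DKIM_AU meta rule and score offsetting.
Added illustration, not SpamAssassin or cPanel code.  DKIM signatures are not
verified here; verified_domains is supplied by the caller as a stand-in."""
import re
from email import message_from_string
from email.utils import parseaddr

# Address-list entries copied from the enlist_addrlist (GOV) lines above.
GOV_ADDRLIST = ["*@*.gov", "*@*.gov.uk", "*@parliament.uk", "*@*.parliament.uk"]

# Assumed scores: 2.5 per custom phrase as described in the thread, and an
# arbitrary -5.0 for the government rule (the stock file leaves it unscored).
SCORES = {
    "CUSTOM_UNSUBSCRIBE": 2.5,
    "CUSTOM_BOUNCE_FROM": 2.5,
    "FROM_GOV_DKIM_AU": -5.0,
}
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def glob_to_regex(glob):
    """Address-list globs are anchored at both ends; '*' matches any run,
    so 'x@agency.gov.example.com' does not match '*@*.gov'."""
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*") + "$", re.I)


GOV_PATTERNS = [glob_to_regex(g) for g in GOV_ADDRLIST]


def author_address(msg):
    """The address part of From:, ignoring the display name."""
    return parseaddr(msg.get("From", ""))[1].lower()


def from_addrlist_gov(msg):
    """Stand-in for check_from_in_list('GOV'): tests the address only, so a
    .gov string placed in the display name does not count."""
    return any(p.match(author_address(msg)) for p in GOV_PATTERNS)


def dkim_valid_au(msg, verified_domains):
    """Stand-in for DKIM_VALID_AU: a verified signature whose d= tag is the
    author (From) domain.  Exact equality is an assumption of this model."""
    author_domain = author_address(msg).rpartition("@")[2]
    signing_domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            signing_domains.add(m.group(1).lower())
    verified = {d.lower() for d in verified_domains}
    return bool(author_domain) and author_domain in signing_domains \
        and author_domain in verified


def rule_hits(msg, verified_domains):
    """Return the set of rule names that fire for this message."""
    hits = set()
    if "UNSUBSCRIBE" in msg.get_payload().upper():
        hits.add("CUSTOM_UNSUBSCRIBE")
    if "BOUNCE" in author_address(msg).upper():
        hits.add("CUSTOM_BOUNCE_FROM")
    # meta FROM_GOV_DKIM_AU  DKIM_VALID_AU && __FROM_ADDRLIST_GOV
    if dkim_valid_au(msg, verified_domains) and from_addrlist_gov(msg):
        hits.add("FROM_GOV_DKIM_AU")
    return hits


def classify(raw, verified_domains):
    """Return (total score, sorted hit names, is_spam) for a raw message."""
    msg = message_from_string(raw)
    hits = rule_hits(msg, verified_domains)
    total = sum(SCORES[h] for h in hits)
    return total, sorted(hits), total >= REQUIRED_SCORE


# Constructed sample messages; the signature tags are placeholders, not real.
GENUINE = """From: "Records Office" <clerk@agency.gov>
DKIM-Signature: v=1; a=rsa-sha256; d=agency.gov; s=sel; h=from:to; bh=x; b=y
Subject: Notice

To stop receiving these notices, reply with UNSUBSCRIBE.
"""
DISPLAY_NAME_SPOOF = """From: "clerk@agency.gov" <bounces@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=x; b=y
Subject: Notice

Click here to UNSUBSCRIBE.
"""
THIRD_PARTY_SIG = """From: <clerk@agency.gov>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=x; b=y
Subject: Notice

Click here to UNSUBSCRIBE.
"""

if __name__ == "__main__":
    for name, raw, ok in [("genuine", GENUINE, {"agency.gov"}),
                          ("genuine, sig failed", GENUINE, set()),
                          ("display-name spoof", DISPLAY_NAME_SPOOF, {"example.com"}),
                          ("third-party signature", THIRD_PARTY_SIG, {"example.com"})]:
        print(name, classify(raw, ok))
```

The two spoof attempts never reach the negative score: the display-name trick fails the address-list check, and a .gov From address signed by a domain the sender does control fails the author-domain check, so the offset only applies when a signature verifies under the .gov domain's own DKIM key. In SpamAssassin itself the SCORES dictionary corresponds to `score` lines in local.cf, in the same form as the commented-out `score FROM_GOV_DKIM_AU -1.0` in the rule file above.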
 