Re: [Nmh-workers] Emails being tagged as spam -- NMH solution???
From: Bob Carragher
Subject: Re: [Nmh-workers] Emails being tagged as spam -- NMH solution???
Date: Mon, 02 Mar 2015 23:52:45 -0800

On Mon, 02 Mar 2015 22:19:42 -0500 Ken Hornstein <address@hidden> sez:
> >There are three occurrences of the following, associated with
> >Received: entries, in the header:
> >
> > (No client certificate requested)
> >
> >I'm guessing that those are harmless.
>
> Yeah, I suspect that's from a TLS connection between client and
> server, and the client didn't provide a certificate which is
> normal.

This seems to be a common occurrence in emails I send to
@stanford.edu, at least.

> >There's also an "spf=softfail" in there.
> >
> > Authentication-Results: mx.google.com <http://mx.google.com>;
> > spf=softfail (google.com <http://google.com>: domain of
> > transitioning address@hidden <address@hidden> does not designate
> > 171.67.219.78 as permitted sender) address@hidden <address@hidden>;
> > dkim=fail address@hidden <http://gmail.com>;
> > dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
> > <http://gmail.com>
> >
> >Note that 171.67.219.78 is smtp-grey.stanford.edu.
>
> Huh. I'd be interested in looking at the whole Received:
> header chain, but maybe I don't understand what is going wrong;
> it almost seems like smtp-grey.stanford.edu is the one
> originating the email and that doesn't make sense to me, if
> you're submitting directly to gmail. But yeah, I suspect the
> failing SPF, DKIM, and DMARC tests is what is causing the
> problem.

Appended to the bottom of this message. I redacted all the
personal information I could see. Hopefully I didn't go too far.

NOTE: the same spf=softfail message as above also appeared in a
message I sent while still using sendmail for outbound email!

> Okay, this header is actually defined in RFC 5451, see here:
>
> https://tools.ietf.org/html/rfc5451

Is that still valid? The top of the linked page indicates that
RFC 5451 is obsoleted by RFC 7001 (in turn updated by RFC 7410).

> But I am still puzzled.

I think your original point about Proofpoint being stingy is key.
One of my messages tagged as spam had just this for its body:

--047d7bfcf7d06fb18e050dadac3b
Content-Type: text/plain; charset=ISO-8859-1
ETA: 19:45. Sorry about this!
--047d7bfcf7d06fb18e050dadac3b
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<p dir=3D"ltr">ETA:=A0 19:45.=A0 Sorry about this!</p>
--047d7bfcf7d06fb18e050dadac3b--

The Proofpoint bit in the header was:

X-Proofpoint-Virus-Version: vendor=fsecure
engine=2.50.10432:5.13.68,1.0.33,0.0.0000
definitions=2015-01-27_04:2015-01-27,2015-01-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=spam policy=default score=75 spamscore=75
suspectscore=1 phishscore=1
adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=7.0.1-1402240000 definitions=main-1501280032

The Subject: was tagged with a triple-score SPAM:

Subject: [SPAM:###] Waaaaay late!

This was sent using GMail's web interface, so it's about as
"legitimate" as it can be. No failing SPF, DKIM, and DMARC tests
(as far as I can tell).

I'm beginning to think that Stanford assumes all email from
outside @stanford.edu is automatically suspect. (But why a
message that looks *more* like it's coming from a compromised
user should pass is beyond me.)

Bob

------------------------------ Cut Here ------------------------------
> Delivered-To: address@hidden <address@hidden>
> Received: by 10.140.34.41 with SMTP id k38csp5438122qgk;
> Sun, 1 Mar 2015 14:04:15 -0800 (PST)
> X-Received: by 10.68.217.103 with SMTP id ox7mr42477279pbc.56.1425247454837;
> Sun, 01 Mar 2015 14:04:14 -0800 (PST)
> Return-Path: <address@hidden <address@hidden>>
> Received: from smtp-grey.stanford.edu <http://smtp-grey.stanford.edu>
> (smtp-grey.stanford.edu <http://smtp-grey.stanford.edu>. [171.67.219.78])
> by mx.google.com <http://mx.google.com> with ESMTPS id
> bd5si10126741pbb.59.2015.03.01.14.04.12
> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
> Sun, 01 Mar 2015 14:04:14 -0800 (PST)
> Received-SPF: softfail (google.com <http://google.com>: domain of
> transitioning address@hidden <address@hidden> does not designate
> 171.67.219.78 as permitted sender) client-ip=171.67.219.78;
> Authentication-Results: mx.google.com <http://mx.google.com>;
> spf=softfail (google.com <http://google.com>: domain of transitioning
> address@hidden <address@hidden> does not designate 171.67.219.78 as permitted
> sender) address@hidden <address@hidden>;
> dkim=fail address@hidden <http://gmail.com>;
> dmarc=fail (p=NONE dis=NONE) header.from=gmail.com <http://gmail.com>
> Received: from mx4.stanford.edu <http://mx4.stanford.edu> (mx4.stanford.edu
> <http://mx4.stanford.edu> [171.67.219.87])
> (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
> (No client certificate requested)
> by smtp-grey.stanford.edu <http://smtp-grey.stanford.edu> (Postfix) with
> ESMTPS id AB17E20B81;
> Sun, 1 Mar 2015 14:04:12 -0800 (PST)
> Received: from pps01.stanford.edu <http://pps01.stanford.edu>
> (pps01.stanford.edu <http://pps01.stanford.edu> [171.67.214.163])
> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> (No client certificate requested)
> by mx4.stanford.edu <http://mx4.stanford.edu> (Postfix) with ESMTPS id
> 9A8DC80CD1;
> Sun, 1 Mar 2015 14:04:12 -0800 (PST)
> Received: from pps.filterd (pps01.stanford.edu <http://pps01.stanford.edu>
> [127.0.0.1])
> by pps01.stanford.edu <http://pps01.stanford.edu> (8.14.5/8.14.5) with SMTP
> id t21M03ir010851;
> Sun, 1 Mar 2015 14:04:14 -0800
> Received: from mx3.stanford.edu <http://mx3.stanford.edu> (mx3.stanford.edu
> <http://mx3.stanford.edu> [171.67.219.73])
> by pps01.stanford.edu <http://pps01.stanford.edu> with ESMTP id 1sva6d059f-1
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
> Sun, 01 Mar 2015 14:04:13 -0800
> Received: from mail-pd0-f179.google.com <http://mail-pd0-f179.google.com>
> (mail-pd0-f179.google.com <http://mail-pd0-f179.google.com> [209.85.192.179])
> (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
> (No client certificate requested)
> by mx3.stanford.edu <http://mx3.stanford.edu> (Postfix) with ESMTPS id
> 5585080B25;
> Sun, 1 Mar 2015 14:04:11 -0800 (PST)
> Received: by pdbfl12 with SMTP id fl12so3394322pdb.5;
> Sun, 01 Mar 2015 14:04:10 -0800 (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com <http://gmail.com>; s=20120113;
> h=message-id:from:originator:to:cc:reply-to:subject:in-reply-to
> :references:mime-version:content-type:content-transfer-encoding:date;
> ________
> ________
> ________
> X-Received: by 10.70.44.203 with SMTP id g11mr42282044pdm.130.1425247450905;
> Sun, 01 Mar 2015 14:04:10 -0800 (PST)
> Received: from localhost.localdomain (c-71-202-61-143.hsd1.ca.comcast.net
> <http://c-71-202-61-143.hsd1.ca.comcast.net>. [71.202.61.143])
> by mx.google.com <http://mx.google.com> with ESMTPSA id
> dx6sm10044832pab.14.2015.03.01.14.04.09
> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
> Sun, 01 Mar 2015 14:04:09 -0800 (PST)
> Message-ID: <nnnnnnnn <nnnnnnnn>>
> From: Bob Carragher <address@hidden <address@hidden>>
> Originator: Bob Carragher <address@hidden <address@hidden>>
> To: XXXXXXXX <address@hidden <address@hidden>>
> Cc: YYYYYYYY <address@hidden <address@hidden>>,
> ZZZZZZZZ <address@hidden <address@hidden>>
> Reply-To: Bob Carragher <address@hidden <address@hidden>>
> In-reply-to: Message <MMMMMM <mmmmmmmm>>
> from XXXXXXXX <address@hidden <address@hidden>>
> on Sun, 01 Mar 2015 05:05:34 -0800.
> References: <MMMMMM <mmmmmmmm>>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Date: Sun, 01 Mar 2015 14:04:02 -0800
> X-Proofpoint-Virus-Version: vendor=fsecure
> engine=2.50.10432:5.13.68,1.0.33,0.0.0000
> definitions=2015-03-01_03:2015-02-27,2015-03-01,1970-01-01 signatures=0
> Subject: [SPAM:#####] SSSSSSSS
> X-Proofpoint-Spam-Details: rule=spam policy=default score=99 spamscore=99
> suspectscore=7 phishscore=0
> adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
> engine=7.0.1-1402240000 definitions=main-1503010244
> X-Grey: yes
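
Added example, not part of the original message: a short Python reading of the header dump above that ties the SPF client IP to the hop that handed the mail to the verifier, and checks whether a Subject tag sits on a header covered by the DKIM h= list. The sample is constructed from the dump with the archive's link debris removed; the function names are hypothetical, and it assumes the [SPAM:...] tag was applied after gmail.com signed the message.

```python
import re
from email import message_from_string

# Constructed sample: a few headers from the dump above, archive link debris removed.
RAW = """\
Received: from smtp-grey.stanford.edu (smtp-grey.stanford.edu. [171.67.219.78])
 by mx.google.com with ESMTPS id bd5si10126741pbb.59.2015.03.01.14.04.12;
 Sun, 01 Mar 2015 14:04:14 -0800 (PST)
Authentication-Results: mx.google.com;
 spf=softfail (google.com: domain of transitioning address@hidden does not
 designate 171.67.219.78 as permitted sender) address@hidden;
 dkim=fail address@hidden;
 dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179])
 by mx3.stanford.edu (Postfix) with ESMTPS id 5585080B25;
 Sun, 1 Mar 2015 14:04:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=message-id:from:originator:to:cc:reply-to:subject:in-reply-to
 :references:mime-version:content-type:content-transfer-encoding:date;
Subject: [SPAM:#####] SSSSSSSS

"""
MSG = message_from_string(RAW)

def hops(msg):
    """Received chain, newest first, as (from_host, ip, by_host)."""
    pat = re.compile(r"from (\S+) \([^\[]*\[([\d.]+)\]\).*? by (\S+)")
    found = (pat.search(" ".join(v.split())) for v in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def auth_results(msg):
    """Return (authserv-id, {method: (result, comment)})."""
    server, *parts = " ".join(msg["Authentication-Results"].split()).split(";")
    pat = re.compile(r"\s*(\w+)=(\w+)\s*(?:\(([^)]*)\))?")
    found = (pat.match(p) for p in parts)
    return server.strip(), {m[1]: (m[2], m[3] or "") for m in found if m}

def diagnose(msg):
    server, res = auth_results(msg)
    ip = re.search(r"designate ([\d.]+)", res.get("spf", ("", ""))[1])
    # The host SPF judged is the hop that handed the mail to the verifier.
    relay = next((f for f, hop_ip, by in hops(msg)
                  if ip and hop_ip == ip.group(1) and by == server), None)
    # Signed header list from DKIM-Signature (folding whitespace removed).
    signed = re.search(r"\bh=([^;]+)", "".join(msg["DKIM-Signature"].split()))
    signed = signed.group(1).lower().split(":") if signed else []
    # A Subject tag added after signing changes a header the signature covers.
    tagged = bool(re.match(r"\[SPAM:#+\]", msg["Subject"] or ""))
    return {"spf_relay": relay, "signed_subject_tagged": tagged and "subject" in signed}
```

On this sample, `diagnose(MSG)` names smtp-grey.stanford.edu as the host SPF was evaluated against and reports that the tagged Subject is in the signed header list.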