FILL_THIS_FORM_FRAUD_PHISH: No DKIM or SPF?

GraysonPeddie

Active Member
My Postfix server discards fraudulent e-mail when it comes to phishing attacks and Nigerian spammers, and the password recovery e-mail got caught and labeled by SpamAssassin, so it got discarded.

I've had to go into my Postfix server and comment out:

Code:
/FRAUD/ DISCARD

in /etc/postfix/header_checks.

I've had to require a password recovery a second time, but once I used KeePass2 for password management, I got it under control. So I checked to see what was going on:

Code:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
server1.graysonpeddie.com
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=0.7 tests=FILL_THIS_FORM_FRAUD_PHISH,
HTML_MESSAGE,T_FILL_THIS_FORM_SHORT autolearn=no version=3.3.2
Received-SPF: None (no SPF record) identity=mailfrom; client-ip=209.59.172.71; helo=www.cocoontech.com; envelope-from=www-data(at)www.cocoontech.com; [email protected] 
Received: from www.cocoontech.com (x.cocoontech.com [209.59.172.71])
by graysonpeddie.com (Postfix) with ESMTP id 1289AE62767

I think what triggers FILL_THIS_FORM_FRAUD_PHISH is if there's no SPF or DKIM record for cocoontech.com. I checked your SPF record and there is none for cocoontech.com and x.cocoontech.com.

In my opinion, I really think it won't hurt to add an SPF record to a TXT record in your DNS provider's DNS settings.

I can add cocoontech.com to my SpamAssassin whitelist, but I don't think it will do any good if I see FILL_THIS_FORM_FRAUD_PHISH in my mail log even with a SpamAssassin score of -100. If anyone asked me, "why am I making such a big deal out of this?" Well, I could work around it by maybe taking out "/FRAUD/ OK" in my header check, since just about all the e-mails that are phishing-related will be blocked by the Barracuda or SORBS realtime blackhole lists. But if an e-mail were to slip through the RBLs, it can be checked by SpamAssassin, and if there's no SPF and I get an e-mail claiming to be from the bank (or maybe even CocoonTech), I'm pretty sure my spam filter will mark it with FILL_THIS_FORM_FRAUD_PHISH and I can have Postfix discard it for me. So as far as you can tell, I am very tough against spam. Sometimes I can be too tough against spam and I may have to compromise my mail server just a tiny little bit. :)
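The post above shows why a whitelist score of -100 does not help once `/FRAUD/ DISCARD` is in header_checks: Postfix applies that pattern to every logical header line (folded lines joined, case-insensitive by default), so the test *name* FILL_THIS_FORM_FRAUD_PHISH matches no matter what the score is. The following is an added example, not code from the post or from Postfix or SpamAssassin; it takes the headers quoted above (plus a constructed variant with USER_IN_WHITELIST applied) and compares the name-based header check with a policy that also looks at SpamAssassin's own verdict. The function names and the whitelisted header sample are assumptions made for illustration.

```python
import re

# Constructed from the headers quoted in the post above: the X-Spam-Status
# header is folded across two physical lines exactly as SpamAssassin emits it.
SAMPLE_HEADERS = (
    "X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on\n"
    "\tserver1.graysonpeddie.com\n"
    "X-Spam-Level: \n"
    "X-Spam-Status: No, score=0.4 required=0.7 tests=FILL_THIS_FORM_FRAUD_PHISH,\n"
    "\tHTML_MESSAGE,T_FILL_THIS_FORM_SHORT autolearn=no version=3.3.2\n"
)

# Constructed (assumption): the same message after the sending domain is put
# on the SpamAssassin whitelist, which adds USER_IN_WHITELIST at -100 points.
# The FRAUD test name is still listed, only the score changes.
WHITELISTED_HEADERS = (
    "X-Spam-Status: No, score=-99.6 required=0.7 tests=FILL_THIS_FORM_FRAUD_PHISH,\n"
    "\tHTML_MESSAGE,T_FILL_THIS_FORM_SHORT,USER_IN_WHITELIST autolearn=no\n"
    "\tversion=3.3.2\n"
)


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace (RFC 5322)."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def get_header(logical_lines, name):
    """Return the value of the first header called `name`, or None."""
    prefix = name.lower() + ":"
    for line in logical_lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def parse_spam_status(value):
    """Pull the verdict, score, threshold and fired test names out of X-Spam-Status."""
    m = re.match(
        r"(Yes|No),\s+score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(.*?)\s+autolearn=",
        value,
    )
    if not m:
        raise ValueError("unrecognised X-Spam-Status: " + value)
    return {
        "is_spam": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "required": float(m.group(3)),
        "tests": [t.strip() for t in m.group(4).split(",") if t.strip()],
    }


def postfix_header_check_discards(raw, pattern=r"FRAUD"):
    """Emulate '/FRAUD/ DISCARD' in header_checks: the pattern is tried against
    every logical header line, case-insensitively, so a test name containing
    FRAUD matches regardless of the score or the Yes/No verdict."""
    return any(re.search(pattern, line, re.IGNORECASE) for line in unfold(raw))


def score_aware_discards(raw, pattern=r"FRAUD"):
    """Alternative policy: discard only if SpamAssassin's own verdict is spam
    AND one of the tests that fired matches the pattern."""
    status = parse_spam_status(get_header(unfold(raw), "X-Spam-Status"))
    return status["is_spam"] and any(re.search(pattern, t) for t in status["tests"])


if __name__ == "__main__":
    for label, raw in (("original", SAMPLE_HEADERS), ("whitelisted", WHITELISTED_HEADERS)):
        print(label, "header_checks discards:", postfix_header_check_discards(raw),
              "| score-aware discards:", score_aware_discards(raw))
```

Both samples are discarded by the name-only pattern, while the score-aware policy keeps them because SpamAssassin itself said "No". In real Postfix the equivalent of the second policy is a header_checks pattern that keys on the verdict, for example matching `X-Spam-Status: Yes` together with the test name, instead of the bare word FRAUD.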
 
SPF records allow the owner of a domain to indicate the list of IP addresses that are allowed to send e-mail with addresses of that domain. Receiving servers (or clients) can use this to check against the IP address of the source e-mail packets. If they aren't a valid source address listed on the SPF record, then it can be rejected. This means that you can't just send out spam and put my e-mail address as the sender. You'd actually have to spoof my IP address, which is a lot more trouble to do. As this stands now, anyone can send out millions of spam e-mails with your e-mail address in them, and get you blacklisted all over the place. It happens a lot, particularly to companies.
 
If you own your own domain, and can set up an SPF record, you can at least allow those servers that use that feature to reject spammers trying to send e-mail with your e-mail addresses. I'll have to check to see if my ISP supports us adding SPF records as well. Since we have a dedicated server we only have to add the one server address as a valid source, presumably, since all our e-mails would go out through that.
 
I guess it would also allow ISPs to catch spammers using their service, since the ISP could check the record when they do the lookup to forward the e-mail outwards, and see if their customers are trying to spoof e-mail addresses.
 