Why not Validate Trusted Senders?
Idea shared by kevind - September 1, 2015 at 2:14 PM
Completed
Most experts agree that adding an email address or domain to the global Trusted Senders is not good practice. It's an open door -- anyone can spoof the address or domain.
 
So I suggest qualifying Trusted Senders with SPF or DKIM so that if the name matches AND it passes the test (sent from correct IP, etc.) then let the message through.
 
Example: add facebookmail.com to Trusted Senders and if it passes SPF and/or DKIM, bypass Greylisting and SpamAssassin. Greylisting delays delivery and SA eats up CPU and could send it to Junk folder. Maybe there's a way to do this already?  Like if spam score < 0, don't run SA?
 
Kevin

12 Replies

6
Let's expand on this idea and make SmarterMail's spam processing more efficient:
 
If we eliminate this duplicate processing, SmarterMail will run more efficiently with more users & messages.
 
Thanks,
Kevin
5
SpamAssassin is a nice spam-fighting tool; unfortunately it's a resource hog.
 
Looking for a way to bypass SpamAssassin for known, legitimate, trusted email, which could account for > 50% of mail passing through server. Tried global trusted senders and gateways, but SM still runs SA on every message.
 
Can we add something to SM to bypass SA for either:
  • global trusted senders that pass DMARC or
  • messages from remote gateways that already have a SA score?
Thanks,
Kevin
2
Von-Austin See Replied
Employee Post
Kevin, I've generated a ticket off of this thread so we can track it internally. I'll make sure this gets brought up in our next dev meeting.
 
In our other post, we'll be messing with the same code most likely so I'll see if we can sneak this in as well. 
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
3
Von-Austin See Replied
Employee Post
Kevin,
 
I met with the devs this morning. They have added this into our tracking system as a feature request; unfortunately, I cannot give an ETA on implementation as it needs to go through our standard dev process.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Von, appreciate your effort here. But just a little confused with your post on another thread earlier today:
CCC, our developers have added a feature request for specifying a domain and having the whitelist entries dynamically added based on SPF record. They are in agreement that this would benefit a majority of our customers.
Actually it sounds like the solution we're looking for here.
4
Recently in another thread, Tim Uzzanti wrote:
Why not Validate Trusted Senders
- We do not see the value.
Here's a simple example to help explain the value:
  1. You have a very important customer or vendor, XYZ.com, whose email needs to be delivered immediately (no greylisting) and to the Inbox (no quarantine).
  2. So you add XYZ.com to your global Trusted Senders. (note, this could be @ebay.com or @facebookmail.com for consumer-oriented mailboxes)
  3. Now, when you receive email from this domain, everything works great, right? PROBLEM: What if XYZ.com is spoofed?
  4. SOLUTION: SmarterMail adds a check for SPF or DKIM so when email comes in from XYZ.com, the sending IP is verified, mail is delivered, and it works as intended.
This beats adding dozens of IP addresses to the whitelist and maintaining them. With 18 votes for this thread, it seems like some people in the community see the value. Thanks!
2
Hello. Just following up on this idea. Recently we ran into a problem with Amazon SES trying to deliver messages to SmarterMail and they were delayed for hours because greylisting couldn't handle the multiple IPs. More info here:
 
I think the ideas outlined in this thread could help. Instead of adding multiple IP address ranges and having to maintain them, you could just add 'amazonses.com' and SmarterMail could lookup the valid IP ranges to bypass greylisting. See: https://aws.amazon.com/blogs/ses/amazon-ses-ip-addresses/
2
I agree. More effort can be put into the spam check routines. It would be nice to have an option in the "Anti-Spam administration" where we could select whether trusted senders should go through the classic spam / trusted sender checks like SPF, DKIM, and Reverse Lookup too. Or at least a way to add domain name exceptions to greylisting, so mail isn't delayed. My problem is that it's easier to add an email domain to the trusted senders list than it is to find and add a lot of mail servers' IP addresses to greylisting. This results in mail from fake senders (spam) at apple.com, gmail.com etc. being received without even checking the reverse lookup, which I think is the most important one and which I have given a value of 20 in the spam check list.
1
We had a client that received email from a spoofed domain. Was a trusted sender as well. However, the RDNS check should have stopped them, the server had RDNS setup, but was not forward confirmed. PLEASE ST FIX THIS!!!! And of course, the domain has no SPF (we've worked with them to fix this now).
 
The only reason the customer called BS on the email was because the email had the business name spelled wrong in the signature. Which made their accounts payable department forward to the IT department for verification, then the customer directly for verification they sent the email, then ultimately us to see where it came from.
 
The link on the company name was also linked to a spoofed site as well; they did a really good job on it. Would Cyren or other URIBL checks have caught it? Who knows, since it was a trusted sender these checks were not executed.
 
Ultimately though, if the RDNS check was better, this email would have been kicked back and the customer never would have noticed. The customer rightly is worried about when they receive invoices and requests to pay for materials etc. are they real? Do they have to contact everyone each time to verify?

Christopher

2
Well this happened to me today. SmarterMail did SMTP level checks against...
 
Return-Path: <www-data@jrsacesso211ria01.cloudapp.net>
 
However delivery checks were done against the "From" header, which they spoofed and used my corporate email address.
 
X-SmarterMail-Spam: Commtouch 30 [value: Confirmed], DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
 
So they were able to get through the SMTP checks (because SPF would have failed this email) by using the return path, but then used the from address of my email directly which passed the trusted senders because my email is a contact.
 
Though this further questions, I've seen some emails that are trusted senders with no spam checks executed, however this email had spam checks executed, then shows as a trusted sender... I thought the point of the trusted senders was to have no checks executed period.

Christopher
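
The rule proposed at the top of this thread, applied to the Return-Path/From mismatch described in the post above, as an added example (not SmarterMail code and not from any poster). The `example.com` trusted list, the `mx.example.net` authserv-id, both sample messages and their SPF/DKIM results are constructed; only the Return-Path value comes from the post. Alignment is simplified to "same domain or a subdomain of the From domain".

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # constructed global Trusted Senders list

def domain_of(value):
    """Lower-cased domain of an address, or of a bare domain."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(auth_domain, from_domain):
    # Simplified alignment: identical, or a subdomain of the From domain.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def auth_results(msg):
    """(method, result, authenticated domain) per Authentication-Results clause.
    Assumes only headers written by the receiving server itself are present."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # first field is the authserv-id
            m = re.search(r"\b(spf|dkim)=(\w+)", clause)
            d = re.search(r"\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause)
            if m:
                found.append((m.group(1), m.group(2).lower(),
                              domain_of(d.group(1)) if d else ""))
    return found

def name_only_trusted(raw):
    """The behaviour reported in the thread: only the From header is matched."""
    return domain_of(message_from_string(raw)["From"]) in TRUSTED_DOMAINS

def validated_trusted(raw):
    """Proposed rule: trusted name AND an SPF or DKIM pass for an aligned domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    if from_domain not in TRUSTED_DOMAINS:
        return False
    return any(result == "pass" and aligned(dom, from_domain)
               for _, result, dom in auth_results(msg))

# Constructed messages; the auth results are illustrative, not real lookups.
SPOOFED = ("Return-Path: <www-data@jrsacesso211ria01.cloudapp.net>\n"
           "Authentication-Results: mx.example.net; spf=pass "
           "smtp.mailfrom=jrsacesso211ria01.cloudapp.net; dkim=none\n"
           "From: Accounts <accounts@example.com>\n\nPlease pay the invoice.\n")
GENUINE = ("Return-Path: <bounce@mail.example.com>\n"
           "Authentication-Results: mx.example.net; spf=pass "
           "smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com\n"
           "From: Accounts <accounts@example.com>\n\nMonthly statement.\n")
```

The spoofed message matches the trusted list by name but has no SPF or DKIM pass tied to the From domain, so under the validated rule it would go through the normal spam checks instead of bypassing them.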

0
Matt Petty Replied
Employee Post
Our new SMTP/Spam changes in version 16 should prevent this from occurring now.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Are V15 users being hung out to dry again?
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
