The bombHeaderRe with the DEFINE or list should be sufficient. I'm still worried about fake/invalid DKIM still getting the bonus score, but this will have to do. Thanks.

On Mon, Nov 8, 2021 at 12:01 PM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> I told you to score such domains elsewhere - just do it and the result is
> the same as you wanted.
>
> for example:
>
> bombHeaderRe:
>
> \nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(The_Wanted_IDENTITY))\;=>the_wanted_negative_score
>
> currently the (?(DEFINE).......) is not working with assp (is destroyed if
> a-d-n-o-r is not set for the file) - but the next version will do it -
> and you can use:
>
> (?(DEFINE)(?<IDENTITY10>the_wanted_identity|ident2|ident3|......))\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(?&IDENTITY10))\;=>the_wanted_negative_score
> - e.g. -10
> (?(DEFINE)(?<IDENTITY20>the_wanted_identity|ident5|ident6|......))\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(?&IDENTITY20))\;=>the_wanted_negative_score
> - e.g. -20
> ...
>
> CLOSED for me
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 05.11.2021 20:03
> Subject: Re: [Assp-test] Another Concept Question: DKIMBousScoreList
> ------------------------------
>
> Having the dkimBonusScoreList would be like applying
> dkimBonusValancePB but ONLY for those that DKIM validate AND are on the
> scorelist. Here's why I think that would be helpful and what you proposed
> could be problematic. Essentially: I'm thinking: "look, this organization
> usually sends good stuff, but not always. They might also have people
> sending non-dkim signed messages through a myriad of channels. Deal with
> them separately, but if we KNOW it's from them because of their DKIM
> signature, help that message get through with the idea that it'll be
> stored in okmail unless whitelisted through something other than dkim."
>
> > there is already dkimOkValencePB - increase it
> But a high percentage of all messages that are received, spam and not,
> have valid signatures. I don't think we should use that to give a bonus
> regardless of who the signer is. All gmail messages are signed, almost
> everything from office365. Yes, I could do a universal bonus then reduce
> gmail and onmicrosoft.com, but that doesn't get 365 users with their own
> signatures and all of the millions of other domains out there.
>
> It was one thing when DKIM signing was a new concept and only legit
> businesses signed messages. Now that most senders are signing, giving a
> bonus would let an awful lot of spam slip through under the rejection
> scoring threshold.
>
> >reduce the score for certain domains by blackListedDomains, SenderBase or
> >anywhere else - if needed
> Senderbase won't work for those using AWS as an example - too many
> spammers use them, so adding to senderbase can't be negated using
> blacklist/bombs, etc because I obviously don't know all of the bad senders
> using AWS.
>
> I could reduce the score based on a BombRe match on squaremktg, but then
> I'm reducing when I haven't validated the signature. It would probably
> work for this specific example, but it would be generally helpful to be
> able to reduce the score on a message based solely on the signature when
> I'm sure they're actually the sender. Dare I say that I'm in love with
> DKIM?
>
> Would it be life changing like DoDKIMWLAddresses? No, absolutely not, but
> if it's not a major task to add the functionality, I think there would be
> wide appeal.
>
> I >>almost<< want to suggest that the dkimBonusValancePB feature be
> removed altogether. I can't think of a scenario where you'd want to give a
> bonus universally just because a message has a valid signature from
> anyone. Same thing for the SPF pass bonus and its default of -10!!! I'm
> sure there are people using one or both, I just can't think of a
> scenario in which it's a good idea.
>
> On Fri, Nov 5, 2021 at 10:37 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Another useless post about concepts without reading the manual.
>
> >dkimBonusValancePB
>
> there is already dkimOkValencePB - increase it
>
> and
>
> reduce the score for certain domains by blackListedDomains, SenderBase or
> anywhere else - if needed
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 04.11.2021 22:38
> Subject: [Assp-test] Another Concept Question: DKIMBousScoreList
> ------------------------------
>
> SUMMARY: Would there be benefit (that wouldn't be terrible to code) in
> adding the ability for us to assign a score to emails that match a list of
> DKIM signature identities?
>
> The DKIMWLAddress and DKIMNPAddress functionality has been an absolute
> game changer here. Thank you so much for implementing that (it was my
> idea, but we all know that I could never code such a thing).
>
> I've combined that functionality with closely monitored SenderBase lists
> to dramatically improve ASSP's accuracy.
>
> One place where Senderbase shines is its scoring ability for bulk
> senders. For example, I can give anything that Senderbase says is coming
> from constant contact's network a -10 score, by adding it into
> whiteSenderBase like
> ^constantcontact\.com$=>-10
> I don't want to blindly let through constant contact signed messages, but
> if it's coming from their network, make it a little easier for messages to
> pass through. That's worked well for a long long time.
>
> Recently, I'm seeing several bulk senders having legitimate messages DKIM
> signed by the bulk sender themselves, but being sent through Amazon AWS
> (amazonses.com) and is classified by senderbase
> as being Amazon / amazonses.com. There's a lot
> of volume coming in from amazonses.com, but
> unfortunately, it's a mix of perfectly legitimate messages and others that
> are pure garbage. So that takes Senderbase off the table. Coming from
> amazonses shouldn't impact the score either way. And I can't DKIMWLAddress
> the signature, then bad stuff would absolutely get through.
>
> An example is Square, the credit card processor and software company.
> They send mail, DKIM signed @squaremktg.com on
> behalf of clients. Most mail from square is good, but sometimes it gets
> spammy, just like we see with mail from other bulk senders. Real world, I
> paid for a car wash using their mobile payment platform, I received the
> receipt and later got an email with a promotion from the car wash. All
> good. The provider's signature was in DKIMWLAddresses. Today, I received
> an advertisement from them for what is apparently a "gentleman's club" next
> door, offering a complimentary car wash (I took that literally) for
> visiting the establishment. The language in that email would have
> absolutely had it rejected if it hadn't been on DKIMWLAddresses. Worse, it
> wound up in the not-spam corpus.
>
> So, I'd like for certain DKIM signatures to be able to SCORE. DKIM
> scoring would help it get through (or make it harder depending on the
> score) without automatically passing it and adding it to the corpus like
> DKIMWLAddresses does. That would let me give the message a negative score
> based on the DKIM but still let Bayesian/HMM and other features stay in
> play to score the message further.
>
> Conceptually, I could see this working similarly to senderbase. There
> would be a default valance like
> dkimBonusValancePB
> set to a default of -25
>
> Then we'd have a list, maybe called DKIMBousScoreList. Like
> DKIMWLAddresses, it would match the end of the validated DKIM identity, but
> also accepts a score override:
> (@|.)squaremktg.com   <--- gets the default of -25
> (@|.)someUsuallyOKsigner.com=>-12   <-- gets -12 for a score
> (@|.)prettygood.com=>5   <--- gets 1/5 of the default -25 -25/5 = -5
> (@|.)UsuallyBad.com=>-5   <-- this isn't a bonus, a negative default divided by a negative is a positive. it will be -25/-5 or adding 5 to the score
>
> From a management standpoint, it would certainly be easier to "just" be
> able to assign an optional 2nd parameter to DKIMWLAddresses that would
> score instead of whitelisting, but I feel like that could be too big of a
> coding project.
>
> I tried to come up with a way to accomplish the same thing based on DKIM
> signature, but came up very short. I know I could ignore DKIM and just
> score based on the from line, but I really appreciate the certainty that
> DKIM gives that the message is really from that organization.
>
> What do you think? Would a DKIMBousScoreList feature have universal
> appeal?
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
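
An added example, not from the thread or from ASSP's code, illustrating the concern in the top reply: the first bombHeaderRe pattern quoted above scores on header text alone, while a score keyed on an already verified identity does not fire for an unverified header. The score tiers, the sample headers and the `verified_domain` input are constructed assumptions, and the identity list is inlined as an alternation because Python's `re` has no `(?(DEFINE)...)` groups.

```python
import re

# The first bombHeaderRe pattern from the thread, with the identity list
# inlined as an alternation (Python's re has no (?(DEFINE)...) groups).
HEADER_RE = (r"\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?"
             r"[ \t]*([di]=\@?(%s))\;")

# Constructed score tiers (score -> identities); not real ASSP configuration.
TIERS = {-10: ["squaremktg.com"], -20: ["example.org"]}

# Constructed header block. A forged signature would carry the same d= text,
# so a header regex cannot tell it apart from a valid one.
SAMPLE = ("Received: from mail.example.net\r\n"
          "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;"
          " d=squaremktg.com; s=sel1; bh=CONSTRUCTED; b=CONSTRUCTED\r\n"
          "From: promo@squaremktg.com\r\n")


def header_score(raw_headers):
    """Score on header text alone, the way a bombHeaderRe entry matches."""
    for score, idents in TIERS.items():
        alternation = "|".join(re.escape(i) for i in idents)
        if re.search(HEADER_RE % alternation, raw_headers):
            return score
    return 0


def validated_score(verified_domain):
    """Score only an identity that a DKIM verifier has already confirmed.

    verified_domain is an assumption of this example: the d= value of a
    signature that passed verification, or None when none passed.
    """
    if not verified_domain:
        return 0
    domain = verified_domain.lower()
    for score, idents in TIERS.items():
        for ident in idents:
            # Match the end of the identity on a label boundary only.
            if domain == ident or domain.endswith("." + ident):
                return score
    return 0


if __name__ == "__main__":
    print(header_score(SAMPLE), validated_score(None))
```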