ah, wait, are you saying that BombRe will look at headers that ASSP adds,
like X-ASSP-DKIM-Identity (which would only be added for a valid
signature)?   (!!!!!)  I always assumed that the bomb functionality was
only on the mail's original headers.

On Mon, Nov 8, 2021 at 2:28 PM K Post <nntp.p...@gmail.com> wrote:

> The bombHeaderRe with the DEFINE or list should be sufficient.  I'm still
> worried about fake/invalid DKIM still getting the bonus score, but this
> will have to do.  Thanks.
>
> On Mon, Nov 8, 2021 at 12:01 PM Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
>> I told you to score such domains elsewhere - just do it and the result is
>> the same as you wanted.
>>
>> for example:
>>
>> bombHeaderRe:
>>
>> \nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(The_Wanted_IDENTITY))\;=>the_wanted_negative_score
>>
>> currently the (?(DEFINE).......) is not working with assp (is destroyed
>> if a-d-n-o-r is not set for the file) - but the next version will do it  -
>>   and you can use:
>>
>> (?(DEFINE)(?<IDENTITY10>the_wanted_identity|ident2|ident3|......))\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(?&IDENTITY10))\;=>the_wanted_negative_score
>> - e.g. -10
>> (?(DEFINE)(?<IDENTITY20>the_wanted_identity|ident5|ident6|......))\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?(?&IDENTITY20))\;=>the_wanted_negative_score
>> - e.g. -20
>> ...
>>
>> CLOSED for me
>>
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        05.11.2021 20:03
>> Subject:        Re: [Assp-test] Another Concept Question: DKIMBousScoreList
>> ------------------------------
>>
>>
>>
>> Having the dkimBonusScoreList would be like applying
>> dkimBonusValancePB but ONLY for those that DKIM validate AND are on the
>> scorelist.  Here's why I think that would be helpful and what you proposed
>> could be problematic.  Essentially: I'm thinking: "look, this organization
>> usually sends good stuff, but not always.  They might also have people
>> sending non-dkim signed messages through a myriad of channels.  Deal with
>> them separately, but if we KNOW it's from them because of their DKIM
>> signature, help that message get through with the idea that it'll be
>> stored in okmail unless whitelisted through something other than dkim."
>>
>> > there is already dkimOkValencePB - increase it
>> But a high percentage of all messages that are received, spam and not,
>> have valid signatures.  I don't think we should use that to give a bonus
>> regardless of who the signer is.  All gmail messages are signed, almost
>> everything from office365.  Yes, I could do a universal bonus then reduce
>> gmail and onmicrosoft.com, but that doesn't get 365 users with their own
>> signatures and all of the millions of other domains out there.
>>
>> It was one thing when DKIM signing was a new concept and only legit
>> businesses signed messages.  Now that most senders are signing, giving  a
>> bonus would let an awful lot of spam slip through under the rejection
>> scoring threshold.
>>
>> >reduce the score for certain domains by blackListedDomains, SenderBase
>> or anywhere else - if needed
>> Senderbase won't work for those using AWS as an example - too many
>> spammers use them, so adding to senderbase can't be negated using
>> blacklist/bombs, etc because I obviously don't know all of the bad senders
>> using AWS.
>>
>> I could reduce the score based on a BombRe match on squaremktg, but then
>> I'm reducing when I haven't validated the signature.  It would probably
>> work for this specific example, but it would be generally helpful to be
>> able to reduce the score on a message based solely on the signature when
>> I'm sure they're actually the sender.  Dare I say that I'm in love with
>> DKIM?
>>
>> Would it be life changing like DoDKIMWLAddresses?  No absolutely not, but
>> if it's not a major task to add the functionality, I think there would be
>> wide appeal.
>>
>> I >>almost<< want to suggest that the dkimBonusValancePB feature be
>> removed altogether.  I can't think of a scenario where you'd want to give a
>> bonus universally just because a message has a valid signature from
>> anyone.  Same thing for the SPF pass bonus and its default of -10!!!  I'm
>> sure there are people using one or both, I just can't think of a
>> scenario in which it's a good idea.
>>
>>
>>
>>
>> On Fri, Nov 5, 2021 at 10:37 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> Another useless post about concepts without reading the manual.
>>
>> >dkimBonusValancePB
>>
>> there is already dkimOkValencePB - increase it
>>
>> and
>>
>> reduce the score for certain domains by blackListedDomains, SenderBase or
>> anywhere else - if needed
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        04.11.2021 22:38
>> Subject:        [Assp-test] Another Concept Question: DKIMBousScoreList
>> ------------------------------
>>
>>
>>
>>
>> SUMMARY: Would there be benefit (that wouldn't be terrible to code) in
>> adding the ability for us to assign a score to emails that match a list of
>> DKIM signature identities?
>>
>>
>> The DKIMWLAddress and DKIMNPAddress functionality has been an absolute
>> game changer here.  Thank you so much for implementing that (it was my
>> idea, but we all know that I could never code such a thing).
>>
>> I've combined that functionality with closely monitored SenderBase lists
>> to dramatically improve ASSP's accuracy.
>>
>> One place where Senderbase shines is its scoring ability for bulk
>> senders.  For example, I can give anything that Senderbase says is coming
>> from constant contact's network a -10 score, by adding it into
>> whiteSenderBase like
>> ^constantcontact\.com$=>-10
>> I don't want to blindly let through constant contact signed messages, but
>> if it's coming from their network, make it a little easier for messages to
>> pass through. That's worked well for a long long time.
>>
>>
>> Recently, I'm seeing several bulk senders having legitimate messages DKIM
>> signed by the bulk sender themselves, but being sent through Amazon AWS
>> (amazonses.com) and is classified by senderbase
>> as being Amazon / amazonses.com.  There's a
>> lot of volume coming in from amazonses.com,
>> but unfortunately, it's a mix of perfectly legitimate messages and others
>> that are pure garbage.  So that takes Senderbase off the table.  Coming
>> from amazonses shouldn't impact the score either way.  And I can't
>> DKIMWLAddress the signature, then bad stuff would absolutely get through.
>>
>> An example is Square, the credit card processor and software company.
>> They send mail, DKIM signed @squaremktg.com
>> on behalf of clients.  Most mail from square is good, but sometimes it gets
>> spammy, just like we see with mail from other bulk senders.  Real world, I
>> paid for a car wash using their mobile payment platform, I received the
>> receipt and later got an email with a promotion from the car wash.  All
>> good.  The provider's signature was in DKIMWLAddresses.  Today, I received
>> an advertisement from them for what is apparently a "gentleman's club" next
>> door, offering a complimentary car wash (I took that literally) for
>> visiting the establishment.  The language in that email would have
>> absolutely had it rejected if it hadn't been on DKIMWLAddresses.  Worse, it
>> wound up in the not-spam corpus.
>>
>>
>> So, I'd like for certain DKIM signatures to be able to SCORE.  DKIM
>> scoring would help it get through (or make it harder depending on the
>> score) without automatically passing it and adding it to the corpus like
>> DKIMWLAddresses does.   That would let me give the message a negative score
>> based on the DKIM but still let Bayesian/HMM and other features stay in
>> play to score the message further.
>>
>> Conceptually, I could see this working similarly to senderbase.  There
>> would be a default valance like
>> dkimBonusValancePB
>> set to a default of -25
>>
>> Then we'd have a list, maybe called DKIMBousScoreList.  Like
>> DKIMWLAddresses, it would match the end of the validated DKIM identity, but
>> also accepts a score override:
>> (@|.)squaremktg.com    <--- gets the default of -25
>> (@|.)someUsuallyOKsigner.com=>-12    <-- gets -12 for a score
>> (@|.)prettygood.com=>5    <--- gets 1/5 of the default -25   -25/5 = -5
>> (@|.)UsuallyBad.com=>-5    <-- this isn't a bonus, a negative default
>> divided by a negative is a positive.  it will be -25/-5 or adding 5 to
>> the score
>>
>>
>> From a management standpoint, it would certainly be easier to "just" be
>> able to assign an optional 2nd parameter to DKIMWLAddresses that would
>> score instead of whitelisting, but I feel like that could be too big of a
>> coding project.
>>
>> I tried to come up with a way to accomplish the same thing based on DKIM
>> signature, but came up very short.  I know I could ignore DKIM and just
>> score based on the from line, but I really appreciate the certainty that
>> DKIM gives that the message is really from that organization.
>>
>> What do you think?  Would a  DKIMBousScoreList feature have universal
>> appeal?
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>
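
The header-scoring approach discussed in this thread, as an added example that is not part of the original messages and is not ASSP code: the quoted bombHeaderRe pattern run over constructed headers, showing that it matches on header text alone, so the score has to be gated on a separate verification result. The score table, sample headers and the `dkim_valid` flag are assumptions of this example; Python's `re` lacks `(?(DEFINE)...)`, so the identity list is expanded into a plain alternation.

```python
import re

# Hypothetical score table for this example, mirroring the IDENTITY10 /
# IDENTITY20 lists in the thread (ident2/ident5 are placeholder names).
SCORES = {-10: ["squaremktg.com", "ident2.example"], -20: ["ident5.example"]}

# Tag-walking prefix copied from the bombHeaderRe quoted in the thread.
TAGS = r"\nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*"


def build_rules(scores):
    """One compiled pattern per score. Python's re has no (?(DEFINE)...),
    so each list becomes a plain alternation; re.escape keeps dots literal."""
    rules = []
    for score, idents in scores.items():
        alt = "|".join(re.escape(i) for i in idents)
        pattern = re.compile(TAGS + r"([di]=\@?(" + alt + r"))\;", re.IGNORECASE)
        rules.append((pattern, score))
    return rules


def header_score(raw_headers, rules):
    """Return (identity, score) for the first matching rule, else None.
    This only reads header text; it says nothing about signature validity."""
    for pattern, score in rules:
        m = pattern.search(raw_headers)
        if m:
            return m.group(2).lower(), score
    return None


def gated_score(raw_headers, rules, dkim_valid):
    """Apply the score only when a separate verifier reported a valid
    signature (dkim_valid comes from the caller; assumed for this example)."""
    return header_score(raw_headers, rules) if dkim_valid else None


# Constructed sample headers: CRLF line endings, folded DKIM-Signature.
SIGNED = ("Received: from mta.example\r\n"
          "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
          "\td=squaremktg.com; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB\r\n"
          "From: Car Wash <news@squaremktg.com>\r\n")
# Same tags with junk signature data: the header regex cannot tell them apart.
UNVERIFIABLE = SIGNED.replace("bh=AAAA; b=BBBB", "bh=x; b=x")
# Identity that merely starts with a listed domain.
LOOKALIKE = SIGNED.replace("d=squaremktg.com;", "d=squaremktg.com.example;")

RULES = build_rules(SCORES)
```

Because the pattern anchors the identity directly after `d=` or `i=@` and requires the closing `;`, subdomains and longer look-alike names are not matched unless they are listed explicitly.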