Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-23 Thread Henrik K
On Mon, May 23, 2022 at 10:48:51PM -0600, Philip Prindeville wrote:
> 
> 
> > On May 11, 2022, at 1:53 AM, Henrik K  wrote:
> > 
> > On Wed, May 11, 2022 at 10:49:32AM +0300, Henrik K wrote:
> >> On Wed, May 11, 2022 at 10:44:05AM +0300, Henrik K wrote:
> >>> On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote:
> >>>> See my original message.
> >>>> 
> >>>> I can't think of a single way to match each header, and then test for 
> >>>> any of them not matching the pattern...
> >>> 
> >>> Simply use regex negative lookahead.
> >>> 
> >>> ALL =~ /^(?!Foo|Bar):/m
> >>> 
> >>> It will hit any line _not_ starting with Foo: or Bar:
> >> 
> >> Oops I think it was buggy.. more like:
> >> 
> >> ALL =~ /^(?!(?:Foo|Bar):)/m
> > 
> > And for debug logging to log the missing header (to easily inspect what was
> > matched) you need some additional string matching, lookahead itself doesn't
> > save any string
> > 
> > ALL =~ /^(?!(?:Foo|Bar):)[^:]+/m
> > 
> 
> 
> Ended up using .*$ instead of [^:]* but that worked too.
> 
> Is it possible to count how many times we didn't see matching headers and 
> then count those, setting some threshold, like 3 or more unknown headers?

tflags multiple should work

header UNKNOWN_HDR ALL ...
tflags UNKNOWN_HDR multiple maxhits=3
meta UNKNOWN_HDR_TOOMANY UNKNOWN_HDR >= 3
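
The lookahead approach from this reply, as an added example (not code from the thread or from SpamAssassin): a Python emulation showing why the first pattern never fires, what the corrected one captures, and how the maxhits cap and the meta threshold behave. The allow-list, the sample headers and the unfold() helper are assumptions; the sketch assumes folded header lines are joined before the pattern is applied.

```python
import re

# Allow-list standing in for the thread's "Foo|Bar" (constructed for this example).
KNOWN = r"Received|From|To|Subject|Date|Message-ID|X-[\w-]+"

# First attempt from the thread: the lookahead consumes nothing, so the
# pattern then requires ':' as the very first character of a line.
FIRST = re.compile(rf"^(?!{KNOWN}):", re.M)
# Corrected form: ':' is inside the lookahead, and [^:]+ captures the
# offending header name so it can be logged.
FIXED = re.compile(rf"^(?!(?:{KNOWN}):)[^:]+", re.M)


def unfold(headers):
    """Join folded continuation lines so every line starts a header field."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def unknown_headers(headers, maxhits=3):
    """Names off the allow-list, capped like 'tflags ... multiple maxhits=N'."""
    return FIXED.findall(unfold(headers))[:maxhits]


def too_many(headers, threshold=3):
    """Emulates 'meta UNKNOWN_HDR_TOOMANY UNKNOWN_HDR >= 3'."""
    return len(unknown_headers(headers, maxhits=threshold)) >= threshold


# Constructed sample header block (not taken from the thread).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123\n"
    "From: Alice <alice@example.net>\n"
    "To: bob@example.org\n"
    "Subject: quarterly report\n"
    "Campaign-Token: 7f3a\n"
    "Bulk-Sender-Ref: 42\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "Tracking-Key: zz9\n"
)

if __name__ == "__main__":
    print("first attempt :", FIRST.findall(unfold(SAMPLE)))   # nothing matches
    print("corrected     :", unknown_headers(SAMPLE))
    print("too many      :", too_many(SAMPLE))
    # Without unfolding, the tab-indented continuation line is a false hit.
    print("not unfolded  :", FIXED.findall(SAMPLE))
```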



Re: Rule to detect non-standard headers that aren't X- prefixed

2022-05-23 Thread Philip Prindeville



> On May 11, 2022, at 1:53 AM, Henrik K  wrote:
> 
> On Wed, May 11, 2022 at 10:49:32AM +0300, Henrik K wrote:
>> On Wed, May 11, 2022 at 10:44:05AM +0300, Henrik K wrote:
>>> On Tue, May 10, 2022 at 06:19:38PM -0600, Philip Prindeville wrote:
>>>> See my original message.
>>>> 
>>>> I can't think of a single way to match each header, and then test for any 
>>>> of them not matching the pattern...
>>> 
>>> Simply use regex negative lookahead.
>>> 
>>> ALL =~ /^(?!Foo|Bar):/m
>>> 
>>> It will hit any line _not_ starting with Foo: or Bar:
>> 
>> Oops I think it was buggy.. more like:
>> 
>> ALL =~ /^(?!(?:Foo|Bar):)/m
> 
> And for debug logging to log the missing header (to easily inspect what was
> matched) you need some additional string matching, lookahead itself doesn't
> save any string
> 
> ALL =~ /^(?!(?:Foo|Bar):)[^:]+/m
> 


Ended up using .*$ instead of [^:]* but that worked too.

Is it possible to count how many times we didn't see matching headers and then 
count those, setting some threshold, like 3 or more unknown headers?

Thanks,

-Philip



Re: DMARC fails for valid record?

2022-05-23 Thread Alex
>
>
>
> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>
> ... and this is the perl library.
>
> I see you have both  KAM_DMARC_REJECT and DMARC_REJECT
> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> isn't available, but uses the library if it does.
>
> could you (temporarily) uninstall the
> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> if it fixes the problem?
>

Since uninstalling it this morning, there have been no other occurrences of
KAM_DMARC_REJECT all day for any emails.

The last DMARC_REJECT was also this morning prior to uninstalling
perl-Mail-Dmarc-PurePerl.

The only other references to DMARC today have been from KAM_DMARC_STATUS


Re: DMARC fails for valid record?

2022-05-23 Thread Matus UHLAR - fantomas

On 2022-05-23 10:11, giova...@paclan.it wrote:
>>starting from r1900857, official ASF channels are loaded first, then
>>all other channels in alphabetical order.
>>
>>I would like to better check the original email if possible.

On 23.05.22 11:01, Benny Pedersen wrote:
>dmarc plugin would have to inherit AuthRes results, imho current dmarc 
>plugin miss this
>
>i am still unsure if AuthRes is useful in other tests as is now


I agree, however both the original mails don't have DMARC result in 
Authentication-Results: headers.


They both have dkim=pass in Authentication-Results: and both hit 
DKIM_VALID_AU. 


https://pastebin.com/9g9VrgVK
https://pastebin.com/DCu9cq4t


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: DMARC fails for valid record?

2022-05-23 Thread Matus UHLAR - fantomas

On 22.05.22 12:25, Kevin A. McGrail wrote:
>#1 you can use the welcomelist entries but NOT the welcomelist_auth
>entries if DMARC is failing.



On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas wrote:

isn't welcomelist_auth okay with DKIM_VALID_AU ?


On 22.05.22 15:17, Alex wrote:

It looks like welcomelist_auth works with SPF even when this DMARC_REJECT
occurs, I believe.


welcomelist_auth requires SPF or DKIM pass result, so passing either should 
cause welcomelist_auth to hit.


...unless the code was rewritten to ignore those when DMARC causes fail.


>#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues
>that we are working through, sorry to say it's been rougher than I 
>wanted to.  But we have it in production and we are working on edge 
>cases from my end.


Alex (OP), do you have Mail::DMARC installed?



May 22 15:12:59.482 [865542] dbg: plugin: loading
Mail::SpamAssassin::Plugin::DMARC from @INC


this is the SA plugin, not the perl library...


I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.


... and this is the perl library.

I see you have both  KAM_DMARC_REJECT and DMARC_REJECT
- KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC 
isn't available, but uses the library if it does.


could you (temporarily) uninstall the perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch 
if it fixes the problem?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.


Re: DMARC fails for valid record?

2022-05-23 Thread Benny Pedersen

On 2022-05-23 10:11, giova...@paclan.it wrote:


>starting from r1900857, official ASF channels are loaded first, then
>all other channels in alphabetical order.
>
>I would like to better check the original email if possible.


dmarc plugin would have to inherit AuthRes results, imho current dmarc 
plugin miss this


i am still unsure if AuthRes is useful in other tests as is now


Re: DMARC fails for valid record?

2022-05-23 Thread giovanni
On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
> 
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries 
> if DMARC is failing.
> 
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that 
> we are working through, sorry to say it's been rougher than I wanted to.  
> But we have it in production and we are working on edge cases from my end.
> 
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so 
> they are parsed after the stock rules for some of the default DMARC scores to 
> change too.  We used a new option for sa-update that Henrik added to do this. 
>  I'll ask for some info about it and test that pastebin to see if it fails on 
> our system too.  I was also discussing more DMARC/DKIM regression tests are 
> needed.  It's too fragile.
> 
starting from r1900857, official ASF channels are loaded first, then all other 
channels in alphabetical order.

I would like to better check the original email if possible.

 Giovanni


> Regards,
> KAM
> 
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail  - 
> 703.798.0171
> 
> 
> On Sun, May 22, 2022 at 11:25 AM Alex wrote:
> 
> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
> 
> https://pastebin.com/9g9VrgVK 
> 
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>  *      and the domain has a DMARC reject policy
>  *  1.8 DMARC_REJECT DMARC reject policy
> 
> Can this info even be added to the welcomelist or will that also now fail?
> 
> 
> 
> On Sun, May 22, 2022 at 11:10 AM Alex wrote:
> 
> Hi, is it possible the DMARC_REJECT problem still exists?
> 
> https://pastebin.com/DCu9cq4t 
> 
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  *  1.8 DMARC_REJECT DMARC reject policy
> 
> Authentication-Results: xavier.example.com (amavisd-new);
>             dkim=pass (1024-bit key) header.d=hotwire.com header.b="NEdhsCdV";
>             dkim=pass (1024-bit key) header.d=amazonses.com header.b="UglVB1nr"
> 
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
> 
> 
> On Wed, May 11, 2022 at 9:01 AM Alex wrote:
> 
> Hi,
> 
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
> 
> I believe this is a bug and fixed in trunk.
> 
> On 5/10/2022 1:55 PM, Bill Cole wrote:
> > Looks like a bug. It should not be possible to hit 
> > DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT
> 
> 
> 
> This was from svn version 1900493. I've now checked out 1900794, 
> but that somehow appears different from the version SA reports?
> 
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
> 
> My firstdata email does appear to now pass DKIM properly, without 
> DMARC_REJECT or KAM_DMARC_REJECT.
> 
> Any idea under what circumstances the DKIM check fails so I can 
> watch for it? Or can we consider it solved?
> 
> 


