Re: DKIM scoring with spamassassin

2013-02-17 Thread Patrick Ben Koetter
Quanah,

* Quanah Gibson-Mount qua...@zimbra.com:
> --On Friday, February 15, 2013 5:01 PM -0800 John Hardin
> jhar...@impsec.org wrote:
>
>> On Fri, 15 Feb 2013, Quanah Gibson-Mount wrote:
>>
>>> Does anyone tweak the DKIM scores given by SA?  There are plenty of
>>> scenarios where DKIM has failed, yet SA does not give the email a
>>> particularly high spam mark.  3 example test cases below.  I guess I
>>> was expecting SA would score DKIM failures more aggressively if there
>>> are problems with the signing:
>>
>> DKIM and SPF are anti-forgery tools, not anti-spam tools.
>>
>> If you take a DKIM-signed email that is whitelisted because of
>> whitelist_auth and make a change that invalidates the signature, does it
>> still get whitelisted? If not, then SA is doing all that it can
>> reasonably be expected to do with the invalid signature.
>>
>> DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken
>> together with other factors (such as DKIM invalid + claims to be from
>> Wells Fargo) it's useful.
>
> Ok, thanks.  If any of our users ask, this is a good summary. :)

If you want your spam filters to benefit from DKIM, you need to build
reputation. You need to account for whether or not a domain uses DKIM and
what the average spam score of that sender domain is.

The OpenDKIM reputation project has introduced a local reputation database and
uses SpamAssassin to get the spam score. You might want to look into the
project if you want to use DKIM (as one of many methods) to filter spam.

p@rick

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
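
An added example, not part of the original thread and not code from the OpenDKIM reputation project: a local per-domain reputation table built from the `Authentication-Results` and `X-Spam-Status` header shapes quoted in the original post. History is credited to a signing domain only when the signature verified, so forged mail cannot shape that domain's record. The `good.example` and `bulk.example` rows, `MIN_SAMPLES`, and the adjustment values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

DKIM_RE = re.compile(r"\bdkim=(\w+)")          # first dkim= result only
DOMAIN_RE = re.compile(r"\bheader\.d=([\w.-]+)")
SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
MIN_SAMPLES = 3  # assumption: verified messages needed before history counts

def sample(domain, dkim, score):
    """Constructed header block in the amavisd-new shape quoted in this thread."""
    verdict = "Yes" if score >= 6.6 else "No"
    return (f"Authentication-Results: mx.example.test (amavisd-new);\n"
            f"   dkim={dkim} header.d={domain}\n"
            f"X-Spam-Status: {verdict}, score={score} tagged_above=-10 required=6.6\n\n")

# Constructed history; the dkimtest.com rows reuse the results and scores of Cases 1-3.
HISTORY = [sample(d, r, s) for d, r, s in [
    ("dkimtest.com", "fail", -1.379), ("dkimtest.com", "fail", -0.057),
    ("dkimtest.com", "neutral", -1.957),
    ("good.example", "pass", -1.0), ("good.example", "pass", -2.0),
    ("good.example", "pass", -0.6),
    ("bulk.example", "pass", 7.0), ("bulk.example", "pass", 9.0),
    ("bulk.example", "pass", 8.0)]]

def parse(raw):
    """Return (signing domain, dkim result, spam score), or None if any is missing."""
    msg = message_from_string(raw)  # folded header values stay searchable
    auth, status = msg.get("Authentication-Results", ""), msg.get("X-Spam-Status", "")
    d, r, s = DOMAIN_RE.search(auth), DKIM_RE.search(auth), SCORE_RE.search(status)
    if not (d and r and s):
        return None
    return d.group(1).lower(), r.group(1).lower(), float(s.group(1))

def build_reputation(blocks):
    """Accumulate spam scores per domain, counting only DKIM-verified messages."""
    rep = defaultdict(lambda: {"n": 0, "score_sum": 0.0})
    for parsed in filter(None, map(parse, blocks)):
        domain, result, score = parsed
        if result == "pass":  # a failed signature proves nothing about the domain
            rep[domain]["n"] += 1
            rep[domain]["score_sum"] += score
    return rep

def adjustment(rep, domain, result):
    """Hypothetical score tweak for a new message naming `domain` with DKIM `result`."""
    hist = rep.get(domain)
    if not hist or hist["n"] < MIN_SAMPLES:
        return 0.0  # no verified history: pass/fail alone is not a spam sign
    mean = hist["score_sum"] / hist["n"]
    if result == "pass":
        return round(max(-2.0, min(2.0, mean / 2)), 3)  # follow the track record
    return 1.5 if mean < 0 else 0.0  # unverified mail naming a clean signer
```

With this history, a failure for `dkimtest.com` yields no adjustment because the domain has no verified record, while a failure naming `good.example` is penalised.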
 


DKIM scoring with spamassassin

2013-02-15 Thread Quanah Gibson-Mount
Does anyone tweak the DKIM scores given by SA?  There are plenty of 
scenarios where DKIM has failed, yet SA does not give the email a 
particularly high spam mark.  3 example test cases below.  I guess I was 
expecting SA would score DKIM failures more aggressively if there are 
problems with the signing:


Case 1. Actively modify from field of the message and send in manually via
SMTP keeping the same signature.

X-Spam-Status: No, score=-1.379 tagged_above=-10 required=6.6
   tests=[ALL_TRUSTED=-1, BAYES_05=-0.5, DKIM_SIGNED=0.1,
   NO_DNS_FOR_FROM=0.001, T_DKIM_INVALID=0.01,
   T_HEADER_FROM_DIFFERENT_DOMAINS=0.01, T_NOT_A_PERSON=-0.01,
   T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new);
   dkim=fail (1024-bit key) reason=fail (message has been altered)
   header.d=dkimtest.com

Case 2. Update signature on a domain, but don't update it in DNS.

X-Spam-Status: No, score=-0.057 tagged_above=-10 required=6.6
   tests=[ALL_TRUSTED=-1, BAYES_20=-0.001, DKIM_SIGNED=0.1,
   NO_DNS_FOR_FROM=0.001, RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01,
   T_DKIM_INVALID=0.01, T_HELO_NO_DOMAIN=0.01,
   T_LONG_HEADER_LINE_80=0.01, T_NOT_A_PERSON=-0.01,
   T_THREAD_INDEX_BAD=0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new);
   dkim=fail (1024-bit key) reason=fail (bad RSA signature)
   header.d=dkimtest.com

Case 3. Don't populate DNS record with DKIM signature at all

X-Spam-Status: No, score=-1.957 tagged_above=-10 required=6.6
   tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_SIGNED=0.1,
   RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01, T_DKIM_INVALID=0.01,
   T_HELO_NO_DOMAIN=0.01, T_LONG_HEADER_LINE_80=0.01,
   T_NOT_A_PERSON=-0.01, T_THREAD_INDEX_BAD=0.01,
   T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new); dkim=neutral
   reason=invalid (public key: not available) header.d=dkimtest.com

Thanks,
Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: DKIM scoring with spamassassin

2013-02-15 Thread John Hardin

On Fri, 15 Feb 2013, Quanah Gibson-Mount wrote:

> Does anyone tweak the DKIM scores given by SA?  There are plenty of scenarios
> where DKIM has failed, yet SA does not give the email a particularly high
> spam mark.  3 example test cases below.  I guess I was expecting SA would
> score DKIM failures more aggressively if there are problems with the signing:


DKIM and SPF are anti-forgery tools, not anti-spam tools.

If you take a DKIM-signed email that is whitelisted because of 
whitelist_auth and make a change that invalidates the signature, does it 
still get whitelisted? If not, then SA is doing all that it can reasonably 
be expected to do with the invalid signature.


DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken 
together with other factors (such as DKIM invalid + claims to be from 
Wells Fargo) it's useful.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Look at the people at the top of both efforts. Linus Torvalds is a
  university graduate with a CS degree. Bill Gates is a university
  dropout who bragged about dumpster-diving and using other peoples'
  garbage code as the basis for his code. Maybe that has something to
  do with the difference in quality/security between Linux and
  Windows.   -- anytwofiveelevenis on Y! SCOX
---
 7 days until George Washington's 281st Birthday


Re: DKIM scoring with spamassassin

2013-02-15 Thread Quanah Gibson-Mount
--On Friday, February 15, 2013 5:01 PM -0800 John Hardin 
jhar...@impsec.org wrote:

> On Fri, 15 Feb 2013, Quanah Gibson-Mount wrote:
>
>> Does anyone tweak the DKIM scores given by SA?  There are plenty of
>> scenarios where DKIM has failed, yet SA does not give the email a
>> particularly high spam mark.  3 example test cases below.  I guess I
>> was expecting SA would score DKIM failures more aggressively if there
>> are problems with the signing:
>
> DKIM and SPF are anti-forgery tools, not anti-spam tools.
>
> If you take a DKIM-signed email that is whitelisted because of
> whitelist_auth and make a change that invalidates the signature, does it
> still get whitelisted? If not, then SA is doing all that it can
> reasonably be expected to do with the invalid signature.
>
> DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken
> together with other factors (such as DKIM invalid + claims to be from
> Wells Fargo) it's useful.


Ok, thanks.  If any of our users ask, this is a good summary. :)

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration