Re: Scroring and SPF questions
On Mon, 13 Apr 2015, sha...@shanew.net wrote: On Mon, 13 Apr 2015, John Hardin wrote: On Mon, 13 Apr 2015, Shane Williams wrote: > Somewhat related questions: > > 1. If I alter a rule's score to 0 locally, my understanding is that > the rule won't even be tested for. Does that also mean it won't count > toward meta-rules? That depends on how it's used in the meta rule. If it's used as an exclusion, setting it to always false won't suppress the meta. Also: setting the score of a meta to zero won't suppress evaluation of its component rules. The specific case I'm wondering about is as part of an arithmetic expression, like (__RULE1__ + __RULE2__ + RULE3__) > 2. If I set __RULE2__ to a score of 0, is it now impossible for the meta rule to trigger (since it can never get more than two "points")? Strictly speaking, no, because __RULE1__ and __RULE3__ *may* be "tflags multiple" rules whose individual contributions (hit count) may be > 1. However, in the simpler case where they are not "tflags multiple" rules, that is correct. > 2. Is there a way to create a local rule that uses the DKIM/SPF > information such that I could match to other headers. In particular, > I'm looking to either prevent (or at least counteract) the > "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is > involved. So what I'm looking for is a way to test SPF/DKIM against > the mailing list origination point rather than the sender's. Or > perhaps I'm missing some smarter way to deal with these situations. Simple subrules combined in a neta having a negative score. There are already subrules for detecting mailing list headers and for detecting an invalid DKIM signature. Write a meta that combines those, and give it enough negative points to offset the positive score. Note, however, that mailing list headers are easy for spammers to forge. What I was getting at (but perhaps not describing well) was finding a way to compare the mailing list domain with DKIM or SPF in order to ensure that the mailing list at least arrives from the source we would expect. It doesn't exactly detect mailing list header forgery, but could take away a few points for the ones that can be verified. That said, there me be some reason this totally won't work, so feel free to tell me so. Ah, ok. That I missed, or stopped reading too soon. :) Comparing the domain in two different headers would involve a Header ALL rule similar to TO_EQ_FM and the like. Those rules might give you a starting point. It might be interesting to verify the domain in a list-id header against some other domain in the headers... (envelope from, perhaps?) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...intellectuals have no interest in what _creates_ wealth, and what _inhibits_ the creation of wealth. They are very concerned about the _distribution_ of it, but they act as if wealth just exists somehow. It's like manna from heaven, it's only a question of how we split it up.-- Thomas Sowell --- Today: Thomas Jefferson's 272nd Birthday
Re: Scroring and SPF questions
On Mon, 13 Apr 2015, John Hardin wrote: On Mon, 13 Apr 2015, Shane Williams wrote: Somewhat related questions: 1. If I alter a rule's score to 0 locally, my understanding is that the rule won't even be tested for. Does that also mean it won't count toward meta-rules? That depends on how it's used in the meta rule. If it's used as an exclusion, setting it to always false won't suppress the meta. Also: setting the score of a meta to zero won't suppress evaluation of its component rules. The specific case I'm wondering about is as part of an arithmetic expression, like (__RULE1__ + __RULE2__ + RULE3__) > 2. If I set __RULE2__ to a score of 0, is it now impossible for the meta rule to trigger (since it can never get more than two "points")? 2. Is there a way to create a local rule that uses the DKIM/SPF information such that I could match to other headers. In particular, I'm looking to either prevent (or at least counteract) the "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is involved. So what I'm looking for is a way to test SPF/DKIM against the mailing list origination point rather than the sender's. Or perhaps I'm missing some smarter way to deal with these situations. Simple subrules combined in a neta having a negative score. There are already subrules for detecting mailing list headers and for detecting an invalid DKIM signature. Write a meta that combines those, and give it enough negative points to offset the positive score. Note, however, that mailing list headers are easy for spammers to forge. What I was getting at (but perhaps not describing well) was finding a way to compare the mailing list domain with DKIM or SPF in order to ensure that the mailing list at least arrives from the source we would expect. It doesn't exactly detect mailing list header forgery, but could take away a few points for the ones that can be verified. That said, there me be some reason this totally won't work, so feel free to tell me so. -- Public key #7BBC68D9 at| Shane Williams http://pgp.mit.edu/| System Admin - UT CompSci =--+--- All syllogisms contain three lines | sha...@shanew.net Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
Re: Scroring and SPF questions
On Mon, 13 Apr 2015 09:10:56 -0500 (CDT) Shane Williams wrote: > Somewhat related questions: > > 1. If I alter a rule's score to 0 locally, my understanding is that > the rule won't even be tested for. Does that also mean it won't count > toward meta-rules? AFAIK > 2. Is there a way to create a local rule that uses the DKIM/SPF > information such that I could match to other headers. In particular, > I'm looking to either prevent (or at least counteract) the > "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is > involved. I wouldn't worry, this rule currently scores 0.001, and I doubt it's ever going to have a significant score as it stands. For me it hits more ham than spam. It's actually pretty easy to fix it so it doesn't FP on SRS, mailing lists etc, by looking for the from domain anywhere in the envelope address rather than matching on the end of the envelope domain. For me this would remove most of the FPs without significantly affecting the detection of genuinely mismatched domains. However it would still hit a larger percentage of my ham than spam.
Re: Scroring and SPF questions
On Mon, 13 Apr 2015, Shane Williams wrote: Somewhat related questions: 1. If I alter a rule's score to 0 locally, my understanding is that the rule won't even be tested for. Does that also mean it won't count toward meta-rules? That depends on how it's used in the meta rule. If it's used as an exclusion, setting it to always false won't suppress the meta. Also: setting the score of a meta to zero won't suppress evaluation of its component rules. 2. Is there a way to create a local rule that uses the DKIM/SPF information such that I could match to other headers. In particular, I'm looking to either prevent (or at least counteract) the "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is involved. So what I'm looking for is a way to test SPF/DKIM against the mailing list origination point rather than the sender's. Or perhaps I'm missing some smarter way to deal with these situations. Simple subrules combined in a neta having a negative score. There are already subrules for detecting mailing list headers and for detecting an invalid DKIM signature. Write a meta that combines those, and give it enough negative points to offset the positive score. Note, however, that mailing list headers are easy for spammers to forge. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- I'm seriously considering getting one of those bright-orange prison overalls and stencilling PASSENGER on the back. Along with the paper slippers, I ought to be able to walk right through security. -- Brian Kantor in a.s.r --- Today: Thomas Jefferson's 272nd Birthday
Scroring and SPF questions
Somewhat related questions: 1. If I alter a rule's score to 0 locally, my understanding is that the rule won't even be tested for. Does that also mean it won't count toward meta-rules? 2. Is there a way to create a local rule that uses the DKIM/SPF information such that I could match to other headers. In particular, I'm looking to either prevent (or at least counteract) the "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is involved. So what I'm looking for is a way to test SPF/DKIM against the mailing list origination point rather than the sender's. Or perhaps I'm missing some smarter way to deal with these situations. -- Public key #7BBC68D9 at| Shane Williams http://pgp.mit.edu/| System Admin - UT CompSci =--+--- All syllogisms contain three lines | sha...@shanew.net Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew