replay RBL queries one hour later

2023-02-25 Thread hg user
The last time I was hit by a not-recognized phishing campaign, no IPs nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is: is it possible to replay the queries one/two hours later?

I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.

Hope I was clear...


Re: replay RBL queries one hour later

2023-02-25 Thread Matus UHLAR - fantomas

On 25.02.23 15:34, hg user wrote:

The last time I was hit by a not-recognized phishing campaign, no IPs nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is: is it possible to replay the queries one/two hours later?


you can scan mail every time you want, the question is how do you want to do 
that.



I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.


this could work, this way you could feed all mail multiple times to SA, 
which would apparently increase usage of DNSBLs, they could block you then.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: replay RBL queries one hour later

2023-02-25 Thread John Hardin

On Sat, 25 Feb 2023, hg user wrote:


The last time I was hit by a not-recognized phishing campaign, no IPs nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is: is it possible to replay the queries one/two hours later?


Another more common approach to this situation is "greylisting", where the 
first attempt to submit a message from an unrecognized source is 
tempfailed for some period of time. The mailer will retry and the 
submission will be accepted after the greylisting period has expired, 
which may give RBLs time to list the IPs/domains/hashes/etc.


This also theoretically blocks fire-and-forget mass spammers who only try 
submission once, but I don't know how common that model is these days.


  https://duckduckgo.com/?q=milter-greylist

There are scenarios where this delay is unwelcome, for example commercial 
accounts where you don't want a delay in receiving communications from 
customers or potential customers. There are ways to tune it that may 
mitigate these concerns somewhat.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is not a suicide pact, it is a restraining order
  against government. And government, like any abusive person,
  does not respect or obey restraining orders.   -- Anonymous
---
 1,001 days since the first private commercial manned orbital mission (SpaceX)


Re: replay RBL queries one hour later

2023-02-26 Thread Bill Cole

On 2023-02-25 at 09:34:52 UTC-0500 (Sat, 25 Feb 2023 15:34:52 +0100)
hg user 
is rumored to have said:

The last time I was hit by a not-recognized phishing campaign, no IPs nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is: is it possible to replay the queries one/two hours later?


If you write the code to do it, based on however you manage your mail, 
you can do this. There's no way to put that sort of site-specific 
tooling into SA itself. SA does not know anything about mail other than 
the messages it is given. SA has no way to know what has happened to a 
message after it has made its judgment.



I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.


It's certainly something that one could do.

It is not something that SpamAssassin itself does or ever will do.

A useful tool for doing this sort of thing involving SA is the 
MIMEDefang milter, which can use SA for filtering and also can do 
anything else you can tell Perl to do with mail. I believe MailMunge (a 
descendant of MIMEDefang) also has that capacity.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen
Something to keep in mind about this idea of rescanning messages later - 
once more anti-spam data is available - for use in training/reporting 
spams - this probably should NOT be done days later because SOME senders 
aggressively expire/recycle DKIM dns records. I guess that is to 
minimize the ability for criminals to spoof DKIM? The result is that if 
you implement this idea on days-old messages, you can end up with some 
spam scoring that was ONLY due to the DKIM not being valid anymore, 
where it was valid at the time the message was sent. This can lead to 
many egregious false positives. But doing this "one hour later" 
shouldn't have this problem.


Rob McEwen, invaluement


Re: replay RBL queries one hour later

2023-02-26 Thread Benny Pedersen

Rob McEwen skrev den 2023-02-26 19:03:

...

sent. This can lead to many egregious false positives. But doing this
"one hour later" shouldn't have this problem.


message-id is time-based, so why invalidate it? :)

I made that mistake of not DKIM-signing that header

in that regard I now have 2048 kbit size, where 4096 is a bit overkill


Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some 
days later - when it had originally worked/validated at the time the 
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam filtering 
change caused - then notice that a very legit email that originally passed 
DKIM at the time the message was received - now suddenly fails DKIM 
during this days-later rescan - and without ANY changes to the message 
itself. I think that this is most likely caused by DNS records for that 
DKIM being changed/updated. But whatever the cause, this is STILL a 
reality that's worth noting, for anyone who is rescanning messages 
later.


Rob McEwen, invaluement




Re: replay RBL queries one hour later

2023-02-26 Thread Benny Pedersen

Rob McEwen skrev den 2023-02-26 19:45:

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some
days later - when it had originally worked/validated at the time the
message was sent.


when I began DKIM signing I had that thought: why would it be valid 
after delivery? Could it be good to only be valid until the recipient's 
forwarder has received it? In today's scenario that could harden ARC more, 
to be used in forwards that on their own break DKIM


Postfix has a queue lifetime of 5d, so make DKIM valid for 6 days? :)

since then I do not expire this anymore


I see this often in the real world when I rescan a
message to try to verify the impact on a message that a spam filtering
change caused - then notice that a very legit email that original
passed DKIM at the time the message was received - now suddenly fails
DKIM during this days-later rescan - and without ANY changes to the
message itself.


why rescan?

add reuse foo into local.cf for spamassassin so it is not retesting DKIM


I think that this is most likely caused by DNS records
for that DKIM being changed/updated. But whatever the cause, this is
STILL a reality that's worth noting, for anyone who is rescanning
messages later.


correct, how to solve that world on steroids? :)


Re: replay RBL queries one hour later

2023-02-26 Thread hg user
Thank you to everybody that replied to my request. I knew I was not clear
in my message... :-)) sorry about it.

I have 2 paid RBL (so I don't care about number of queries) at the frontier
MTA. These RBLs reject a ton of connections and so the number of messages
reaching SA is already reduced.

Unfortunately, I can't greylist at the moment... well, actually I answer
with a 4xx code with one of the paid RBL... it's not *me* that greylists
but an external, official, specialized source. I know, borderline.

Back to my request, I see two possibilities.

A.
In the logs of the frontier MTA I have the connection IPs of the messages
that went through. A simple script can extract the IPs, |sort|uniq and then
dig/nslookup and note if they are now listed.
Unfortunately I don't know if the message was reported as spam or quarantined
later, and it may have been detected as spam for reasons other than RBL.

B.
On the backend, zimbra logs all the messages stored in the mailboxes. A bit
more complex script can dump the not spam and not quarantined messages
received in a time range in a specific dir and submit each one to SA, the
production one or one dedicated to this job. In this way I will also check
the URL RBLs.
Using a different SA server allows us to use SA 4.0, or a different set of
plugins and rules, or for example enabling only RBLs checks, adding the
paid ones.

Still don't know if all this is worth the effort.





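Plan A above as a worked script (an added example, not code from this thread): it extracts the unique client IPs from constructed Postfix-style log lines, re-queries them against a DNSBL zone, and reports only the listings that were not known at delivery time. The zone dnsbl.example, the log lines and the answer table are constructed; the fake resolver stands in for real DNS so the block runs offline, while system_resolver() does the real lookups.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Set

# Constructed Postfix smtpd log excerpt (not a real server's log).
SAMPLE_LOG = """\
Feb 25 15:31:02 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Feb 25 15:31:03 mx1 postfix/smtpd[2211]: 1A2B3C4D5E: client=unknown[192.0.2.10]
Feb 25 15:32:17 mx1 postfix/smtpd[2213]: 2B3C4D5E6F: client=mail.example.net[198.51.100.7]
Feb 25 15:33:40 mx1 postfix/smtpd[2214]: 3C4D5E6F70: client=unknown[192.0.2.10]
Feb 25 15:34:55 mx1 postfix/smtpd[2215]: 4D5E6F7081: client=relay.example.org[203.0.113.42]
"""

# Only "client=" lines: those connections got past the frontier checks and
# handed over a message, so they are the ones worth replaying.
CLIENT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Some lists (Spamhaus, for example) answer in 127.255.255.0/24 for error
# conditions such as blocked public resolvers or query-volume limits.
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")

# A resolver maps a name to its A records and raises socket.gaierror when
# the name does not exist, which is how a DNSBL says "not listed".
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Real lookups through the OS resolver."""
    return socket.gethostbyname_ex(name)[2]


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in: answers from a constructed table, NXDOMAIN otherwise."""
    def resolve(name: str) -> List[str]:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def extract_client_ips(log_text: str) -> List[str]:
    """The '| sort | uniq' step: unique client IPv4 addresses, sorted."""
    found: Set[str] = set()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found, key=lambda s: int(ipaddress.IPv4Address(s)))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the octets: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """True when the zone answers with a 127.0.0.0/8 listing code (RFC 5782)."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr in LOOPBACK and addr not in ERROR_CODES:
            return True
    return False


def replay(ips: List[str], zones: List[str], earlier: Dict[str, Set[str]],
           resolve: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Re-query every IP against every zone and return only the listings
    absent from `earlier` (ip -> zones that already listed it at delivery)."""
    newly: Dict[str, Set[str]] = {}
    for ip in ips:
        for zone in zones:
            if zone in earlier.get(ip, set()):
                continue
            if is_listed(ip, zone, resolve):
                newly.setdefault(ip, set()).add(zone)
    return newly


if __name__ == "__main__":
    # Constructed answers: one IP listed, one answered with an error code.
    table = {"10.2.0.192.dnsbl.example": ["127.0.0.2"],
             "42.113.0.203.dnsbl.example": ["127.255.255.254"]}
    ips = extract_client_ips(SAMPLE_LOG)
    for ip, zones in replay(ips, ["dnsbl.example"], {}, fake_resolver(table)).items():
        print(f"{ip} is now listed on {', '.join(sorted(zones))}")
```

For production use, feed `earlier` from the verdicts logged at delivery time and run the script with system_resolver() against the zones you are licensed to query.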

Re: replay RBL queries one hour later

2023-02-28 Thread Kris Deugau

Rob McEwen wrote:

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some 
days later


Hours.

I've recently learned about this, in the context of trying to 
welcomelist legitimate senders.  A 2-hour validity window for the DKIM 
signature is pretty common.  :(


 - when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam filtering 
change caused - then notice that a very legit email that original passed 
DKIM at the time the message was received - now suddenly fails DKIM 
during this days-later rescan - and without ANY changes to the message 
itself. I think that this is most likely caused by DNS records for that 
DKIM being changed/updated.


On most of those messages I expect it's an attribute set on the 
signature, not a rotated DKIM record.


Look for "t=..." and "x=..." in the DKIM-Signature header.  t= is the 
timestamp when it was signed, x= is when it expires.


-kgd

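The t=/x= check described above, as an added example that is not from the thread: it parses a constructed DKIM-Signature tag list (placeholder bh=/b= values, a 2-hour window) and reports whether a rescan at a given time falls after the x= expiry, which is the case where a rescan fails DKIM without any change to the message.

```python
import re
from typing import Dict, Optional

# Constructed DKIM-Signature value with a 2-hour window (x = t + 7200);
# bh= and b= are placeholders, not a real body hash or signature.
SAMPLE_DKIM_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023;\n"
    "\th=from:to:subject:date:message-id; t=1677335692; x=1677342892;\n"
    "\tbh=PLACEHOLDERbodyhash=; b=PLACEHOLDERsignature="
)


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split an RFC 6376 tag=value list; folding whitespace in values is dropped."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        # Split on the first '=' only: b= and bh= end in base64 '=' padding.
        name, sep, value = part.partition("=")
        if not sep:
            continue  # malformed tag; a lenient verifier ignores it
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def validity_window(tags: Dict[str, str]) -> Optional[int]:
    """Seconds between signing (t=) and expiry (x=), or None if either is absent."""
    if "t" not in tags or "x" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def expired_at(tags: Dict[str, str], when: int) -> bool:
    """RFC 6376 lets a verifier fail a signature once x= is in the past, so a
    rescan after that point fails DKIM although the message is unchanged."""
    return "x" in tags and when > int(tags["x"])


def rescan_deadline(tags: Dict[str, str]) -> Optional[int]:
    """Latest Unix time at which a rescan still sees the original DKIM verdict."""
    return int(tags["x"]) if "x" in tags else None


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_DKIM_SIG)
    signed = int(tags["t"])
    print("selector:", tags["s"], "window:", validity_window(tags), "seconds")
    print("expired one hour later:", expired_at(tags, signed + 3600))
    print("expired one day later:", expired_at(tags, signed + 86400))
```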

AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Rob McEwen wrote:
All I know for sure is this - for MANY legit emails - DKIM fails 
some days later


On 28.02.23 12:52, Kris Deugau wrote:

Hours.

I've recently learned about this, in the context of trying to 
welcomelist legitimate senders.  A 2-hour validity window for the DKIM 
signature is pretty common.  :(


I hope these senders expire their e-mail 1.5 hours after sending...


This should be avoidable by using opendkim at SMTP time, and using 
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't 
rechecked if they are


I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.

However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

I will try to load it to see if it works.



- when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam 
filtering change caused - then notice that a very legit email that 
original passed DKIM at the time the message was received - now 
suddenly fails DKIM during this days-later rescan - and without ANY 
changes to the message itself. I think that this is most likely 
caused by DNS records for that DKIM being changed/updated.


On most of those messages I expect it's an attribute set on the 
signature, not a rotated DKIM record.


Look for "t=..." and "x=..." in the DKIM-Signature header.  t= is the 
timestamp when it was signed, x= is when it expires.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
> 
> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>
> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.

> I will try to load it to see if it works.

You also need rules for it to do anything.  No plugin uses its parsing at
this time.

Try the example rules and report back if it works..

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html



Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.

However, I don't see AuthRes plugin mention in .pre files nor in SA rules.


On 01.03.23 11:28, Henrik K wrote:

Because it's experimental and unfinished.


this is the info I was searching for :-)


I will try to load it to see if it works.


You also need rules for it to do anything.  No plugin uses its parsing at
this time.


I see it's missing from SA rules.


Try the example rules and report back if it works..

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


I'll try to define another set of rules to see if they fit:

header  A_SPF_PASS  eval:check_authres_result('spf', 'pass')
score   A_SPF_PASS  0.001

header  A_SPF_FAIL  eval:check_authres_result('spf', 'fail')
score   A_SPF_FAIL  0.1

header  A_SPF_SOFTFAIL  eval:check_authres_result('spf', 'softfail')
score   A_SPF_SOFTFAIL  0.1

header  A_SPF_TEMPFAIL  eval:check_authres_result('spf', 'tempfail')
score   A_SPF_TEMPFAIL  0.1

header  A_DKIM_VERIFIED eval:check_authres_result('dkim', 'pass')
score   A_DKIM_VERIFIED 0.1

header  A_DKIM_INVALID  eval:check_authres_result('dkim', 'fail')
score   A_DKIM_INVALID  0.001


However, so far spamassassin --lint produces:

Mar  1 10:40:36.659 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.662 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.663 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.666 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

I guess it's missing the headers, when I pasted this your mail with headers:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
authorized) smtp.mailfrom=spamassassin.apache.org
(client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255

I only got two lines of errors:

Mar  1 10:47:17.688 [19813] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 10:50:02AM +0100, Matus UHLAR - fantomas wrote:
> > On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
> > > I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
> > > 
> > > However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
> 
> On 01.03.23 11:28, Henrik K wrote:
> > Because it's experimental and unfinished.
> 
> this is the info I was searching for :-)

Apparently any info was removed from UPGRADE too

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918

> However, so far spamassassin --lint produces:
> 
> Mar  1 10:40:36.659 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.662 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.663 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.666 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> 
> I guess it's missing the headers, when I pasted this your mail with headers:
> 
> Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
> header.from=hege.li
> Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=hege.li 
> header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
> dkim-atps=neutral
> Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
> authorized) smtp.mailfrom=spamassassin.apache.org
> (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
> 
> envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
> org; receiver=)
> Authentication-Results: fantomas.fantomas.sk; arc=none 
> smtp.remote-ip=3.227.148.255
> 
> I only got two lines of errors:
> 
> Mar  1 10:47:17.688 [19813] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

Bah, I think it was tested as at least working without errors.  I'll have a
look..




Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On 01.03.23 11:55, Henrik K wrote:

Bah, I think it was tested as at least working without errors.  I'll have a
look..


yes, it's working at least partly:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
authorized) smtp.mailfrom=spamassassin.apache.org
(client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255


X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from 
author's
*   domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.0 A_SPF_PASS No description available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 09:56:


I hope these senders expire their e-mail 1.5 hours after sending...


facebook can do it in 1.5 seconds :)


This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
aren't rechecked if they are


this plugin is meant to be in the core DMARC plugin, not as a separate plugin 
imho; that said, it needs config :)


I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.


+1

However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.


+1


I will try to load it to see if it works.


share config if it does

(lets share trustness)


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.
However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.

Because it's experimental and unfinished.


logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?

same problem with DKIM imho

as long as forwarders insist on doing DKIM signing and leave ARC seal and ARC 
sign :/



I will try to load it to see if it works.
You also need rules for it to do anything.  No plugin uses its parsing 
at this time.


it's as well good to define trustness in this scenario; this is more or 
less bogus :)



Try the example rules and report back if it works..
https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


it does not; how should the DMARC plugin use this?

DMARC only works with A-R headers imho, not internal data as in 
SpamAssassin; okay, first step first :)


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 10:50:
.

Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result
in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm
line 302.


spamassassin --version ?

authres was in 3.4.6 as well, which is why I ask

authres in 4.0.0 does imho not make that error


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-01 09:56:

I hope these senders expire their e-mail 1.5 hours after sending...


On 01.03.23 13:35, Benny Pedersen wrote:

facebook can do it in 1.5 sekunds :)


so, if your mail doesn't get delivered within 1.5 seconds and the DKIM 
signature expires on the fly, the mail gets dropped from mail server?



This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
aren't rechecked if they are


this plugin is meant to be in the core DMARC plugin, not as a separate 
plugin imho; that said, it needs config :)


It should be stable first.

Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses 
Authentication-Results: header if it exists.


SPF, DKIM and DMARC headers should use results of Authentication-Results:
headers (optionally?) only if they produce positive result.

Forced revalidation should be possible, although I have no idea how to 
implement it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 15:40:


so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
signature expires on the fly, the mail gets dropped from mail server?


no, aligned SPF pass from facebook, and even on unaligned I do not 
reject DKIM fails; this is a job for DMARC


this plugin is meant to be in the core DMARC plugin, not as a separate 
plugin imho; that said, it needs config :)

It should be stable first.


+1, it can't be, since it's only local trustness first


Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
uses Authentication-Results: header if it exists.


double checking ARC SPF then?

I have not checked the Perl code yet

SPF, DKIM and DMARC headers should use results of 
Authentication-Results:

headers (optionally?) only if they produce positive result.


I only wish the ARC plugin would be in the DMARC core so the extra plugin is 
not needed


that fits how ARC usage should be

authres is only if you would forward mails to another final DMARC 
testing



Forced revalidation should be possible, although I have no idea how to
implement it.


+1


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On 01.03.23 11:55, Henrik K wrote:

Bah, I think it was tested as at least working without errors.  I'll have a
look..


On 01.03.23 11:04, Matus UHLAR - fantomas wrote:

yes, it's working at least partly:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
   dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li 
header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
   dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
   authorized) smtp.mailfrom=spamassassin.apache.org
   (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
   envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
   org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255


Mar  1 16:32:54.213 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; 
dkim-atps=neutral
Mar  1 16:32:54.214 [30815] dbg: authres: skipping header, unknown property for 
header: a
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; spf=pass (sender SPF  authorized) 
smtp.mailfrom=spamassassin.apache.org  (client-ip=3.227.148.255; 
helo=mxout1-ec2-va.apache.org;  
envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; 
receiver=)
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255
Mar  1 16:32:54.214 [30815] dbg: authres: skipping header, unknown method: arc
Mar  1 16:32:54.214 [30815] dbg: authres: results: dmarc=none spf=pass
Mar  1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

after editing headers I see that errors are caused by

1. "header.a=rsa-sha256" and "header.s=hege2" options in 
Authentication-Results: for dkim where "a" contains algorithm and "s" the 
used selector.


2. unknown "arc" Authentication-Results: header

removing mentioned fields in the first header caused one less error message 
and A_DKIM_VERIFIED hit.


removing second header removed error messages completely


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

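An Authentication-Results parser in the shape the A_SPF_*/A_DKIM_* rules earlier in the thread and the parsing diagnosis above call for (an added example, not SpamAssassin's AuthRes plugin code): RFC 5322 comments are stripped before splitting on ';' because they may contain ';' and '=', properties such as header.a= and header.s= and methods such as arc= are recorded and flagged instead of tripping an uninitialised-value warning, and check_authres_result() follows the contract the thread's rules use. The authserv-id mx.example.net and every value are constructed.

```python
import re
from typing import Dict, List

# Constructed Authentication-Results values in the shape the thread shows;
# authserv-id, domains, addresses and the header.b= tag are placeholders.
SAMPLE_AR = [
    "mx.example.net; dmarc=none (p=none dis=none) header.from=example.org",
    "mx.example.net;\n\tdkim=pass (2048-bit key; unprotected) header.d=example.org\n"
    "\theader.i=@example.org header.a=rsa-sha256 header.s=sel2023 header.b=PLACEHOL;\n"
    "\tdkim-atps=neutral",
    "mx.example.net; spf=pass (sender SPF authorized) smtp.mailfrom=example.org\n"
    "\t(client-ip=192.0.2.10; helo=mail.example.org; envelope-from=bounce@example.org;\n"
    "\treceiver=)",
    "mx.example.net; arc=none smtp.remote-ip=192.0.2.10",
]

# Methods this parser has rules for; anything else is kept but flagged,
# which is what a robust plugin wants instead of a warning or a crash.
KNOWN_METHODS = {"spf", "dkim", "dmarc", "arc", "iprev", "auth"}
COMMENT_RE = re.compile(r"\([^()]*\)")


def strip_comments(value: str) -> str:
    """Remove RFC 5322 comments, innermost first, before any ';' splitting:
    '(2048-bit key; unprotected)' and '(client-ip=...; ...)' both contain ';'."""
    while True:
        value, n = COMMENT_RE.subn("", value)
        if n == 0:
            return value


def parse_authres(header_value: str) -> dict:
    """Parse one Authentication-Results header (RFC 8601) into
    {'authserv_id', 'results': [{'method','result','props','known'}], 'warnings'}."""
    parts = [p.strip() for p in strip_comments(header_value).split(";")]
    parsed = {"authserv_id": parts[0].split()[0], "results": [], "warnings": []}
    for resinfo in parts[1:]:
        if not resinfo:
            continue
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        if not result:  # no "method=result" at the front: not a resinfo
            parsed["warnings"].append(f"unparseable entry: {resinfo!r}")
            continue
        props: Dict[str, str] = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep and "." in key:  # ptype.property=value, whatever the property
                props[key] = val
            else:
                parsed["warnings"].append(f"{method}: ignoring token {tok!r}")
        known = method in KNOWN_METHODS
        if not known:
            parsed["warnings"].append(f"unknown method: {method}")
        parsed["results"].append(
            {"method": method, "result": result, "props": props, "known": known})
    return parsed


def check_authres_result(headers: List[str], method: str, wanted: str) -> bool:
    """Same contract as check_authres_result('spf', 'pass') in the rules
    above: True if any header reports method=wanted."""
    for h in headers:
        for r in parse_authres(h)["results"]:
            if r["method"] == method and r["result"] == wanted:
                return True
    return False


if __name__ == "__main__":
    for h in SAMPLE_AR:
        p = parse_authres(h)
        for r in p["results"]:
            print(r["method"], r["result"], r["props"])
        for w in p["warnings"]:
            print("warning:", w)
    print("A_SPF_PASS:", check_authres_result(SAMPLE_AR, "spf", "pass"))
```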

Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-01 15:40:

so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
signature expires on the fly, the mail gets dropped from mail server?


On 01.03.23 16:33, Benny Pedersen wrote:
no, aligned SPF pass from facebook, and even on unaligned I do not 
reject DKIM fails; this is a job for DMARC


I was asking about outgoing mail being removed from the queue after their 
DKIM signature expires. 

I would not expect anyone to use DKIM expiration shorter than queue lifetime 
of mail.



Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
uses Authentication-Results: header if it exists.


double checking ARC SPF then?
I have not checked the Perl code yet


?

SPF, DKIM and DMARC headers should use results of 
Authentication-Results:

headers (optionally?) only if they produce positive result.


I only wish the ARC plugin would be in the DMARC core so the extra plugin is 
not needed


that fits how ARC usage should be


trusting ARC requires configuring server to trust ARC authority.
So it's of little use usually.

authres is only if you would forward mails to another final DMARC 
testing


authres is great, if you validate mail before you scan for spamminess.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 04:46:27PM +0100, Matus UHLAR - fantomas wrote:
> 
> 1. "header.a=rsa-sha256" and "header.s=hege2" options in
> Authentication-Results: for dkim where "a" contains algorithm and "s" the
> used selector.
> 
> 2. unknown "arc" Authentication-Results: header
> 
> removing mentioned fields in the first header caused one less error message
> and A_DKIM_VERIFIED hit.
> 
> removing second header removed error messages completely

Fixed these in trunk..



Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.


logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?

same problem with DKIM imho

as long as forwarders insist on DKIM signing and leave ARC seal and ARC sign :/


I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.

 Giovanni


I will try to load it to see if it works.

You also need rules for it to do anything.  No plugin uses its parsing at
this time.


It is as well good to define trust in this scenario; this is more or less bogus
:)


Try the example rules and report back if it works..
https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


It does not. How should the DMARC plugin use this?

DMARC only works with A-R headers imho, not internal data as in SpamAssassin;
okay, first step first :)






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Matus UHLAR - fantomas

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.



Henrik K skrev den 2023-03-01 10:28:

Because it's experimental and unfinished.



On 3/1/23 14:30, Benny Pedersen wrote:

logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?



same problem with DKIM imho

as long as forwarders insist on DKIM signing and leave ARC seal and ARC sign :/


On 02.03.23 10:04, giova...@paclan.it wrote:

I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.


Authres plugin should only parse Authentication-Results: headers, not 
signatures themselves.


other plugins should be able to use data provided by this plugin.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

giova...@paclan.it skrev den 2023-03-02 10:04:

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas 
wrote:
I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.
However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.

Because it's experimental and unfinished.


logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?

same problem with DKIM imho

as long as forwarders insist on DKIM signing and leave ARC seal and
ARC sign :/



I have wip code to check if dkim passes from arc signatures and
integrate it into DMARC policies checks.


How? This code works without AuthRes enabled, as I see it.

Return-Path: 
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Level:
X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
 HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
 RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
 SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
 version=4.0.0
X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
 extract_message_metadata: 41 (2.4%), tests_pri_-1: 7 (0.4%),
 compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
 tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
 1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
 tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
 check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
 check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
 (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
 total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
 rewrite_mail: 0.00 (0.0%)

Content analysis details:   (-2.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [94.237.105.223 listed in wl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [94.237.105.223 listed in list.dnswl.org]
-0.1 SPF_PASS               SPF: sender matches SPF record
-0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_VALID              Message has a valid ARC signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 RELAYCOUNTRY_GREY      Relayed through at some point
 1.5 RELAYCOUNTRY_BAD       Relayed through at some point
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list manager
-0.1 DMARC_PASS             DMARC pass policy
 0.0 AWL                    AWL: From: address is in the auto welcome-list


Authres plugin is needed to parse Arc signatures and pass the results
to DMARC plugin.


Yes, the magic can be done in DMARC, where it belongs.

AuthRes is imho only for trusted ARC signers, not for testing ARC_VALID
or ARC_SIGNED.


Can you confirm it? The rules for AuthRes do not work for me, but it seems they
do for others? Why?


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/2/23 11:50, Matus UHLAR - fantomas wrote:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.



Henrik K skrev den 2023-03-01 10:28:

Because it's experimental and unfinished.



On 3/1/23 14:30, Benny Pedersen wrote:

logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?



same problem with DKIM imho

as long as forwarders insist on DKIM signing and leave ARC seal and ARC sign :/


On 02.03.23 10:04, giova...@paclan.it wrote:

I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.


Authres plugin should only parse Authentication-Results: headers, not 
signatures themselves.


I mean ARC-Authentication-Results headers, signatures are checked by DKIM.pm.


other plugins should be able to use data provided by this plugin.


this is still WIP code.






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/2/23 12:49, Benny Pedersen wrote:

giova...@paclan.it skrev den 2023-03-02 10:04:

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.


logic is as well

why should the SPF plugin be enabled to test if the ARC chain passes SPF?

same problem with DKIM imho

as long as forwarders insist on DKIM signing and leave ARC seal and ARC sign :/


I have wip code to check if dkim passes from arc signatures and
integrate it into DMARC policies checks.


How? This code works without AuthRes enabled, as I see it.


If DKIM fails but ARC passes, the DMARC policy could be overridden; this part
doesn't work.
In your case DMARC would pass even without ARC because DKIM is valid.




Return-Path: 
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Level:
X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
 HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
 RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
 SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
 version=4.0.0
X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
 extract_message_metadata: 41 (2.4%), tests_pri_-1: 7 (0.4%),
 compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
 tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
 1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
 tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
 check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
 check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
 (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
 total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
 rewrite_mail: 0.00 (0.0%)

Content analysis details:   (-2.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [94.237.105.223 listed in wl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [94.237.105.223 listed in list.dnswl.org]
-0.1 SPF_PASS               SPF: sender matches SPF record
-0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_VALID              Message has a valid ARC signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 RELAYCOUNTRY_GREY      Relayed through at some point
 1.5 RELAYCOUNTRY_BAD       Relayed through at some point
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list manager
-0.1 DMARC_PASS             DMARC pass policy
 0.0 AWL                    AWL: From: address is in the auto welcome-list


Authres plugin is needed to parse Arc signatures and pass the results
to DMARC plugin.


Yes, the magic can be done in DMARC, where it belongs.

AuthRes is imho only for trusted ARC signers, not for testing ARC_VALID or
ARC_SIGNED.

Can you confirm it? The rules for AuthRes do not work for me, but it seems they do
for others? Why?






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-02 11:50:


Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.


+1, funny you provided an eval that worked? :)

Have you seen ARC_VALID or ARC_SIGNED yet?

imho DMARC in SpamAssassin is already doing things right, but it should maybe
just be documented when to use AuthRes


It is already used in the Perl code in DMARC, without any eval calls.

The previous mail I posted is without AuthRes enabled.




Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

giova...@paclan.it skrev den 2023-03-02 12:53:


How? This code works without AuthRes enabled, as I see it.



If DKIM fails but ARC passes, the DMARC policy could be overridden; this
part doesn't work.


Ah okay, got it.

The eval should not be done in DKIM but moved to AuthRes, and the result
metadata used in the DMARC plugin.



In your case DMARC would pass even without ARC because DKIM is valid.


Correct, there are just many corner cases yet to test.

Your SpamAssassin rules channel does btw not lint; please see why
when only check.pm is loaded.


And that rule that does not lint is already tested in SpamAssassin core
rules, so that code is just tested one more time without any new results
:/


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-02 11:50:

Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.


On 02.03.23 12:55, Benny Pedersen wrote:

+1, funny you provided an eval that worked? :)

Have you seen ARC_VALID or ARC_SIGNED yet?


Many.  I just still don't think we should trust ARC headers by default
(someone has signed headers, but that does not mean that someone is
trustworthy).


if ARC signer is trusted and the signature is correct, the status can be 
extracted from ARC-Authentication-Results:


Further modules can use that to e.g. allowlist the sender even if the DKIM
fails.


Authentication-Results: fantomas.fantomas.sk; arc=pass 
smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=pern.onmicrosoft.com; dmarc=pass action=none
header.from=gcwus.edu.pk; dkim=pass header.d=gcwus.edu.pk; arc=none


Here, if I trust "fantomas.fantomas.sk" authentication header (configurable 
in AuthRes) and I trust signer microsoft.com, I will believe that the 
message passed DMARC and SPF for pern.onmicrosoft.com.


However, if there was some other random ARC signer faking positive
SPF/DKIM/DMARC results, we should not believe the ARC signature


... and this message can still be spam (it is).


imho DMARC in SpamAssassin is already doing things right, but it should maybe
just be documented when to use AuthRes


It's the DKIM module that validates ARC headers in SA.
While the functionality is similar to DKIM, 


It is already used in the Perl code in DMARC, without any eval calls.

The previous mail I posted is without AuthRes enabled.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
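The trust model Matus lays out above (believe an Authentication-Results header only when its authserv-id is your own, use a sealer's ARC-Authentication-Results only when that sealer is on a configured trust list, and never let an unknown sealer's claimed spf/dkim/dmarc results count), together with the override giovanni describes (DKIM broken by a forwarder, but a trusted ARC chain carrying dmarc=pass), as an added Python example. This is not code from SpamAssassin's AuthRes, DKIM or DMARC plugins; the hostnames, header values and verdict strings are constructed for illustration, and it assumes the ARC signature itself has already been cryptographically validated (DKIM.pm's job in SA), so that arc=pass in the local header can be taken at face value.

```python
"""Added example: parse Authentication-Results / ARC-Authentication-Results
(RFC 8601 / RFC 8617 syntax) and decide whether a trusted ARC chain may
override a local DMARC failure.  Not SpamAssassin code; every name below is
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: what our own MX (mx.example.net) recorded for a message
# that went through forwarder.example, which broke DKIM and SPF on the way.
LOCAL_AR = (
    "mx.example.net; dkim=fail (body hash did not verify) header.d=sender.example; "
    "spf=fail smtp.mailfrom=bounce.sender.example; "
    "dmarc=fail header.from=sender.example; "
    "arc=pass smtp.remote-ip=192.0.2.10 arc.chain=forwarder.example"
)
# Constructed sample: the forwarder's ARC-Authentication-Results (i=1), i.e.
# what it saw before touching the message.  Its truth rests on the sealer.
FORWARDER_AAR = (
    "i=1; mx.forwarder.example 1; spf=pass smtp.mailfrom=bounce.sender.example; "
    "dmarc=pass action=none header.from=sender.example; "
    "dkim=pass header.d=sender.example; arc=none"
)


@dataclass
class AuthResults:
    authserv_id: str            # who wrote this header
    instance: Optional[int]     # i= of an ARC-Authentication-Results, else None
    results: Dict[str, dict]    # method -> {"result": ..., "props": {ptype.prop: value}}


_KV = re.compile(r'([A-Za-z0-9_.\-]+)=("(?:[^"\\]|\\.)*"|[^\s;]+)')


def parse_authres(value: str) -> AuthResults:
    value = re.sub(r"\([^()]*\)", "", value)                  # drop CFWS comments
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    instance = None
    if clauses and clauses[0].lower().startswith("i="):       # ARC instance tag
        instance = int(clauses.pop(0)[2:])
    # authserv-id, optionally followed by an authres-version number
    authserv_id = clauses.pop(0).split()[0].lower() if clauses else ""
    results: Dict[str, dict] = {}
    for clause in clauses:
        pairs = _KV.findall(clause)
        if not pairs:                                          # e.g. a bare "none"
            continue
        method, result = pairs[0]
        props = {k.lower(): v.strip('"') for k, v in pairs[1:]}
        results[method.lower()] = {"result": result.lower(), "props": props}
    return AuthResults(authserv_id, instance, results)


def _in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def dmarc_verdict(local: AuthResults, arc_ar: Optional[AuthResults],
                  trusted_authserv: set, trusted_sealers: set) -> str:
    """'pass', 'pass-via-arc', the local dmarc result, or 'untrusted-authres'."""
    # 1. Only believe an A-R header written by our own authserv-id; anything
    #    else may have been injected upstream by the sender.
    if local.authserv_id not in trusted_authserv:
        return "untrusted-authres"
    dmarc = local.results.get("dmarc", {}).get("result", "none")
    if dmarc == "pass":
        return "pass"
    # 2. Override only if the chain validated AND every sealer in it is
    #    trusted: an untrusted sealer could have minted a forged AAR.
    arc = local.results.get("arc", {})
    chain = [s for s in arc.get("props", {}).get("arc.chain", "").split(":") if s]
    if arc.get("result") != "pass" or not chain or not all(s in trusted_sealers for s in chain):
        return dmarc
    # 3. The AAR we rely on must have been written by one of those sealers.
    if arc_ar is None or not any(_in_domain(arc_ar.authserv_id, s) for s in chain):
        return dmarc
    if arc_ar.results.get("dmarc", {}).get("result") == "pass":
        return "pass-via-arc"
    return dmarc


def demo() -> Dict[str, str]:
    local, aar = parse_authres(LOCAL_AR), parse_authres(FORWARDER_AAR)
    return {
        "trusted_sealer": dmarc_verdict(local, aar, {"mx.example.net"}, {"forwarder.example"}),
        "unknown_sealer": dmarc_verdict(local, aar, {"mx.example.net"}, set()),
        "foreign_authres": dmarc_verdict(local, aar, {"other.example"}, {"forwarder.example"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Running it prints one verdict per scenario: the trusted sealer yields `pass-via-arc`, an unknown sealer leaves the local `fail` standing, and a header whose authserv-id is not ours is ignored entirely. A `pass-via-arc` only says the authentication chain is coherent; as the thread notes, the message can still be spam, so the verdict belongs in scoring, not in a bypass.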