On 5/10/19 1:52 AM, Pedro David Marco wrote:
> Hi Kurt,
>
>
> On the contrary, most spam I see is valid DKIM signed... tons of
> hacked sites... tons of emails from free trials of big-cheeses...
>
> Nevertheless...
>
> meta NO_DKIM_SIGNED ! DKIM_SIGNED
> score NO_DKIM_SIGNED 2
> describe NO_DKIM_SIGNED Email does not have DKIM signature
>

That alone is too risky to score alone and should be used in a meta rule
like this:

meta SPAM_NOT_DKIM_SIGNED !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
score SPAM_NOT_DKIM_SIGNED 2
describe SPAM_NOT_DKIM_SIGNED Spammy characteristics and not DKIM signed

> Pedro.
>
> ----------------
>
>
> >On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner
> <k...@va1der.ca> wrote:
>
>
> >I've noticed on my mail server that DKIM signing is almost diagnostic of
> >spam. Almost no legitimate sender is without DKIM, and about 90% of my
> >spam is unsigned, so I want to bias non-DKIM-signed heavily towards
> >spam. To that end I was wondering if there are any built-in rules I can
> >activate to score emails that are not DKIM-signed? I'd rather use a
> >built-in rule than roll my own.

I caution against this since non-DKIM signed email has no relation to
spam or ham. How did you come up with the "about 90%" number? Did you
grep logs to get real numbers over a couple of months?

Any compromised account from Office 365 (and there are a lot) is going
to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which
means absolutely nothing when determining ham/spam. All that means is
it was signed by Microsoft mail servers on the way out. If DKIM_VALID
was hit, then it means the spam wasn't modified.

-- 
David Jones
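
Added example, not part of the original thread: one way to get the "real numbers" asked about above is to tally DKIM_SIGNED against the spam/ham verdict in spamd's scan-result log lines. The log layout (`spamd: result: Y|. <score> - <rules> ...`) is assumed, the sample lines are constructed, and the names `tally` and `report` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the shape spamd writes to syslog
# ("result: Y|. <score> - <comma-separated rules> scantime=...").
SAMPLE_LOG = """\
May 10 01:00:01 mx spamd[811]: spamd: result: Y 14 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,URIBL_BLACK scantime=1.2,size=4312
May 10 01:00:07 mx spamd[811]: spamd: result: Y 9 - MISSING_HEADERS,RDNS_DYNAMIC scantime=0.9,size=2210
May 10 01:01:15 mx spamd[811]: spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE scantime=0.7,size=8120
May 10 01:02:44 mx spamd[811]: spamd: result: . 0 - HTML_MESSAGE,SPF_PASS scantime=0.6,size=1933
May 10 01:03:02 mx spamd[811]: spamd: result: Y 11 - FSL_BULK_SIG,RDNS_DYNAMIC scantime=1.0,size=3001
May 10 01:04:30 mx spamd[811]: spamd: result: . -2 - DKIM_SIGNED,DKIM_VALID scantime=0.5,size=1500
"""

# Verdict flag, integer score, then the rule list up to the next space.
RESULT_RE = re.compile(r"spamd: result: ([Y.]) (-?\d+) - (\S*)")

def tally(lines):
    """Count (verdict, signed) pairs; verdict is 'spam' or 'ham', signed is bool."""
    counts = Counter()
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a scan-result line
        verdict = "spam" if m.group(1) == "Y" else "ham"
        rules = set(m.group(3).split(","))  # exact names, so DKIM_VALID != DKIM_SIGNED
        counts[(verdict, "DKIM_SIGNED" in rules)] += 1
    return counts

def report(counts):
    """Turn the 2x2 table into the three ratios that matter for scoring."""
    spam_u, spam_s = counts[("spam", False)], counts[("spam", True)]
    ham_u, ham_s = counts[("ham", False)], counts[("ham", True)]
    ratio = lambda n, d: n / d if d else 0.0
    return {
        # "X% of my spam is unsigned" (the figure quoted in the thread)
        "spam_unsigned_share": ratio(spam_u, spam_u + spam_s),
        # how much legitimate mail a !DKIM_SIGNED rule would also hit
        "ham_unsigned_share": ratio(ham_u, ham_u + ham_s),
        # of all unsigned mail, how much was actually spam
        "unsigned_that_is_spam": ratio(spam_u, spam_u + ham_u),
    }

if __name__ == "__main__":
    for name, value in report(tally(SAMPLE_LOG.splitlines())).items():
        print(f"{name}: {value:.0%}")
```

The verdict in these lines is SpamAssassin's own classification, so the ratios are only as reliable as the existing scoring; a hand-sorted ham/spam corpus gives a cleaner baseline.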