On 5/10/19 1:52 AM, Pedro David Marco wrote:
On the contrary, most spam I see is valid DKIM signed...   tons of
hacked sites... tons of emails from free trials of big-cheeses...

Nevertheless...

meta        NO_DKIM_SIGNED        ! DKIM_SIGNED
score NO_DKIM_SIGNED        2
describe NO_DKIM_SIGNED        Email does not have DKIM signature

On 10.05.19 14:48, David Jones wrote:
That alone is too risky to score alone and should be used in a meta rule
like this:

meta    SPAM_NOT_DKIM_SIGNED    !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
score   SPAM_NOT_DKIM_SIGNED    2
describe SPAM_NOT_DKIM_SIGNED   Spammy characteristics and not DKIM signed

I wanted to comment on OP's mail, but since I don't have DKIM set up, I wasn't
sure it would pass  :-)

 >On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner <k...@va1der.ca> wrote:
 >
 >I've noticed on my mail server that DKIM signing is almost diagnostic of
 >spam.  Almost no legitimate sender is without DKIM, and about 90% of my
 >spam is unsigned, so I want to bias non-DKIM-signed heavily towards
 >spam.  To that end I was wondering if there are any built-in rules I can
 >activate to score emails that are not DKIM-signed? I'd rather use a
 >built-in rule than roll my own.

I caution against this since non-DKIM signed email has no relation to
spam or ham.  How did you come up with the "about 90%" number?  Did you
grep logs to get real numbers over a couple of months?

Any compromised account from Office 365 (and there are a lot) is going
to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which
means absolutely nothing when determining ham/spam.  All that means is
it was signed by Microsoft mail servers on the way out.  If DKIM_VALID
was hit, then it means the spam wasn't modified.

I also doubt if DKIM_VALID is enough. To be sure, the mail should hit
DKIM_VALID_AU to prove it was signed by the sender's mail server...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
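
Added example, not part of the thread: a Python tally that gets the "real numbers" asked for above out of spamd result lines, split by verdict and by DKIM state (unsigned, DKIM_VALID only, DKIM_VALID_AU). The log lines are constructed, and the `spamd: result:` layout is an assumption to check against the local syslog output.

```python
import re
from collections import Counter

# Constructed spamd log lines (not from the thread).
SAMPLE_LOG = """\
May 10 01:00:01 mx spamd[411]: spamd: result: Y 14 - BAYES_99,MISSING_HEADERS,RDNS_DYNAMIC scantime=1.2,size=2101
May 10 01:00:07 mx spamd[411]: spamd: result: Y 9 - BAYES_99,DKIM_SIGNED,DKIM_VALID,FSL_BULK_SIG scantime=0.9,size=8342
May 10 01:02:13 mx spamd[412]: spamd: result: . -2 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU scantime=0.8,size=4120
May 10 01:03:40 mx spamd[412]: spamd: result: . 0 - BAYES_00,RDNS_NONE scantime=0.7,size=990
May 10 01:05:02 mx spamd[411]: spamd: result: Y 11 - BAYES_99,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU scantime=1.0,size=5120
May 10 01:06:00 mx spamd[411]: spamd: connection from localhost [127.0.0.1] at port 51234
"""

# Assumed layout: "spamd: result: <Y|.> <score> - <comma-separated rule names> ..."
RESULT = re.compile(r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<tests>\S*)")


def tally(lines):
    """Count, per verdict, how many messages fall into each DKIM state."""
    stats = {"spam": Counter(), "ham": Counter()}
    for line in lines:
        m = RESULT.search(line)
        if not m:
            continue  # not a result line (connection notices, etc.)
        tests = set(filter(None, m["tests"].split(",")))
        c = stats["spam" if m["verdict"] == "Y" else "ham"]
        c["total"] += 1
        if "DKIM_SIGNED" not in tests:
            c["unsigned"] += 1
        elif "DKIM_VALID_AU" in tests:
            c["valid_author_domain"] += 1   # signed by the From: domain
        elif "DKIM_VALID" in tests:
            c["valid_other_domain"] += 1    # valid, but some other signer
        else:
            c["signed_not_valid"] += 1
    return stats


def rate(counter, key):
    """Share of messages in this verdict class that fall under `key`."""
    return counter[key] / counter["total"] if counter["total"] else 0.0


if __name__ == "__main__":
    for verdict, c in tally(SAMPLE_LOG.splitlines()).items():
        print(verdict, dict(c), f"unsigned={rate(c, 'unsigned'):.0%}")
```

The verdict in these lines already includes whatever DKIM-based scoring is active, so the split is cleaner when run against hand-classified mail or logs from before such a rule was enabled.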
