Correct. The fact that there are some scores that add up to approximately
-0.2 is negligible when compared to a standard threshold of 5.0.

Do you have false positives being caused by these emails? Do you have false
negatives? That's more important to look at than just focusing on one set
of rules.

Regards, KAM

On Mon, Jul 26, 2021, 08:08 Greg Troxel <g...@lexort.com> wrote:

>
> Matus UHLAR - fantomas <uh...@fantomas.sk> writes:
>
> > I noticed that pure existence of DKIM signature can push score under zero:
> >
> > DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
> >
> > ...so the cumulative score is -0.2.
> >
> > I'm aware that we don't have many rules with negative scores, but multiple
> > scores for single valid DKIM signature should not be redundant.
>
> I don't follow the logic in "should not be redundant" especially for
> scores with such low values of -0.1.
>
> You're talking about "below 0", but what matters is "<5", per SA
> doctrine.
>
> As I see it SIGNED and VALID are intended to cancel, causing a signature
> that isn't valid to get a +0.1.  That seems sensible, although given how
> much DKIM is broken by mailing lists that (incorrectly IMHO) modify
> messages, it doesn't seem really useful to make that higher.
>
> And then there's -0.1 for a valid dkim matching From: and another -0.1
> for valid dkim matching the envelope sender, which is often different.
> So -0.2 means that there are two dkim signatures, one for each, and they
> are both valid.  Not a guarantee of ham of course, but -0.2 is a small
> score.
>
> It's a fair question to ask how these shake out with masscheck, but I
> see nothing intrinsically wrong.
>
> > do you people modify scores of these rules?
> > I would turn both off, but  DKIM_VALID is used in some meta rules...
>
> I am someone who tweaks a lot of scores, but basically my tweaking
> reduces scores of +3 or more down a few points because I find they hit
> ham, and scoring up things of 1-2 to higher because they hit my spam and
> I find they don't really hit my ham.  I have never been motivated  to
> adjust these.
>
> For me, the biggest deal with dkim is that I can whitelist_from_dkim for
> senders, and avoid whitelisting forged mail not actually from them.
>
> > BTW, looking at metas in 72_active.cf:
> >
> >  meta XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
> >  meta XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
> >
> > !DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU should be enough
>
> I don't think so.  These are negated.  And, a dkim signature from some
> random domain that is not the From: or envelope-from will cause
> DKIM_VALID.  But I do think !DKIM_VALID will imply !DKIM_VALID_AU.
> Still, I'm 50/50 whether I'm right or I'm about to learn something.
> >
> >  meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST &&
> > !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED &&
> > !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
> >
> >  meta __NOT_SPOOFED  DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED       # yes DKIM, no SPF
> >  meta __NOT_SPOOFED  SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED   # yes DKIM, yes SPF
> >
> > shouldn't these contain DKIM_VALID_AU instead?
>
> perhaps, but the problem is that there is a lot of mail that is From:
> i...@foobank.com and has envelope-from of
> foobank-sen...@bankserviceprovider.com with a dkim from
> bankserviceprovider.com.  This is bogus; people who deal with
> foobank.com should be able to
>   whitelist_from_dkim *@foobank.com
> and treat everything else claiming to be from foobank as spam/phish.
> But the world isn't like that.
>

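Added example, not part of the thread and not SpamAssassin's own code: a small Python model of the four DKIM rules discussed above, using the scores quoted in the thread, that computes the cumulative score and enumerates which (DKIM_VALID, DKIM_VALID_AU) combinations can occur, to test which shortened form of `!DKIM_VALID && !DKIM_VALID_AU` is equivalent. Assumptions: each rule matches on exact equality between the signing domain and the From: or envelope-sender domain, and the domains and function names are constructed for illustration.

```python
from itertools import product

# Scores as quoted in the thread.
SCORES = {"DKIM_SIGNED": 0.1, "DKIM_VALID": -0.1,
          "DKIM_VALID_AU": -0.1, "DKIM_VALID_EF": -0.1}

FROM_DOMAIN = "foobank.example"        # constructed From: domain
ENVELOPE_DOMAIN = "provider.example"   # constructed envelope-sender domain


def dkim_hits(signatures, from_domain=FROM_DOMAIN, envelope_domain=ENVELOPE_DOMAIN):
    """signatures: list of (signing_domain, verifies). Returns the rule names that hit.

    Assumption of this model: a rule matches on exact equality of the signing domain.
    """
    hits = set()
    if signatures:
        hits.add("DKIM_SIGNED")
    valid_domains = {domain for domain, verifies in signatures if verifies}
    if valid_domains:
        hits.add("DKIM_VALID")
    if from_domain in valid_domains:
        hits.add("DKIM_VALID_AU")
    if envelope_domain in valid_domains:
        hits.add("DKIM_VALID_EF")
    return hits


def dkim_score(hits):
    """Cumulative score of the DKIM rules that hit, rounded to two decimals."""
    return round(sum(SCORES[name] for name in hits), 2)


def reachable_states():
    """(DKIM_VALID, DKIM_VALID_AU) pairs over every message with 0-2 signatures."""
    domains = [FROM_DOMAIN, ENVELOPE_DOMAIN, "other.example"]
    one_sig = list(product(domains, [True, False]))
    states = set()
    for count in range(3):
        for sigs in product(one_sig, repeat=count):
            hits = dkim_hits(list(sigs))
            states.add(("DKIM_VALID" in hits, "DKIM_VALID_AU" in hits))
    return states


def states_where_forms_differ(short_form):
    """States in which `!DKIM_VALID && !DKIM_VALID_AU` disagrees with short_form."""
    return {(valid, au) for valid, au in reachable_states()
            if ((not valid) and (not au)) != short_form(valid, au)}
```

In this model the state (DKIM_VALID true, DKIM_VALID_AU false) is reachable through a valid signature from a third-party domain, which is the one state where `!DKIM_VALID_AU` alone would behave differently from the combined expression.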