On 21.09.2014 at 04:08, John Hardin wrote:
> On Sun, 21 Sep 2014, Reindl Harald wrote:
>
>> On 21.09.2014 at 03:29, John Hardin wrote:
>>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>>
>>>> On 20.09.2014 at 23:54, RW wrote:
>>>>> On Sat, 20 Sep 2014 15:48:05 +0200
>>>>> Reindl Harald wrote:
>>>>>
>>>>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>>>> that's too much and gives even a message on systems where
>>>>>> BAYES_99 and BAYES_999 would reach 8.0 a negative score
>>>>>
>>>>> Do you have any evidence for it being too much? It seems about right
>>>>> to me.
>>>>>
>>>>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim
>>>>> locally and report the domain so it can be considered for delisting.
>>>>>
>>>>> The dkim default whitelist contains domains that send a lot of
>>>>> autogenerated and bulk mail, but have a very low probability of sending
>>>>> spam
>>>>
>>>> how can -7.5 be right?
>>>>
>>>> it unconditionally bypasses any bayes regardless of whether it is trained
>>>> with 100, 1000 or 10000 messages ham / spam and that can not
>>>> be the right thing
>>>
>>> That's kinda the *point* to a whitelist.
>>
>> unconditional whitelists are as bad as unconditional blacklists
>
> So you would be okay with the alternative: DKIM-signed legitimate emails from
> a real bank being rejected as spam because your bayes has been trained with
> legitimate-looking phishes and thinks they look phishy?

no - it's always a tradeoff

i just say -7.5 is too high because it also outbeats any other rules - you need a lot of bad things in a message with -7.5 and also on several whitelists to get a message rejected as FP

>>> Would you care to share the spam that you posted the scores for at the
>>> start of this thread? There's not much we can do with just the rules
>>> that hit beside post vague guesses. The critical part is: which domain
>>> is that whitelisted DKIM signature for?
>>
>> no message content available - we don't store anything on the gateway
>> 3 cases with score -5 twice and one time -2
>>
>> message-id=<....@xtinmta4208.xt.local
>> bounce-...@bounce.mail.hotels.com
>
> OK, mail.hotels.com is in the default DKIM whitelist.
>
> I haven't looked through the DKIM whitelist code but I note that
> def_whitelist_from_dkim supports specification of the domain in the
> DKIM signature, and the mail.hotels.com entry does not specify the
> signing domain.
>
> Speculation: I wonder if it's possible that message was a forged hotels.com
> email signed with DKIM from *another domain* and that's why the default
> DKIM whitelist rule triggered.
>
> Can someone with more familiarity with the details of DKIM comment on that
> possibility?

yes, please

all other "def_whitelist_from_dkim" hits look sane in the logs and have -10 to -16 scores because no bayes hit and no other tags - only those 3 messages look questionable