Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/08/14 20:23:16 UTC

Re: Rule for non-DK-signed mail from yahoo

Mark Martinec writes:
> Having received a couple of messages faking to be from yahoo,
> despite FORGED_YAHOO_RCVD and a few other rules firing, the final
> score was not high enough. Since Yahoo! is signing their
> outgoing mail with DomainKeys, I came up with:
> 
>   header   __L_FROM_YAHOO    From:addr =~ /[@.]yahoo\.com$/i
>   meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
>   priority UNVERIFIED_YAHOO  500
>   score    UNVERIFIED_YAHOO  5.0
> 
> which seems to do its job.
> 
> I had to experiment with priority - are there any guidelines for this?
> Is this a way to go? - any obvious improvements?

makes sense to me, although --

(a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
use?

(b) are Y! signing all mail?  I would have assumed some systems are not
yet using DK.

In 3.1.x, you have to set priority manually, unfortunately, to be higher
than both of the subrules.  In 3.2.x, it'll do that automatically for you.

--j.

Re: Rule for non-DK-signed mail from yahoo

Posted by Mark Martinec <Ma...@ijs.si>.
Thanks Justin and Daryl.

> > (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
> > use?
> I'd say yes.  DK signs the message, not the envelope.  I'm pretty sure
> the current milters look for a From: header to decide on what
> selector/etc to use.

Right, DK (as well as DKIM) uses addresses in the header, not envelope.
DK would choose Sender if it exists, otherwise a From, to obtain the
signer domain.  DKIM is more sophisticated (could use Resent-From,...), but
basically, for direct mail the From header field is the most important one.

> (b) are Y! signing all mail?  I would have assumed some systems are not
> yet using DK.

This is a key question here. I'd hope yes, since Yahoo was the leading
proponent in establishing this technology (now aiming for DKIM).

Although their policy record still says 'testing' and 'signs SOME mail':

$ host -t txt _domainkey.yahoo.com
  t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys

I think they are just conservative, trying to avoid some broken recipient's 
mailer from rejecting their genuine mail, or to avoid problems with mailing 
lists invalidating signatures when their user posts there. 

> In 3.1.x, you have to set priority manually, unfortunately, to be higher
> than both of the subrules.  In 3.2.x, it'll do that automatically for you.

Thanks for the info.

> Personally I'd cut the score in half.

Ok, perhaps.

> Slow DNS could cause FPs -- I've seen it happen
> on mail from rogers.com which Y! runs. 

Interesting. Further experience is welcome. The _domainkey.yahoo.com
TXT policy record has TTL set to two hours, and one of their public
keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a
local caching DNS resolver is likely to retrieve the policy from
its cache, or from any one of the 5 registered Yahoo name servers.
As far as I can tell, it is a global Yahoo thing, not something
pertaining to one or another of their servers.

What about gmail.com? They seem to be signing their mail too
(see: host -t txt beta._domainkey.gmail.com) but also avoid full
commitment in their policy (no policy => default policy).
Any experience there?

  Mark
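As an added example (not code from the thread, nor SpamAssassin's own), here is a small Python model of the rule Mark posted and of the policy record he quotes: it extracts From:addr, applies the `[@.]yahoo\.com$` test and the meta logic, parses a `_domainkey` TXT policy record, and uses that policy to decide whether Daryl's halved score should apply. The score weighting is my own assumption, and `email.utils.parseaddr` stands in for SpamAssassin's From:addr extraction.

```python
import re
from email.utils import parseaddr

# __L_FROM_YAHOO from the thread. SpamAssassin applies it to From:addr,
# i.e. the bare address with any display name stripped.
YAHOO_ADDR_RE = re.compile(r"[@.]yahoo\.com$", re.IGNORECASE)

def from_addr(from_header):
    """Approximate SpamAssassin's From:addr extraction with email.utils."""
    return parseaddr(from_header)[1]

def unverified_yahoo(from_header, dk_verified):
    """Meta rule UNVERIFIED_YAHOO: __L_FROM_YAHOO && !DK_VERIFIED."""
    return bool(YAHOO_ADDR_RE.search(from_addr(from_header))) and not dk_verified

def parse_dk_policy(txt):
    """Parse a DomainKeys policy TXT record ("tag=value; ...", RFC 4870).
    The 'host' output quoted in the thread escapes the semicolons, so both
    forms are accepted. A missing record or tag gets the spec default:
    o=~ (domain may sign some mail) and no t= (not in testing mode)."""
    policy = {"o": "~", "t": ""}
    for field in (txt or "").replace("\\;", ";").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            policy[key.strip()] = value.strip()
    return policy

def suggested_score(policy, full_score=5.0):
    """Weight the rule by what the domain actually promises (an assumption
    for this example, following the 'cut the score in half' suggestion):
    only a domain that signs all mail (o=-) and is out of testing (no t=y)
    earns the full score for an unsigned message; otherwise halve it."""
    if policy["o"] == "-" and "y" not in policy["t"]:
        return full_score
    return full_score / 2

if __name__ == "__main__":
    # Constructed sample headers; the policy string is the one quoted in the thread.
    yahoo_policy = parse_dk_policy("t=y\\; o=~\\; n=http://antispam.yahoo.com/domainkeys")
    for hdr, verified in [("Alice <alice@yahoo.com>", False),
                          ("Alice <alice@yahoo.com>", True),
                          ("yahoo.com <x@attacker.example>", False)]:
        fires = unverified_yahoo(hdr, verified)
        print(f"{hdr!r:40} DK_VERIFIED={verified!s:5} -> fires={fires}",
              f"score={suggested_score(yahoo_policy) if fires else 0.0}")
```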


Re: Rule for non-DK-signed mail from yahoo

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 8/14/2006 2:23 PM, Justin Mason wrote:
> Mark Martinec writes:
> 
>>Having received a couple of messages faking to be from yahoo,
>>despite FORGED_YAHOO_RCVD and a few other rules firing, the final
>>score was not high enough. Since Yahoo! is signing their
>>outgoing mail with DomainKeys, I came up with:
>>
>>  header   __L_FROM_YAHOO    From:addr =~ /[@.]yahoo\.com$/i
>>  meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
>>  priority UNVERIFIED_YAHOO  500
>>  score    UNVERIFIED_YAHOO  5.0
>>
>>which seems to do its job.
>>
>>I had to experiment with priority - are there any guidelines for this?
>>Is this a way to go? - any obvious improvements?

Personally I'd cut the score in half.  Slow DNS could cause FPs -- I've 
seen it happen on mail from rogers.com which Y! runs.


> makes sense to me, although --
> 
> (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
> use?

I'd say yes.  DK signs the message, not the envelope.  I'm pretty sure 
the current milters look for a From: header to decide on what 
selector/etc to use.


Daryl