You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2016/04/13 23:36:16 UTC

[Bug 7310] New: suggested rule: DomainKey-Signature with invalid DNS

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7310

            Bug ID: 7310
           Summary: suggested rule: DomainKey-Signature with invalid DNS
           Product: Spamassassin
           Version: 3.4.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
          Assignee: dev@spamassassin.apache.org
          Reporter: matt@domsch.com

The predominance of spam I receive that is not otherwise detected or filtered
has the same pattern - it includes a DomainKey-Signature header (which is
considered obsolete I know, nonetheless it remains present) yet the selector
(s=foo) and domain (d=foo) portion of the header are fictitious.

As an example:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=gamma; d=countingbooks.com;
        h=To:Date:Message-ID:From:Subject:Date:MIME-Version:Content-type;

by DomainKey rules, our filter should look up
gamma._domainkey.countingbooks.com TXT record in DNS to find the public key
corresponding to the signer of this message.  However, this does not exist. 
This is akin to the __DKIM_EXISTS rule testing for the existence of the header,
and the DKIM_ADSP_NXDOMAIN rule that looks up a DKIM ADSP record in DNS, but in
this case we're merely looking up the public key record.

The opendkim milter (http://opendkim.org) has a specific test and configuration
option for how to handle such DNS lookup failures on a DKIM-Signature header,
but does not do likewise for (obsolete) DomainKey-Signature headers.

The perl(Mail::DKIM) module already used by SpamAssassin to handle the
DKIM-Signature header can also handle the DomainKey-Signature header, and the
SpamAssassin Plugin DKIM.pm indicates it will also check the
DomainKey-Signature heder, but does not seem to do so.


I have so far found only a single false positive on this test - that on mail
from the Boy Scouts of America <sc...@scoutstuff.org> where they included
a DomainKey-Signature header with incorrect d= value, yet included a correct
DKIM-Signature header with the correct d=value.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7310] suggested rule: DomainKey-Signature with invalid DNS

Posted by bu...@bugzilla.spamassassin.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7310

Matt Domsch <ma...@domsch.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matt@domsch.com

--- Comment #1 from Matt Domsch <ma...@domsch.com> ---
Created attachment 5384
  --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5384&action=edit
domainkey-signature header spam mbox

Spam corpus, with a single false positive due to a misconfigured mail server at
scoutstuff.org.

-- 
You are receiving this mail because:
You are the assignee for the bug.