Posted to users@spamassassin.apache.org by Shane Williams <sh...@shanew.net> on 2015/04/13 16:10:56 UTC

Scoring and SPF questions

Somewhat related questions:

1. If I alter a rule's score to 0 locally, my understanding is that
the rule won't even be tested for.  Does that also mean it won't count
toward meta-rules?

2. Is there a way to create a local rule that uses the DKIM/SPF
information such that I could match to other headers.  In particular,
I'm looking to either prevent (or at least counteract) the
"HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is
involved.  So what I'm looking for is a way to test SPF/DKIM against
the mailing list origination point rather than the sender's.  Or
perhaps I'm missing some smarter way to deal with these situations.


-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Scoring and SPF questions

Posted by RW <rw...@googlemail.com>.
On Mon, 13 Apr 2015 09:10:56 -0500 (CDT)
Shane Williams wrote:

> Somewhat related questions:
> 
> 1. If I alter a rule's score to 0 locally, my understanding is that
> the rule won't even be tested for.  Does that also mean it won't count
> toward meta-rules?

AFAIK

> 2. Is there a way to create a local rule that uses the DKIM/SPF
> information such that I could match to other headers.  In particular,
> I'm looking to either prevent (or at least counteract) the
> "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is
> involved. 

I wouldn't worry, this rule currently scores 0.001, and I doubt it's
ever going to have a significant score as it stands. For me it hits
more ham than spam.


It's actually pretty easy to fix it so it doesn't FP on SRS, mailing
lists etc, by looking for the from domain anywhere in the envelope
address rather than matching on the end of the envelope domain. For me
this would remove most of the FPs without significantly affecting the
detection of genuinely mismatched domains. However it would still hit a
larger percentage of my ham than spam.




Re: Scoring and SPF questions

Posted by John Hardin <jh...@impsec.org>.
On Mon, 13 Apr 2015, shanew@shanew.net wrote:

> On Mon, 13 Apr 2015, John Hardin wrote:
>
>>  On Mon, 13 Apr 2015, Shane Williams wrote:
>> 
>> >   Somewhat related questions:
>> > 
>> >   1. If I alter a rule's score to 0 locally, my understanding is that
>> >   the rule won't even be tested for.  Does that also mean it won't count
>> >   toward meta-rules?
>>
>>  That depends on how it's used in the meta rule. If it's used as an
>>  exclusion, setting it to always false won't suppress the meta.
>>
>>  Also: setting the score of a meta to zero won't suppress evaluation of its
>>  component rules.
>
> The specific case I'm wondering about is as part of an arithmetic
> expression, like (__RULE1__ + __RULE2__ + __RULE3__) > 2.
> If I set __RULE2__ to a score of 0, is it now impossible for the meta
> rule to trigger (since it can never get more than two "points")?

Strictly speaking, no, because __RULE1__ and __RULE3__ *may* be "tflags 
multiple" rules whose individual contributions (hit count) may be > 1.

However, in the simpler case where they are not "tflags multiple" rules, 
that is correct.

>> >   2. Is there a way to create a local rule that uses the DKIM/SPF
>> >   information such that I could match to other headers.  In particular,
>> >   I'm looking to either prevent (or at least counteract) the
>> >   "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is
>> >   involved.  So what I'm looking for is a way to test SPF/DKIM against
>> >   the mailing list origination point rather than the sender's.  Or
>> >   perhaps I'm missing some smarter way to deal with these situations.
>>
>>  Simple subrules combined in a meta having a negative score. There are
>>  already subrules for detecting mailing list headers and for detecting an
>>  invalid DKIM signature. Write a meta that combines those, and give it
>>  enough negative points to offset the positive score.
>>
>>  Note, however, that mailing list headers are easy for spammers to forge.
>
> What I was getting at (but perhaps not describing well) was finding a
> way to compare the mailing list domain with DKIM or SPF in order to
> ensure that the mailing list at least arrives from the source we would
> expect.  It doesn't exactly detect mailing list header forgery, but
> could take away a few points for the ones that can be verified.  That
> said, there may be some reason this totally won't work, so feel free to
> tell me so.

Ah, ok. That I missed, or stopped reading too soon. :)

Comparing the domain in two different headers would involve a Header ALL 
rule similar to TO_EQ_FM and the like. Those rules might give you a 
starting point.

It might be interesting to verify the domain in a list-id header against 
some other domain in the headers... (envelope from, perhaps?)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...intellectuals have no interest in what _creates_ wealth, and
   what _inhibits_ the creation of wealth. They are very concerned
   about the _distribution_ of it, but they act as if wealth just
   exists somehow. It's like manna from heaven, it's only a
   question of how we split it up.                    -- Thomas Sowell
-----------------------------------------------------------------------
  Today: Thomas Jefferson's 272nd Birthday
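An added Python example (not SpamAssassin rule code, and not from either poster) of the two header-domain comparisons discussed in this thread: RW's point that HEADER_FROM_DIFFERENT_DOMAINS stops false-positiving on SRS and mailing-list envelopes if the From domain is looked for anywhere in the envelope address instead of only at the end of the envelope domain, and John's suggestion of verifying the List-Id domain against the envelope-from domain (here also against a passing DKIM d= domain). The message headers and domains are constructed samples; the Authentication-Results parsing is a simplified regex, the "anywhere" match is bounded so that a domain cannot match inside a longer label, and accepting the List-Id identifier when it equals or is a subdomain of the trusted domain is my assumption about what "verify" should mean here.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample headers (not real mail); every domain below is illustrative.
LIST_MSG = """\
Return-Path: <users-bounces+alice=example.org@lists.example.net>
Authentication-Results: mx.example.com; dkim=pass header.d=lists.example.net
From: Alice <alice@example.org>
To: users@lists.example.net
List-Id: Users list <users.lists.example.net>
Subject: constructed sample 1 (genuine list traffic)

"""

SRS_MSG = """\
Return-Path: <SRS0=abcd=XY=example.org=alice@forwarder.example.com>
From: Alice <alice@example.org>
To: bob@example.com
Subject: constructed sample 2 (SRS-rewritten forward)

"""

FORGED_LIST_MSG = """\
Return-Path: <bulk@mailer.example.biz>
Authentication-Results: mx.example.com; dkim=none
From: "Your Bank" <alerts@bank.example>
To: bob@example.com
List-Id: Users list <users.lists.example.net>
Subject: constructed sample 3 (List-Id added by the sender, not the list)

"""


def parse_headers(raw):
    return HeaderParser().parsestr(raw)


def domain_of(address):
    """Domain part of an addr-spec, lowercased ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def from_domain(msg):
    return domain_of(parseaddr(msg.get("From", ""))[1])


def envelope_address(msg):
    """Envelope sender as recorded by the MTA in Return-Path."""
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def dkim_pass_domain(msg):
    """d= domain of a passing DKIM result in Authentication-Results (simplified parse)."""
    m = re.search(r"dkim=pass\b.*?\bheader\.d=([\w.-]+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else ""


def list_id_identifier(msg):
    """The <...> identifier from List-Id, e.g. users.lists.example.net."""
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return m.group(1).strip().lower() if m else ""


def from_domain_differs(msg, anywhere=False):
    """Model of HEADER_FROM_DIFFERENT_DOMAINS.

    anywhere=False: the envelope domain must equal, or end with, the From domain
    (the suffix match RW describes as FP-prone).
    anywhere=True: the From domain may appear anywhere in the envelope address,
    so SRS rewrites and VERP list bounces no longer count as a mismatch.
    Returns True when the domains are judged different (the rule would hit).
    """
    fdom, env = from_domain(msg), envelope_address(msg)
    if not fdom or not env:
        return False
    if not anywhere:
        edom = domain_of(env)
        return not (edom == fdom or edom.endswith("." + fdom))
    # Bounded so 'ample.org' does not match 'example.org'; '=' '@' '.' are allowed delimiters.
    return re.search(r"(?<![\w-])" + re.escape(fdom) + r"(?![\w-])", env) is None


def list_id_verified(msg):
    """True if the List-Id identifier is (a subdomain of) the envelope-from domain
    or of a domain with a passing DKIM signature, i.e. the list traffic arrived
    from the source the List-Id claims."""
    lid = list_id_identifier(msg)
    if not lid:
        return False
    trusted = {d for d in (domain_of(envelope_address(msg)), dkim_pass_domain(msg)) if d}
    return any(lid == d or lid.endswith("." + d) for d in trusted)


if __name__ == "__main__":
    for name, raw in (("list", LIST_MSG), ("srs", SRS_MSG), ("forged", FORGED_LIST_MSG)):
        msg = parse_headers(raw)
        print(name, "suffix-mismatch:", from_domain_differs(msg),
              "anywhere-mismatch:", from_domain_differs(msg, anywhere=True),
              "list-id-verified:", list_id_verified(msg))
```

With these samples the suffix match flags all three messages, the "anywhere" match flags only the forged one, and only the genuine list message passes the List-Id check, which is the negative-scoring meta component Shane was after. A forged List-Id on mail that does not come from the list's own domain simply fails the check, so the offset is never granted.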

Re: Scoring and SPF questions

Posted by sh...@shanew.net.
On Mon, 13 Apr 2015, John Hardin wrote:

> On Mon, 13 Apr 2015, Shane Williams wrote:
>
>>  Somewhat related questions:
>>
>>  1. If I alter a rule's score to 0 locally, my understanding is that
>>  the rule won't even be tested for.  Does that also mean it won't count
>>  toward meta-rules?
>
> That depends on how it's used in the meta rule. If it's used as an exclusion, 
> setting it to always false won't suppress the meta.
>
> Also: setting the score of a meta to zero won't suppress evaluation of its 
> component rules.

The specific case I'm wondering about is as part of an arithmetic
expression, like (__RULE1__ + __RULE2__ + __RULE3__) > 2.
If I set __RULE2__ to a score of 0, is it now impossible for the meta
rule to trigger (since it can never get more than two "points")?


>>  2. Is there a way to create a local rule that uses the DKIM/SPF
>>  information such that I could match to other headers.  In particular,
>>  I'm looking to either prevent (or at least counteract) the
>>  "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is
>>  involved.  So what I'm looking for is a way to test SPF/DKIM against
>>  the mailing list origination point rather than the sender's.  Or
>>  perhaps I'm missing some smarter way to deal with these situations.
>
> Simple subrules combined in a meta having a negative score. There are already 
> subrules for detecting mailing list headers and for detecting an invalid DKIM 
> signature. Write a meta that combines those, and give it enough negative 
> points to offset the positive score.
>
> Note, however, that mailing list headers are easy for spammers to forge.

What I was getting at (but perhaps not describing well) was finding a
way to compare the mailing list domain with DKIM or SPF in order to
ensure that the mailing list at least arrives from the source we would
expect.  It doesn't exactly detect mailing list header forgery, but
could take away a few points for the ones that can be verified.  That
said, there may be some reason this totally won't work, so feel free to
tell me so.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Scoring and SPF questions

Posted by John Hardin <jh...@impsec.org>.
On Mon, 13 Apr 2015, Shane Williams wrote:

> Somewhat related questions:
>
> 1. If I alter a rule's score to 0 locally, my understanding is that
> the rule won't even be tested for.  Does that also mean it won't count
> toward meta-rules?

That depends on how it's used in the meta rule. If it's used as an 
exclusion, setting it to always false won't suppress the meta.

Also: setting the score of a meta to zero won't suppress evaluation of its 
component rules.

> 2. Is there a way to create a local rule that uses the DKIM/SPF
> information such that I could match to other headers.  In particular,
> I'm looking to either prevent (or at least counteract) the
> "HEADER_FROM_DIFFERENT_DOMAINS" rule when a mailing list is
> involved.  So what I'm looking for is a way to test SPF/DKIM against
> the mailing list origination point rather than the sender's.  Or
> perhaps I'm missing some smarter way to deal with these situations.

Simple subrules combined in a meta having a negative score. There are 
already subrules for detecting mailing list headers and for detecting an 
invalid DKIM signature. Write a meta that combines those, and give it 
enough negative points to offset the positive score.

Note, however, that mailing list headers are easy for spammers to forge.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   I'm seriously considering getting one of those bright-orange prison
   overalls and stencilling PASSENGER on the back. Along with the paper
   slippers, I ought to be able to walk right through security.
                                              -- Brian Kantor in a.s.r
-----------------------------------------------------------------------
  Today: Thomas Jefferson's 272nd Birthday
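A worked model of the two meta-rule cases raised in this thread, as an added Python example that is not SpamAssassin code and not from either poster: John's point above that a component used as an exclusion does not suppress the meta when it is set to always false, and the arithmetic case (__RULE1__ + __RULE2__ + __RULE3__) > 2 where, as John notes later in the thread, a "tflags multiple" component can contribute more than one hit. The evaluator accepts SpamAssassin-style meta syntax (+, comparisons, &&, ||, !, parentheses) over a map of rule name to hit count, and treats a component disabled with score 0 as a rule that never hits, which is the premise of the question; the rule names and hit counts are constructed.

```python
import ast
import operator
import re

# Operators allowed in a meta expression; anything else is rejected rather than eval'd.
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq}


def _ev(node, hits):
    """Walk a parsed meta expression; rule names resolve to their hit counts."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, hits)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        # A rule that did not fire, or one disabled with score 0, counts as 0 hits.
        return hits.get(node.id, 0)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
        return _BIN[type(node.op)](_ev(node.left, hits), _ev(node.right, hits))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        return int(_CMP[type(node.ops[0])](_ev(node.left, hits), _ev(node.comparators[0], hits)))
    if isinstance(node, ast.BoolOp):
        vals = [_ev(v, hits) for v in node.values]
        return int(all(vals)) if isinstance(node.op, ast.And) else int(any(vals))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return int(not _ev(node.operand, hits))
    raise ValueError("unsupported meta syntax: " + ast.dump(node))


def evaluate_meta(expr, hits):
    """Evaluate a SpamAssassin-style meta expression against per-rule hit counts.

    hits maps rule name -> number of hits; a value above 1 is only possible for a
    'tflags multiple' rule. Returns True when the meta would fire.
    """
    src = expr.replace("&&", " and ").replace("||", " or ")
    src = re.sub(r"!(?!=)", " not ", src)
    return bool(_ev(ast.parse(src, mode="eval"), hits))


# The arithmetic meta from the thread and a constructed exclusion-style meta.
ARITH_META = "(__RULE1__ + __RULE2__ + __RULE3__) > 2"
EXCLUSION_META = "__SUSPECT__ && !__ALLOWLISTED__"


def arith_with_rule2_disabled(rule1_hits):
    """__RULE2__ disabled (never hits), __RULE3__ hit once. With plain rules
    (rule1_hits == 1) the sum cannot exceed 2; with __RULE1__ as a 'tflags
    multiple' rule hitting twice the meta still fires."""
    return evaluate_meta(ARITH_META, {"__RULE1__": rule1_hits, "__RULE2__": 0, "__RULE3__": 1})


def exclusion_with_component_disabled(suspect_hits):
    """Disabling the excluded component (__ALLOWLISTED__ never hits) does not
    suppress the meta; it removes the only thing that could have suppressed it."""
    return evaluate_meta(EXCLUSION_META, {"__SUSPECT__": suspect_hits, "__ALLOWLISTED__": 0})


if __name__ == "__main__":
    print("arith, plain rules:      ", arith_with_rule2_disabled(1))
    print("arith, RULE1 hit twice:  ", arith_with_rule2_disabled(2))
    print("exclusion, excl disabled:", exclusion_with_component_disabled(1))
    print("exclusion, excl hit:     ",
          evaluate_meta(EXCLUSION_META, {"__SUSPECT__": 1, "__ALLOWLISTED__": 1}))
```

The exclusion case is the one to check before zeroing a local score: a component that sits behind a ! in someone else's meta becomes permanently false, which makes that meta easier to hit, not harder.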