Posted to users@spamassassin.apache.org by Alexis Manning <al...@googlemail.com> on 2007/02/11 22:19:03 UTC

DKIM / DomainKeys

I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the 
default scores for their tests are negligible, presumably because 
they're still a bit experimental.

Is anyone using these and can suggest appropriate scores for these 
plugins, or are these really just too unripe for serious use at the 
moment?

Cheers,

-- A.

Re: DKIM / DomainKeys

Posted by Alexis Manning <al...@googlemail.com>.
Mark.Martinec+sa@ijs.si says...
> [...] some mailing lists also corrupt signatures,
> and some people use gmail/yahoo sending address even when posting
> through some other ISP. Before this practice is rooted out,
> one should probably not score invalid signature from these
> two domains too harshly.

Thanks Mark.  I have to admit that this hadn't occurred to me, even 
though I am one of those people myself!


> Regarding scoring of a mere presence of a valid signature, this is
> not a good indication of spam/ham. Some types of spam carry a valid
> signature from throw-away (kitted) domains

Also something I hadn't really considered.

Thanks again for your scoring information.  I need to go and have a 
think about how I should use DKIM; not sure how much of a pain it'll be 
to keep the DKIM whitelist up to date, and, as you say, that's really 
where the benefit comes from.

Cheers,

-- A.

Re: DKIM / DomainKeys

Posted by Mark Martinec <Ma...@ijs.si>.
Alexis,

> I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the
> default scores for their tests are negligible, presumably because
> they're still a bit experimental.
>
> Is anyone using these and can suggest appropriate scores for these
> plugins, or are these really just too unripe for serious use at the
> moment?

One thing worth noting first: the current version 0.22 of Mail::DKIM
handles both the DKIM as well as older DomainKeys signatures,
and is better maintained and more optimal than Mail::DomainKeys.
This means that one can now safely disable the SA plugin for
DomainKeys and just keep the DKIM plugin, it will cover for both.

Next, the most important role for DKIM/DK is to be able to safely
whitelist sender domains, or to penalize somewhat the mail claiming
to be coming from domains that are known to be signing all mail
(like yahoo and gmail.com), but do not bear a valid signature.
I say 'somewhat' because some mailing lists also corrupt signatures,
and some people use gmail/yahoo sending address even when posting
through some other ISP. Before this practice is rooted out,
one should probably not score invalid signature from these
two domains too harshly.

Regarding scoring of a mere presence of a valid signature, this is
not a good indication of spam/ham. Some types of spam carry a valid
signature from throw-away (kitted) domains, so although a little
bit of favourizing a valid signature is a good thing (providing
incentive for more people to start signing their mail), the bonus
points should not be too high (without also being associated with
known to be nonspamming domains, i.e. whitelist_from_dkim).

Here are some DKIM-related rules that I use.
Don't use these blindly without understanding the topic.

# slightly favourize a mere presence of a valid signature
score DKIM_VERIFIED -1.5
score DKIM_POLICY_TESTING 0

# whitelist some known-to-be-honest domains
score USER_IN_DKIM_WHITELIST -12
whitelist_from_dkim  *@intl.paypal.com  paypal.com

# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1       Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2       exists:List-Id
header __L_ML3       exists:List-Post
header __L_ML4       exists:Mailing-List
header __L_HAS_SNDR  exists:Sender
meta   __L_VIA_ML    __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1   From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2   From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3   From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4   From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta     L_UNVERIFIED_YAHOO  !DKIM_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5
meta     L_UNVERIFIED_GMAIL  !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5


  Mark
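
An added example, not part of the original thread and not SpamAssassin's own code: the meta rules from the message above, re-implemented in Python so their behaviour can be checked against sample messages. The function names and the sample messages are constructed for illustration; the `dkim_verified` flag stands in for the DKIM plugin's result, and the whitelist_from_dkim rule is not modelled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Regexes copied from the __L_FROM_* rules in the post (applied to From:addr).
YAHOO = [re.compile(p, re.I) for p in (
    r"[@.]yahoo\.com$",
    r"@yahoo\.com\.(ar|br|cn|hk|my|sg)$",
    r"@yahoo\.co\.(id|in|jp|nz|uk)$",
    r"@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$",
)]
GMAIL = re.compile(r"@gmail\.com$", re.I)
PRECEDENCE = re.compile(r"\b(list|bulk)\b", re.I)
# __L_ML2..__L_ML4 plus __L_HAS_SNDR: mere existence of the header counts.
LIST_HEADERS = ("List-Id", "List-Post", "Mailing-List", "Sender")

def via_mailing_list(msg):
    """__L_VIA_ML: Precedence list/bulk, or any list-style header present."""
    if PRECEDENCE.search(msg.get("Precedence", "")):
        return True
    return any(h in msg for h in LIST_HEADERS)

def dkim_score(raw, dkim_verified):
    """Return (score, rules hit) for the DKIM-related rules only."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    hits = []
    if dkim_verified:
        hits.append(("DKIM_VERIFIED", -1.5))
    elif not via_mailing_list(msg):
        if any(rx.search(addr) for rx in YAHOO):
            hits.append(("L_UNVERIFIED_YAHOO", 2.5))
        if GMAIL.search(addr):
            hits.append(("L_UNVERIFIED_GMAIL", 2.5))
    return sum(s for _, s in hits), [n for n, _ in hits]

# Constructed sample messages (not real mail).
DIRECT = "From: Bob <bob@gmail.com>\nSubject: hi\n\nbody\n"
LISTED = "From: Bob <bob@gmail.com>\nList-Id: <users.example.org>\n\nbody\n"
YAHOO_UK = "From: amy@yahoo.co.uk\nPrecedence: normal\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("listed", LISTED), ("yahoo_uk", YAHOO_UK)):
        print(name, dkim_score(raw, False), dkim_score(raw, True))
```

Because `Sender` counts as a list indicator, any unsigned message that carries a `Sender` header skips the penalty, which is worth keeping in mind when reviewing what the exemption lets through.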

Re: DKIM / DomainKeys

Posted by Terry Soucy <ts...@unb.ca>.
Heya,

We leave the score at 0.00 and use it in a test for Yahoo, since there
are a lot of valid Yahoo messages getting tagged because of the RFC
Ignorant rules.  We check for it coming from a Yahoo server, and then
test for DK_VERIFIED.  If both are correct, then we apply a -3.00 to the
score to compensate for the RFC rules that will more than likely fire off.



Terry

Terry Soucy, Systems Analyst              Integrated Technology Services
University of New Brunswick, Fredericton Campus   http://www.unbf.ca/its
Voice: 506.447.3018        Fax: 506.453.3590       E-mail: tsoucy@unb.ca
**    ITS is a scent-reduced workplace -  www.unbf.ca/its/policies    **


Alexis Manning wrote:
> michele@blacknight.ie says...
>> Alexis Manning wrote:
> [DK/DKIM plugins]
>>> Is anyone using these and can suggest appropriate scores for these 
>>> plugins, or are these really just too unripe for serious use at the 
>>> moment?
>> Why don't you keep an eye on the activity for those scores and then decide?
> 
> Because I'm just an impatient kind of chap and thought I could short-
> circuit that by stealing other people's work :)
> 
> But fairy snuff, I'll wait observantly and see what tweaking seems 
> appropriate.
> 
> -- A.

Re: DKIM / DomainKeys

Posted by Alexis Manning <al...@googlemail.com>.
michele@blacknight.ie says...
> Alexis Manning wrote:
[DK/DKIM plugins]
> > Is anyone using these and can suggest appropriate scores for these 
> > plugins, or are these really just too unripe for serious use at the 
> > moment?
>
> Why don't you keep an eye on the activity for those scores and then decide?

Because I'm just an impatient kind of chap and thought I could short-
circuit that by stealing other people's work :)

But fairy snuff, I'll wait observantly and see what tweaking seems 
appropriate.

-- A.

Re: DKIM / DomainKeys

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
Alexis Manning wrote:
> I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the 
> default scores for their tests are negligible, presumably because 
> they're still a bit experimental.
> 
> Is anyone using these and can suggest appropriate scores for these 
> plugins, or are these really just too unripe for serious use at the 
> moment?
> 
> Cheers,
> 
> -- A.
Why don't you keep an eye on the activity for those scores and then decide?

-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239