Posted to users@spamassassin.apache.org by Robert Fitzpatrick <ro...@webtent.org> on 2018/11/27 01:13:12 UTC

Custom DMARC_FAIL rule

I have the following custom rules working pretty well in testing, but 
ran into this message with two "Authentication-Results" headers:

> Authentication-Results: mx3.webtent.org; dmarc=none (p=none dis=none)
> header.from=email.monoprice.com
> Authentication-Results: mx3.webtent.org;
> 	dkim=fail reason="signature verification failed" (2048-bit key;
> unprotected) header.d=email.monoprice.com
> header.i=@email.monoprice.com header.b=JvTxQQIc

This triggers DMARC_FAIL in my custom rules below, but all I want to 
pick up on is 'header.from' failures. What do I need to change the 
regular expression to also pick up on header.from in the header? Would I 
just add '.*header.from' after =fail?

> # DMARC rules
> header __DMARC_FAIL Authentication-Results =~ /webtent.org; (dmarc|dkim)=fail /
> meta   DMARC_FAIL   (__DMARC_FAIL && !__DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST)
> describe DMARC_FAIL DMARC or DKIM authentication failed
> score DMARC_FAIL 3.7
> 
> meta     WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)
> describe WT_FORGED_SENDER To score high when DMARC fails w/o valid DKIM
> score    WT_FORGED_SENDER 8.0
> 
> header __DMARC_PASS Authentication-Results =~ /webtent.org; (dmarc|dkim)=pass /
> meta   DMARC_PASS  (__DMARC_PASS && !DMARC_FAIL)
> describe DMARC_PASS DMARC or DKIM authentication valid
> tflags DMARC_PASS nice
> score DMARC_PASS -1.1
> 
> meta   DMARC_NONE   (!DMARC_PASS && !DMARC_FAIL)
> describe DMARC_NONE No DMARC or DKIM authentication
> score DMARC_NONE 0.001

Any suggestions for setting up DMARC custom rules appreciated.

-- 
Robert


Re: Custom DMARC_FAIL rule

Posted by David Jones <dj...@ena.com>.
On 11/27/18 7:46 AM, RW wrote:
> On Mon, 26 Nov 2018 20:13:12 -0500
> Robert Fitzpatrick wrote:
> 
>> I have the following custom rules working pretty well in testing, but
>> ran into this message with two "Authentication-Results" headers:
>>
>>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
>>> dis=none) header.from=email.monoprice.com
>>> Authentication-Results: mx3.webtent.org;
>>> 	dkim=fail reason="signature verification failed" (2048-bit
>>> key; unprotected) header.d=email.monoprice.com
>>> header.i=@email.monoprice.com header.b=JvTxQQIc
>>
>> This triggers DMARC_FAIL in my custom rules below, but all I want to
>> pick up on is 'header.from' failures. What do I need to change the
>> regular expression to also pick up on header.from in the header?
>> Would I just add '.*header.from' after =fail?
>>
>>> # DMARC rules
>>> header __DMARC_FAIL Authentication-Results =~ /webtent.org;
>>> (dmarc|dkim)=fail /
> 
> 
> dkim=fail doesn't imply the email failed DMARC. Just look for
> dmarc=fail. Using header.from is just a roundabout way of eliminating
> the unnecessary dkim=fail matches.
> 
> 

Correct.  For DMARC to pass _either_ SPF_PASS and aligns with the 
envelope-from domain _OR_ DKIM_VALID_AU which is a pass and alignment 
with the From: header domain.  If both pass and align then that is even 
better.

Keep it simple.  (Adjust the "smtp.ena.net" for your own OpenDMARC 
AuthservID value.)


header		DMARC_PASS	Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/
describe	DMARC_PASS	DMARC check passed
score		DMARC_PASS	-0.01

header		DMARC_FAIL	Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/
describe	DMARC_FAIL	DMARC check failed
score		DMARC_FAIL	0.01

header		DMARC_NONE	Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe	DMARC_NONE	DMARC check neutral
score		DMARC_NONE	0.01

header		__DMARC_FAIL_REJECT	Authentication-Results =~ /smtp\.ena\.net; dmarc=fail \(p=reject/
meta		DMARC_FAIL_REJECT	__DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST
describe	DMARC_FAIL_REJECT	DMARC check failed and the sending domains says to reject this message
score		DMARC_FAIL_REJECT	8.2


Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude 
certain senders or mailing lists from DMARC checks.

-- 
David Jones

Re: Custom DMARC_FAIL rule

Posted by RW <rw...@googlemail.com>.
On Mon, 26 Nov 2018 20:13:12 -0500
Robert Fitzpatrick wrote:

> I have the following custom rules working pretty well in testing, but 
> ran into this message with two "Authentication-Results" headers:
> 
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > 	dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc  
> 
> This triggers DMARC_FAIL in my custom rules below, but all I want to 
> pick up on is 'header.from' failures. What do I need to change the 
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.from' after =fail?
> 
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail / 


dkim=fail doesn't imply the email failed DMARC. Just look for
dmarc=fail. Using header.from is just a roundabout way of eliminating
the unnecessary dkim=fail matches.



> > meta     WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)


Valid DKIM doesn't imply an email is not forged, the signature could be
unrelated to the author. If you want a sanity check you can use
DKIM_VALID_AU.




> > header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass / 

Again remove the dkim pass.
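
Added example (not part of the original thread and not SpamAssassin code): a small Python check that runs the pattern from the first post and the dmarc-only patterns from the replies over the two Authentication-Results headers quoted above. It assumes webtent.org as the AuthservID, that folded headers are unfolded, and that repeated headers of the same name are joined with newlines before matching; the dmarc=fail header is constructed.

```python
import re

# Header values taken from the first post (the second keeps its fold after
# the semicolon); the third value is constructed for contrast.
HDR_DMARC_NONE = ("mx3.webtent.org; dmarc=none (p=none dis=none) "
                  "header.from=email.monoprice.com")
HDR_DKIM_FAIL = ('mx3.webtent.org;\n\tdkim=fail reason="signature verification '
                 'failed" (2048-bit key; unprotected) '
                 "header.d=email.monoprice.com "
                 "header.i=@email.monoprice.com header.b=JvTxQQIc")
HDR_DMARC_REJECT = ("mx3.webtent.org; dmarc=fail (p=reject dis=none) "
                    "header.from=example.com")  # constructed sample

RULES = {
    # Pattern from the first post: dkim=fail alone is enough to fire it.
    "ORIG_DMARC_FAIL": r"webtent.org; (dmarc|dkim)=fail ",
    # dmarc-only patterns in the style of the replies, dots escaped so that
    # "." matches only a literal dot in the AuthservID.
    "DMARC_FAIL": r"webtent\.org; dmarc=fail",
    "DMARC_NONE": r"webtent\.org; dmarc=none",
    "DMARC_FAIL_REJECT": r"webtent\.org; dmarc=fail \(p=reject",
}


def unfold(value):
    """Collapse RFC 5322 folding (newline plus leading whitespace) to a space."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def evaluate(headers):
    """Return the set of rule names whose pattern matches the header set.

    Assumption: all Authentication-Results values are joined with newlines
    and matched as one string, so a rule fires if any one header matches.
    """
    joined = "\n".join(unfold(h) for h in headers)
    return {name for name, pat in RULES.items() if re.search(pat, joined)}


if __name__ == "__main__":
    # The message from the first post: DMARC result is "none", DKIM failed.
    print(sorted(evaluate([HDR_DMARC_NONE, HDR_DKIM_FAIL])))
    # A constructed message whose DMARC check failed with p=reject.
    print(sorted(evaluate([HDR_DMARC_REJECT])))
```

For the message in the first post, only the original pattern and DMARC_NONE fire; the dmarc-only DMARC_FAIL stays quiet because the failure recorded there is DKIM, not DMARC.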