You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Robert Fitzpatrick <ro...@webtent.org> on 2018/11/27 01:13:12 UTC
Custom DMARC_FAIL rule
I have the following custom rules working pretty well in testing, but
ran into this message with two "Authentication-Results" headers:
> Authentication-Results: mx3.webtent.org; dmarc=none (p=none dis=none)
> header.from=email.monoprice.com
> Authentication-Results: mx3.webtent.org;
> dkim=fail reason="signature verification failed" (2048-bit key;
> unprotected) header.d=email.monoprice.com
> header.i=@email.monoprice.com header.b=JvTxQQIc
This triggers DMARC_FAIL in my custom rules below, but all I want to
pick up on is 'header.from' failures. What do I need to change the
regular expression to also pick up on header.from in the header? Would I
just add '.*header.form' after =fail?
> # DMARC rules
> header __DMARC_FAIL Authentication-Results =~ /webtent.org; (dmarc|dkim)=fail /
> meta DMARC_FAIL (__DMARC_FAIL && !__DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST)
> describe DMARC_FAIL DMARC or DKIM authentication failed
> score DMARC_FAIL 3.7
>
> meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)
> describe WT_FORGED_SENDER To score high when DMARC fails w/o valid DKIM
> score WT_FORGED_SENDER 8.0
>
> header __DMARC_PASS Authentication-Results =~ /webtent.org; (dmarc|dkim)=pass /
> meta DMARC_PASS (__DMARC_PASS && !DMARC_FAIL)
> describe DMARC_PASS DMARC or DKIM authentication valid
> tflags DMARC_PASS nice
> score DMARC_PASS -1.1
>
> meta DMARC_NONE (!DMARC_PASS && !DMARC_FAIL)
> describe DMARC_NONE No DMARC or DKIM authentication
> score DMARC_NONE 0.001
Any suggestions for setting up DMARC custom rules appreciated.
--
Robert
Re: Custom DMARC_FAIL rule
Posted by David Jones <dj...@ena.com>.
On 11/27/18 7:46 AM, RW wrote:
> On Mon, 26 Nov 2018 20:13:12 -0500
> Robert Fitzpatrick wrote:
>
>> I have the following custom rules working pretty well in testing, but
>> ran into this message with two "Authentication-Results" headers:
>>
>>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
>>> dis=none) header.from=email.monoprice.com
>>> Authentication-Results: mx3.webtent.org;
>>> dkim=fail reason="signature verification failed" (2048-bit
>>> key; unprotected) header.d=email.monoprice.com
>>> header.i=@email.monoprice.com header.b=JvTxQQIc
>>
>> This triggers DMARC_FAIL in my custom rules below, but all I want to
>> pick up on is 'header.from' failures. What do I need to change the
>> regular expression to also pick up on header.from in the header?
>> Would I just add '.*header.form' after =fail?
>>
>>> # DMARC rules
>>> header __DMARC_FAIL Authentication-Results =~ /webtent.org;
>>> (dmarc|dkim)=fail /
>
>
> dkim=fail doesn't imply the email failed DMARC. Just look for
> dmarc=fail. Using header.from is just a roundabout way of eliminating
> the unneccessary dkim=fail matches.
>
>
Correct. For DMARC to pass _either_ SPF_PASS and aligns with the
envelope-from domain _OR_ DKIM_VALID_AU which is a pass and alignment
with the From: header domain. If both pass and align then that is even
better.
Keep it simple. (Adjust the "smtp.ena.net" for your own OpenDMARC
AuthservID value.)
header DMARC_PASS Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.01
header DMARC_FAIL Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/
describe DMARC_FAIL DMARC check failed
score DMARC_FAIL 0.01
header DMARC_NONE Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe DMARC_NONE DMARC check neutral
score DMARC_NONE 0.01
header __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.ena\.net;
dmarc=fail \(p=reject/
meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST
describe DMARC_FAIL_REJECT DMARC check failed and the sending domains
says to reject this message
score DMARC_FAIL_REJECT 8.2
Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude
certain senders or mailing lists from DMARC checks.
--
David Jones
Re: Custom DMARC_FAIL rule
Posted by RW <rw...@googlemail.com>.
On Mon, 26 Nov 2018 20:13:12 -0500
Robert Fitzpatrick wrote:
> I have the following custom rules working pretty well in testing, but
> ran into this message with two "Authentication-Results" headers:
>
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc
>
> This triggers DMARC_FAIL in my custom rules below, but all I want to
> pick up on is 'header.from' failures. What do I need to change the
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.form' after =fail?
>
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail /
dkim=fail doesn't imply the email failed DMARC. Just look for
dmarc=fail. Using header.from is just a roundabout way of eliminating
the unneccessary dkim=fail matches.
> > meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)
Valid DKIM doesn't imply an email is not forged, the signature could be
unrelated to the author. If you want a sanity check you can use
DKIM_VALID_AU.
> >header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass /
Again remove the dkim pass.