Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/06/16 21:20:58 UTC

[Bug 7827] New: SpamAssassin reports DKIM invalid when email contains attachment

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7827

            Bug ID: 7827
           Summary: SpamAssassin reports DKIM invalid when email contains
                    attachment
           Product: Spamassassin
           Version: 3.4.2
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: data.protection.gdpr@gmail.com
  Target Milestone: Undefined

Hello,

I've been noticing that pretty much every email that contains an attachment,
even if coming from @outlook.com or @gmail.com, for example, is marked with
DKIM invalid.

The emails are 100% legit, because I reply to them and receive a reply. And,
the emails without attachment are marked as DKIM valid.



I use the Mail::SpamAssassin::Plugin::DKIM extension of SpamAssassin, which
adds DKIM_INVALID & DKIM_SIGNED to the X-Spam-Status header.

  header        __DKIM_EXISTS   exists:DKIM-Signature

  meta     DKIM_INVALID !__DKIM_EXISTS || !DKIM_VALID
  describe DKIM_INVALID DKIM-Signature header does not exist or is not valid
  score    DKIM_INVALID 5.0




And the emails do have DKIM header, but SpamAssassin sees them as invalid:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
...



Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7827] SpamAssassin reports DKIM invalid when email contains attachment

Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7827

Bill Cole <bi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |billcole@apache.org
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Bill Cole <bi...@apache.org> ---

1. This cannot be considered a SpamAssassin bug unless you have some other
trustworthy DKIM signature verifier which validates a signed message that SA
deems invalid.

2. Mail systems routinely make harmless changes to email which break DKIM
signatures. This can include an encoding change that may be necessary to
transport a binary attachment over Internet email. 

3. It is literally impossible to diagnose your problem without a specific
UNMODIFIED complete example. 

4. This is the sort of probable non-bug problem which should be better
addressed on the SpamAssassin Users mailing list. 

5. Redefining & rescoring DKIM_INVALID as you have done is deeply unwise. The
definition in the default ruleset only hits on signed messages whose signature
does not validate and it is scored at 0.1 because of the common problem of DKIM
signatures breaking in transit. Marking every unsigned email and every signed
email with a broken signature as spam (i.e. with a 5.0 score as your rule does)
is a choice to intentionally mislabel mail.

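
An added illustration of point 2 in the comment above (not code from SpamAssassin or from either poster): the body hash a verifier compares with the bh= tag, computed with RFC 6376 "relaxed" body canonicalization as in the c=relaxed/relaxed signatures quoted in the report. The message body, the boundary name and all function names are constructed for this example; it covers only the body hash, not the header signature or the l= tag.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of SP/HTAB to one SP, then drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body (a=rsa-sha256, no l= tag)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def mime_body(cte: str, payload: bytes) -> bytes:
    """Constructed two-part body: a short text part plus one attachment."""
    return b"\r\n".join([
        b"--b1", b"Content-Type: text/plain", b"", b"See attached.",
        b"--b1", b"Content-Type: text/plain; charset=utf-8",
        b"Content-Disposition: attachment; filename=note.txt",
        b"Content-Transfer-Encoding: " + cte.encode("ascii"), b"",
        payload, b"--b1--", b"",
    ])


# Constructed sample attachment containing non-ASCII (8-bit) text.
ATTACHMENT = "résumé for the café meeting".encode("utf-8")

# Body as the sender signed it: attachment sent as raw 8-bit text.
SIGNED = mime_body("8bit", ATTACHMENT)
# Whitespace-only damage in transit: tolerated by relaxed canonicalization.
WHITESPACE_ONLY = SIGNED.replace(b"See attached.", b"See  attached. \t") + b"\r\n\r\n"
# Same attachment re-encoded to base64 by a relay: same content, new bytes.
REENCODED = mime_body("base64", base64.b64encode(ATTACHMENT))

if __name__ == "__main__":
    for name, body in [("signed", SIGNED), ("whitespace only", WHITESPACE_ONLY),
                       ("re-encoded", REENCODED)]:
        print(f"{name:16} bh={body_hash(body)}")
```

The first two hashes match and the third does not: a transfer-encoding change leaves the attachment intact for the reader but invalidates the signature, which is why a failed verification alone is weak evidence of spam.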