Posted to users@spamassassin.apache.org by Alessio Cecchi <al...@skye.it> on 2021/10/20 14:35:02 UTC

Spam email by-pass because dkim adsp timeout

Hi,

some of our users have received spam/phishing email in their INBOX. 
Investigating, I found that the cause is the time that SpamAssassin spent 
to return a result, 30 seconds in the DKIM ADSP:

[...]

Reply-To: server-admin@mailserverupgrader.xyz
From: "MEssage Center -  companyname.it" 
<se...@mailserverupgrader.xyz>
To: name.surname@companyname.it

[...]

Oct 20 16:22:41.142 [27900] dbg: FreeMail: RULE (FREEMAIL_FROM) 
check_freemail_from
Oct 20 16:22:41.142 [27900] dbg: FreeMail: all from-addresses: 
cindy.vandwest@gmail.com, server-admin@mailserverupgrader.xyz
Oct 20 16:22:41.142 [27900] dbg: FreeMail: HIT! cindy.vandwest@gmail.com 
is freemail
Oct 20 16:22:41.153 [27900] dbg: dkim: using Mail::DKIM version 0.39
Oct 20 16:22:41.154 [27900] dbg: dkim: performing public key lookup and 
signature verification
Oct 20 16:22:51.155 [27900] dbg: dkim: FAILED DKIM, 
i=@serverupgrader.xyz, d=serverupgrader.xyz, s=default, a=rsa-sha1, 
c=relaxed/relaxed, unknown key size, invalid, does not match author domain
Oct 20 16:22:51.155 [27900] dbg: dkim: signature verification result: 
INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR 
DEFAULT._DOMAINKEY.SERVERUPGRADER.XYZ)
Oct 20 16:22:51.155 [27900] dbg: dkim: adsp: performing lookup on 
_adsp._domainkey.mailserverupgrader.xyz

[ NOTE 30 seconds here ]

Oct 20 16:23:11.155 [27900] dbg: dkim: adsp: fetch or parse on domain 
mailserverupgrader.xyz failed: DNS query timeout for mailserverupgrader.xyz
Oct 20 16:23:11.156 [27900] dbg: dkim: signing practices on 
mailserverupgrader.xyz unavailable
Oct 20 16:23:11.156 [27900] dbg: dkim: adsp result: U/unknown (dns: no 
result), author domain 'mailserverupgrader.xyz'
Oct 20 16:23:11.156 [27900] dbg: rules: uri host enlisted 
(SUSP_URI_NTLD): serverupgrader.xyz (xyz)
Oct 20 16:23:11.156 [27900] dbg: rules: ran eval rule PDS_OTHER_BAD_TLD 
======> got hit (1)
Oct 20 16:23:11.157 [27900] dbg: eval: From 2nd level domain: 
mailserverupgrader.xyz, EnvelopeFrom 2nd level domain: gmail.com
Oct 20 16:23:11.157 [27900] dbg: rules: ran eval rule 
HEADER_FROM_DIFFERENT_DOMAINS ======> got hit (1)
Oct 20 16:23:11.157 [27900] dbg: spf: already checked for Received-SPF 
headers, proceeding with DNS based checks
Oct 20 16:23:11.157 [27900] dbg: spf: found Envelope-From in first 
external Received header

Can it be a tactic?

How can I configure this timeout to 5 seconds or similar?

Thanks

-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
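
Added example (not part of the original thread and not SpamAssassin code): a small Python script that reads SpamAssassin debug output like the excerpt above, re-joins wrapped lines, and reports which step each child process was waiting on whenever two consecutive entries are more than a threshold apart. The function names, the 2-second threshold and the year 2021 (taken from the post date, since the log lines carry no year) are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the debug lines from the first post, wrapped as archived.
SAMPLE_LOG = """\
Oct 20 16:22:41.153 [27900] dbg: dkim: using Mail::DKIM version 0.39
Oct 20 16:22:41.154 [27900] dbg: dkim: performing public key lookup and
signature verification
Oct 20 16:22:51.155 [27900] dbg: dkim: signature verification result:
INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR
DEFAULT._DOMAINKEY.SERVERUPGRADER.XYZ)
Oct 20 16:22:51.155 [27900] dbg: dkim: adsp: performing lookup on
_adsp._domainkey.mailserverupgrader.xyz
Oct 20 16:23:11.155 [27900] dbg: dkim: adsp: fetch or parse on domain
mailserverupgrader.xyz failed: DNS query timeout for mailserverupgrader.xyz
Oct 20 16:23:11.156 [27900] dbg: dkim: signing practices on
mailserverupgrader.xyz unavailable
"""

# "Oct 20 16:22:41.154 [27900] dbg: dkim: ..." -> timestamp, pid, message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \[(\d+)\] \w+: (.*)$")


def parse_entries(text, year=2021):
    """Return [timestamp, pid, message] per entry, re-joining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            entries.append([ts, int(m.group(2)), m.group(3).strip()])
        elif raw.strip() and entries:
            # No timestamp: continuation of the previous (wrapped) entry.
            entries[-1][2] += " " + raw.strip()
    return entries


def find_stalls(text, threshold=2.0):
    """Return (gap_seconds, pid, last_message_before_gap) for each stall."""
    last, stalls = {}, []
    for ts, pid, msg in parse_entries(text):
        if pid in last:
            gap = (ts - last[pid][0]).total_seconds()
            if gap >= threshold:
                stalls.append((round(gap, 3), pid, last[pid][1]))
        last[pid] = (ts, msg)  # gaps are tracked per child process
    return stalls


if __name__ == "__main__":
    for gap, pid, msg in find_stalls(SAMPLE_LOG):
        print(f"{gap:7.3f}s  pid {pid}  waiting after: {msg}")
```

On this excerpt it reports two waits: 10.001 s after the public key lookup started and 20 s after the ADSP lookup started.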


Re: Spam email by-pass because dkim adsp timeout

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2021-10-20 at 11:31:48 UTC-0400 (Wed, 20 Oct 2021 17:31:48 +0200)
Alessio Cecchi <al...@skye.it>
is rumored to have said:

> On 20/10/21 16:46, Benny Pedersen wrote:
>> On 2021-10-20 16:35, Alessio Cecchi wrote:
>>
>>> How can I configure this timeout to 5 seconds or similar?
>>
>> perldoc Mail::SpamAssassin::Plugin::DKIM
>>
>> see section override
>
> Thanks, I have solved it with:
>
> adsp_override   *    unknown
>
> There is still 10 seconds spent on the DKIM check:
>
> Oct 20 17:19:42.210 [15847] dbg: dkim: using Mail::DKIM version 0.39
> Oct 20 17:19:42.211 [15847] dbg: dkim: performing public key lookup and signature verification
>
> [ 10 seconds here]
>
> Oct 20 17:19:52.211 [15847] dbg: dkim: FAILED DKIM, i=@serverupgrader.xyz, d=serverupgrader.xyz, s=default, a=rsa-sha1, c=relaxed/relaxed, unknown key size, invalid, does not match author domain
> Oct 20 17:19:52.211 [15847] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR DEFAULT._DOMAINKEY.SERVERUPGRADER.XYZ)
>
> But it seems to be a DNS timeout, not a dkim_timeout, which is 5 seconds by default (from perldoc Mail::SpamAssassin::Plugin::DKIM).
>
> Any suggestion?

Don't run SpamAssassin inside a chroot jail or container without working DNS?

That's just a random guess since you don't say anything useful about your configuration. Because you appear to have munged relevant domain names, it is impossible to know whether the failed lookup could or should have resulted in anything.

You can set default timeouts for DNS queries in /etc/resolv.conf.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Spam email by-pass because dkim adsp timeout

Posted by Alessio Cecchi <al...@skye.it>.
On 20/10/21 16:46, Benny Pedersen wrote:
> On 2021-10-20 16:35, Alessio Cecchi wrote:
>
>> How can I configure this timeout to 5 seconds or similar?
>
> perldoc Mail::SpamAssassin::Plugin::DKIM
>
> see section override

Thanks, I have solved it with:

adsp_override   *    unknown

There is still 10 seconds spent on the DKIM check:

Oct 20 17:19:42.210 [15847] dbg: dkim: using Mail::DKIM version 0.39
Oct 20 17:19:42.211 [15847] dbg: dkim: performing public key lookup and 
signature verification

[ 10 seconds here]

Oct 20 17:19:52.211 [15847] dbg: dkim: FAILED DKIM, 
i=@serverupgrader.xyz, d=serverupgrader.xyz, s=default, a=rsa-sha1, 
c=relaxed/relaxed, unknown key size, invalid, does not match author domain
Oct 20 17:19:52.211 [15847] dbg: dkim: signature verification result: 
INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR 
DEFAULT._DOMAINKEY.SERVERUPGRADER.XYZ)

But it seems to be a DNS timeout, not a dkim_timeout, which is 5 seconds by 
default (from perldoc Mail::SpamAssassin::Plugin::DKIM).

Any suggestion?

-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice


Re: Spam email by-pass because dkim adsp timeout

Posted by Benny Pedersen <me...@junc.eu>.
On 2021-10-20 16:35, Alessio Cecchi wrote:

> How can I configure this timeout to 5 seconds or similar?

perldoc Mail::SpamAssassin::Plugin::DKIM

see section override

have in mind that ADSP is deprecated, as in opendkim it's removed, but in 
perl it's still supported as a useful feature :=)