Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.eu> on 2022/09/30 16:04:20 UTC

dnswl dwl rule

ifplugin Mail::SpamAssassin::Plugin::DKIM
     ifplugin Mail::SpamAssassin::Plugin::AskDNS

         askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
         describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
         score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1

     endif # Mail::SpamAssassin::Plugin::AskDNS
endif # Mail::SpamAssassin::Plugin::DKIM


weekend :=)

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
>> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
>> multiple valid keys.

On 07.10.22 16:35, Henrik K wrote:
>Not a problem, as AskDNS doc says:
>
>"Tags which produce multiple values will result in multiple queries
>launched, each with an expanded template using one of the tag values.  An
>example is a DKIMDOMAIN tag which yields a list of signing domains, one for
>each valid signature in a signed message."

oh, I should better read docs then

>_DKIMDOMAIN_ contains verified domains.
>
>_AUTHORDOMAIN_ is simply the From: address without any verification.  It has
>nothing to do with DKIM.  So it would make no sense to use this.

as I understand it, it only makes sense to lookup domain in From: 
(_AUTHORDOMAIN_) and only when the mail is DKIM-signed with this domain.
That means, it only makes sense when DKIM_VALID_AU matches.

unless, of course, we want to decrease score in case the e-mail has a valid DKIM 
signature from any listed domain, no matter if it comes from that domain or 
not.
- but I don't think this is the case. 

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_

Posted by Henrik K <he...@hege.li>.
On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
> 
> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
> multiple valid keys.

Not a problem, as AskDNS doc says:

"Tags which produce multiple values will result in multiple queries
launched, each with an expanded template using one of the tag values.  An
example is a DKIMDOMAIN tag which yields a list of signing domains, one for
each valid signature in a signed message."

_DKIMDOMAIN_ contains verified domains.

_AUTHORDOMAIN_ is simply the From: address without any verification.  It has
nothing to do with DKIM.  So it would make no sense to use this.


Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas wrote on 2022-10-07 10:59:
>>just bumping this if anyone has idea how to process DKIMWL and 
>>spamhaus DWL
>>in more efficient manner.

On 07.10.22 14:35, Benny Pedersen wrote:
>there is no data in dwl.spamhaus.org but the rule for testing is still 
>in current spamassassin as disabled rule

I must write it again because you have removed the important part:

the rule is apparently invalid.

the _DKIMDOMAIN_ can contain multiple domains if mail is signed using 
multiple valid keys.

the same applies for DKIMWL rules.

the _AUTHORDOMAIN_ should be used instead.


further:

these rules should be imho only used if DKIM_VALID_AU matches, because 
there's no point to check DWL/DKIMWL if the mail is not (correctly) 
DKIM-signed with sender domain, but with any other domain no matter if it's 
listed.

we could possibly spare DWL lookup.


... unless the point of DWL and DKIMWL is to increase score for mail DKIM-signed 
with domain in particular list, even if the domain in From: does not match 
the one listed.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Honk if you love peace and quiet.

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas wrote on 2022-10-07 10:59:

> just bumping this if anyone has idea how to process DKIMWL and spamhaus 
> DWL
> in more efficient manner.

there is no data in dwl.spamhaus.org but the rule for testing is still 
in current spamassassin as disabled rule

grep -r dwl ...

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
Hello,

just bumping this if anyone has idea how to process DKIMWL and spamhaus DWL
in more efficient manner.

On 01.10.22 16:42, Matus UHLAR - fantomas wrote:
>>>>>     askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>
>On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>>I'm not sure it should be done with _DKIMDOMAIN_, it's described to 
>>contain all valid signatures:
>>
>>   _DKIMDOMAIN_
>>     Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>>
>>
>>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>>
>>I have checked with one of mails in my archive and added to user_prefs
>>add_header      all     dkimdomain      _DKIMDOMAIN_
>>
>>the result:
>>
>>Authentication-Results: fantomas.fantomas.sk;
>>       dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
>>       dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>>From: Zebra Blinds <in...@threecollectivemarketing.com>
>>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>>
>>so I guess the rules published on https://www.dnswl.org/?p=311
>>are invalid
>>
>>... unless _DKIMDOMAIN_ is used as array - multiple times
>
>I have found other rules using _DKIMDOMAIN_:
>
>20_dnsbl_tests.cf:#askdns   __DKIMDOMAIN_IN_DWL_ANY  _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
>
>72_active.cf:askdns    __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
>72_active.cf:askdns    __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
>72_active.cf:askdns    __DKIMWL_WL_HI    _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
>72_active.cf:askdns    __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
>72_active.cf:askdns    __DKIMWL_WL_MED   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
>72_active.cf:askdns    __DKIMWL_WL_BL   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
>72_active.cf:askdns    __DKIMWL_BLOCKED  _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
>
>
>perhaps these all should replace _DKIMDOMAIN_  by _AUTHORDOMAIN_ and 
>AND-ed with DKIM_VALID_AU.
>
>can these checks be made the way DNS queries are done only when 
>DKIM_VALID_AU matches?
>
>perhaps playing with priority

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Henrik K <he...@hege.li>.
On Tue, Oct 11, 2022 at 11:52:17AM +0200, Matus UHLAR - fantomas wrote:
> > On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
> > > perhaps these all should replace _DKIMDOMAIN_  by _AUTHORDOMAIN_ and AND-ed
> > > with DKIM_VALID_AU.
> > > 
> > > can these checks be made the way DNS queries are done only when
> > > DKIM_VALID_AU matches?
> > > 
> > > perhaps playing with priority
> 
> On 07.10.22 16:41, Henrik K wrote:
> > It's not possible to use priority with askdns.  The rule is launched then
> > the all dependent tags are set, nothing more, nothing less.
> 
> I see bug 7735 now and am curious if the change only affects order of rule
> calling or calling them at all.

It has no relevance on rule order or calling.  It just affects when meta
rule result will be evaluated.

> So, if I make meta rule dependent on other rules:
> 
> meta		DOMAIN_IN_DNSWL_DWL	(DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
> askdns		__DOMAIN_IN_DNSWL_DWL	_AUTHORDOMAIN_.dwl.dnswl.org TXT
> describe	__DOMAIN_IN_DNSWL_DWL	author domain is listed in dwl.dnswl.org
> 
> will __DOMAIN_IN_DNSWL_DWL always be called?

__DOMAIN_IN_DNSWL_DWL is a standalone askdns rule.  It does not know about
anything metas or stuff that depends on it, so yes it's always called. 
Network lookups are generally always launched at the start of the scan
(priority -100 to be exact), and results are checked later on when answer
arrives.  If you are hoping to prevent unnecessary DNS query, it's not
possible.
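
Added example (not part of the original posts and not SpamAssassin code): a small Python model of the behaviour described in this thread, namely that an askdns template launches one query per tag value, that the queries are launched whether or not a meta rule later uses the result, and how gating on DKIM_VALID_AU changes only the hit. The function names, the listed.example / other.example domains and the ZONE contents are constructed for illustration, and DKIM_VALID_AU is simplified to an exact match between the From: domain and a valid signing domain.

```python
import itertools
import re

TAG_RE = re.compile(r"_([A-Z][A-Z0-9]*)_")  # template tags such as _DKIMDOMAIN_

def expand_template(template, tags):
    """One query per tag value; nothing is launched until every tag has a value."""
    names = list(dict.fromkeys(TAG_RE.findall(template)))
    if any(not tags.get(n) for n in names):
        return []
    queries = []
    for combo in itertools.product(*(tags[n] for n in names)):
        q = template
        for name, value in zip(names, combo):
            q = q.replace(f"_{name}_", value)
        queries.append(q)
    return queries

def dkim_valid_au(from_domain, signing_domains):
    # Assumption: "author domain signature" simplified to an exact d= / From: match.
    return from_domain in signing_domains

def evaluate(template, from_domain, signing_domains, zone, gate_on_au=False):
    """Return (queries launched, rule hit). The meta gate changes only the hit."""
    tags = {"AUTHORDOMAIN": [from_domain], "DKIMDOMAIN": list(signing_domains)}
    queries = expand_template(template, tags)
    hit = any(q in zone for q in queries)
    if gate_on_au:
        hit = hit and dkim_valid_au(from_domain, signing_domains)
    return queries, hit

DKIM_TPL = "_DKIMDOMAIN_.dwl.dnswl.org"
AUTHOR_TPL = "_AUTHORDOMAIN_.dwl.dnswl.org"
# Constructed zone content: only listed.example is whitelisted.
ZONE = {"listed.example.dwl.dnswl.org"}

if __name__ == "__main__":
    # Message from the thread: two valid signatures, From: matches the first.
    print(evaluate(DKIM_TPL, "threecollectivemarketing.com",
                   ["threecollectivemarketing.com", "mx-router-i.com"], ZONE))
    # Constructed: From: listed.example with no valid signature at all.
    print(evaluate(AUTHOR_TPL, "listed.example", [], ZONE))
    print(evaluate(AUTHOR_TPL, "listed.example", [], ZONE, gate_on_au=True))
    # Constructed: listed.example signs mail whose From: is another domain.
    print(evaluate(DKIM_TPL, "other.example", ["listed.example"], ZONE))
    print(evaluate(AUTHOR_TPL, "other.example", ["listed.example"], ZONE, gate_on_au=True))
```

The ungated _AUTHORDOMAIN_ case is the one to watch: an unsigned message whose From: names a listed domain still hits, which is why the thread pairs that tag with DKIM_VALID_AU.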


Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
>> perhaps these all should replace _DKIMDOMAIN_  by _AUTHORDOMAIN_ and AND-ed
>> with DKIM_VALID_AU.
>>
>> can these checks be made the way DNS queries are done only when
>> DKIM_VALID_AU matches?
>>
>> perhaps playing with priority

On 07.10.22 16:41, Henrik K wrote:
>It's not possible to use priority with askdns.  The rule is launched then
>the all dependent tags are set, nothing more, nothing less.

I see bug 7735 now and am curious if the change only affects order of rule 
calling or calling them at all.

So, if I make meta rule dependent on other rules:

meta		DOMAIN_IN_DNSWL_DWL	(DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
askdns		__DOMAIN_IN_DNSWL_DWL	_AUTHORDOMAIN_.dwl.dnswl.org TXT
describe	__DOMAIN_IN_DNSWL_DWL	author domain is listed in dwl.dnswl.org

will __DOMAIN_IN_DNSWL_DWL always be called?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Henrik K <he...@hege.li>.
On Fri, Oct 07, 2022 at 04:41:57PM +0300, Henrik K wrote:
> It's not possible to use priority with askdns.  The rule is launched then
> the all dependent tags are set, nothing more, nothing less.

... obvious typo but just to clarify, _when_ all tags are set..


Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Henrik K <he...@hege.li>.
On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
> 
> perhaps these all should replace _DKIMDOMAIN_  by _AUTHORDOMAIN_ and AND-ed
> with DKIM_VALID_AU.
> 
> can these checks be made the way DNS queries are done only when
> DKIM_VALID_AU matches?
> 
> perhaps playing with priority

It's not possible to use priority with askdns.  The rule is launched then
the all dependent tags are set, nothing more, nothing less.

So there would have to be a _DKIMAUTHORDOMAIN_ or such, which would be set
from From: address when valid DKIM author sig is found.  This would
obviously require changing DKIM.pm plugin code to set it.

Other than that, I have no idea if something like that would be useful, I
leave that up for others to ponder.


_DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>>>      askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT

On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>I'm not sure it should be done with _DKIMDOMAIN_, it's described to 
>contain all valid signatures:
>
>    _DKIMDOMAIN_
>      Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>
>
>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>
>I have checked with one of mails in my archive and added to user_prefs
>add_header      all     dkimdomain      _DKIMDOMAIN_
>
>the result:
>
>Authentication-Results: fantomas.fantomas.sk;
>        dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
>        dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>From: Zebra Blinds <in...@threecollectivemarketing.com>
>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>
>so I guess the rules published on https://www.dnswl.org/?p=311
>are invalid
>
>... unless _DKIMDOMAIN_ is used as array - multiple times

I have found other rules using _DKIMDOMAIN_:

20_dnsbl_tests.cf:#askdns   __DKIMDOMAIN_IN_DWL_ANY  _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT

72_active.cf:askdns    __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
72_active.cf:askdns    __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
72_active.cf:askdns    __DKIMWL_WL_HI    _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
72_active.cf:askdns    __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
72_active.cf:askdns    __DKIMWL_WL_MED   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
72_active.cf:askdns    __DKIMWL_WL_BL   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
72_active.cf:askdns    __DKIMWL_BLOCKED  _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/


perhaps these all should replace _DKIMDOMAIN_  by _AUTHORDOMAIN_ and AND-ed 
with DKIM_VALID_AU.

can these checks be made the way DNS queries are done only when DKIM_VALID_AU 
matches?

perhaps playing with priority

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.

Re: dnswl dwl rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 30.09.22 19:15, Benny Pedersen wrote:
>Matus UHLAR - fantomas wrote on 2022-09-30 18:53:
>>On 30.09.22 18:04, Benny Pedersen wrote:
>>>ifplugin Mail::SpamAssassin::Plugin::DKIM
>>>   ifplugin Mail::SpamAssassin::Plugin::AskDNS
>>>
>>>       askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>>>       describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
>>>       score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
>>
>>tflags LOCAL_DNSWL_IN_DWL net nice noautolearn
>>
>>>   endif # Mail::SpamAssassin::Plugin::AskDNS
>>>endif # Mail::SpamAssassin::Plugin::DKIM
>
>added here, thanks

I'm not sure it should be done with _DKIMDOMAIN_, it's described to contain 
all valid signatures:

     _DKIMDOMAIN_
       Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;


the rule should be used with from domain, and only when DKIM_VALID_AU applies.

I have checked with one of mails in my archive and added to user_prefs
add_header      all     dkimdomain      _DKIMDOMAIN_

the result:

Authentication-Results: fantomas.fantomas.sk;
         dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
         dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
From: Zebra Blinds <in...@threecollectivemarketing.com>
X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com

so I guess the rules published on https://www.dnswl.org/?p=311
are invalid

... unless _DKIMDOMAIN_ is used as array - multiple times

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...

Re: dnswl dwl rule

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas wrote on 2022-09-30 18:53:
> On 30.09.22 18:04, Benny Pedersen wrote:
>> ifplugin Mail::SpamAssassin::Plugin::DKIM
>>    ifplugin Mail::SpamAssassin::Plugin::AskDNS
>> 
>>        askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>>        describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
>>        score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
> 
> tflags LOCAL_DNSWL_IN_DWL net nice noautolearn
> 
>>    endif # Mail::SpamAssassin::Plugin::AskDNS
>> endif # Mail::SpamAssassin::Plugin::DKIM

added here, thanks

PMC members, is it stable enough to be default included?

https://gitlab.isc.org/isc-projects/bind9/-/issues/3331 is this a 
problem with spamassassin?

asked on dnswl irc for missing _ on dwl where answer just was that it 
would not be needed, so far so good, but what about other domain 
blacklists?

Re: dnswl dwl rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 30.09.22 18:04, Benny Pedersen wrote:
>ifplugin Mail::SpamAssassin::Plugin::DKIM
>    ifplugin Mail::SpamAssassin::Plugin::AskDNS
>
>        askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>        describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
>        score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1

tflags LOCAL_DNSWL_IN_DWL net nice noautolearn 

>    endif # Mail::SpamAssassin::Plugin::AskDNS
>endif # Mail::SpamAssassin::Plugin::DKIM

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.