You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.eu> on 2022/09/30 16:04:20 UTC
dnswl dwl rule
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
endif # Mail::SpamAssassin::Plugin::AskDNS
endif # Mail::SpamAssassin::Plugin::DKIM
weekend :=)
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
>> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
>> multiple valid keys.
On 07.10.22 16:35, Henrik K wrote:
>Not a problem, as AskDNS doc says:
>
>"Tags which produce multiple values will result in multiple queries
>launched, each with an expanded template using one of the tag values. An
>example is a DKIMDOMAIN tag which yields a list of signing domains, one for
>each valid signature in a signed message."
oh, I should better read docs then
>_DKIMDOMAIN_ contains verified domains.
>
>_AUTHORDOMAIN_ is simply the From: address without any verification. It has
>nothing to do with DKIM. So it would make no sense to use this.
as I undesstand it, it only makes sense to lookup domain in From:
(_AUTHORDOMAIN_) and only when the mail is DKIM-signed with this domain.
That means, it only makes sende when DKIM_VALID_AU matches.
unless, of course, we want decrease score in case of e-mail has valid DKIM
signature from any listed domain, no matter if it comes from that domain or
not.
- but I don't think this is the case.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
Posted by Henrik K <he...@hege.li>.
On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
>
> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
> multiple valid keys.
Not a problem, as AskDNS doc says:
"Tags which produce multiple values will result in multiple queries
launched, each with an expanded template using one of the tag values. An
example is a DKIMDOMAIN tag which yields a list of signing domains, one for
each valid signature in a signed message."
_DKIMDOMAIN_ contains verified domains.
_AUTHORDOMAIN_ is simply the From: address without any verification. It has
nothing to do with DKIM. So it would make no sense to use this.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas skrev den 2022-10-07 10:59:
>>just bumping this if anyone has idea how to process DKIMWL and
>>spamhaus DWL
>>in more efficient matter.
On 07.10.22 14:35, Benny Pedersen wrote:
>there is no data in dwl.spamhaus.org but the rule for testing is still
>in current spamassassin as disabled rule
I must to write it again because you have removed the important part:
the rule is apparently invalid.
the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
multiple valid keys.
the same applies for DKIMWL rules.
the _AUTHORDOMAIN_ should be used instead.
further:
these rules should be imho only used if DKIM_VALID_AU matches, because
there's no point to check DWL/DKIMWL if the mail is not (correctly)
DKIM-signed with sender domain, but with any other domain no matter if it's
listed.
we could possibly spare DWL lookup.
... unless the poing of DWL and DKIMWL is to increate score for mail DKIM-signed
with domain in particular list, even if the domain in From: does not match
the one listed.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas skrev den 2022-10-07 10:59:
> just bumping this if anyone has idea how to process DKIMWL and spamhaus
> DWL
> in more efficient matter.
there is no data in dwl.spamhaus.org but the rule for testing is still
in current spamassassin as disabled rule
grep -r dwl ...
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
Hello,
just bumping this if anyone has idea how to process DKIMWL and spamhaus DWL
in more efficient matter.
On 01.10.22 16:42, Matus UHLAR - fantomas wrote:
>>>>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>
>On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>>I'm not sure it should be done with _DKIMDOMAIN_, it's described to
>>contain all valid signatures:
>>
>> _DKIMDOMAIN_
>> Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>>
>>
>>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>>
>>I have checked with one of mails in my archive and added to user_prefs
>>add_header all dkimdomain _DKIMDOMAIN_
>>
>>the result:
>>
>>Authentication-Results: fantomas.fantomas.sk;
>> dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
>> dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>>From: Zebra Blinds <in...@threecollectivemarketing.com>
>>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>>
>>so I guess the rules published on https://www.dnswl.org/?p=311
>>are invalid
>>
>>... unless _DKIMDOMAIN_ is used as array - multiple times
>
>I have found other rules using _DKIMDOMAIN_:
>
>20_dnsbl_tests.cf:#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
>
>72_active.cf:askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
>72_active.cf:askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
>72_active.cf:askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
>72_active.cf:askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
>72_active.cf:askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
>72_active.cf:askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
>72_active.cf:askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
>
>
>perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and
>AND-ed with DKIM_VALID_AU.
>
>can these checks be made the way DNS queries are done only when
>DKIM_VALID_AU matches?
>
>perhaps playing with priority
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Henrik K <he...@hege.li>.
On Tue, Oct 11, 2022 at 11:52:17AM +0200, Matus UHLAR - fantomas wrote:
> > On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
> > > perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
> > > with DKIM_VALID_AU.
> > >
> > > can these checks be made the way DNS queries are done only when
> > > DKIM_VALID_AU matches?
> > >
> > > perhaps playing with priority
>
> On 07.10.22 16:41, Henrik K wrote:
> > It's not possible to use priority with askdns. The rule is launched then
> > the all dependent tags are set, nothing more, nothing less.
>
> I see bug 7735 now and am curious if the cvhange only affects order of rule
> calling or calling them at all.
It has no relevance on rule order or calling. It just affects when meta
rule result will be evaluated.
> So, if I make meta rule dependend on other rules:
>
> meta DOMAIN_IN_DNSWL_DWL (DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
> askdns __DOMAIN_IN_DNSWL_DWL _AUTHORDOMAIN_.dwl.dnswl.org TXT
> describe __DOMAIN_IN_DNSWL_DWL author domain is listed in dwl.dnswl.org
>
> will __DOMAIN_IN_DNSWL_DWL always be called?
__DOMAIN_IN_DNSWL_DWL is a standalone askdns rule. It does not know about
anything metas or stuff that depends on it, so yes it's always called.
Network lookups are generally always launched at the start of the scan
(priority -100 to be exact), and results are checked later on when answer
arrives. If you are hoping to prevent unnecessary DNS query, it's not
possible.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
>> perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
>> with DKIM_VALID_AU.
>>
>> can these checks be made the way DNS queries are done only when
>> DKIM_VALID_AU matches?
>>
>> perhaps playing with priority
On 07.10.22 16:41, Henrik K wrote:
>It's not possible to use priority with askdns. The rule is launched then
>the all dependent tags are set, nothing more, nothing less.
I see bug 7735 now and am curious if the cvhange only affects order of rule
calling or calling them at all.
So, if I make meta rule dependend on other rules:
meta DOMAIN_IN_DNSWL_DWL (DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
askdns __DOMAIN_IN_DNSWL_DWL _AUTHORDOMAIN_.dwl.dnswl.org TXT
describe __DOMAIN_IN_DNSWL_DWL author domain is listed in dwl.dnswl.org
will __DOMAIN_IN_DNSWL_DWL always be called?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Henrik K <he...@hege.li>.
On Fri, Oct 07, 2022 at 04:41:57PM +0300, Henrik K wrote:
> It's not possible to use priority with askdns. The rule is launched then
> the all dependent tags are set, nothing more, nothing less.
... obvious typo but just to clarify, _when_ all tags are set..
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Henrik K <he...@hege.li>.
On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
>
> perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
> with DKIM_VALID_AU.
>
> can these checks be made the way DNS queries are done only when
> DKIM_VALID_AU matches?
>
> perhaps playing with priority
It's not possible to use priority with askdns. The rule is launched then
the all dependent tags are set, nothing more, nothing less.
So there would have to be a _DKIMAUTHORDOMAIN_ or such, which would be set
from From: address when valid DKIM author sig is found. This would
obviously require changing DKIM.pm plugin code to set it.
Other than that, I have no idea if something like that would be useful, I
leave that up for others to ponder.
_DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>I'm not sure it should be done with _DKIMDOMAIN_, it's described to
>contain all valid signatures:
>
> _DKIMDOMAIN_
> Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>
>
>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>
>I have checked with one of mails in my archive and added to user_prefs
>add_header all dkimdomain _DKIMDOMAIN_
>
>the result:
>
>Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
> dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>From: Zebra Blinds <in...@threecollectivemarketing.com>
>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>
>so I guess the rules published on https://www.dnswl.org/?p=311
>are invalid
>
>... unless _DKIMDOMAIN_ is used as array - multiple times
I have found other rules using _DKIMDOMAIN_:
20_dnsbl_tests.cf:#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
72_active.cf:askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
72_active.cf:askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
72_active.cf:askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
72_active.cf:askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
72_active.cf:askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
72_active.cf:askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
72_active.cf:askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
with DKIM_VALID_AU.
can these checks be made the way DNS queries are done only when DKIM_VALID_AU
matches?
perhaps playing with priority
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
Re: dnswl dwl rule
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 30.09.22 19:15, Benny Pedersen wrote:
>Matus UHLAR - fantomas skrev den 2022-09-30 18:53:
>>On 30.09.22 18:04, Benny Pedersen wrote:
>>>ifplugin Mail::SpamAssassin::Plugin::DKIM
>>> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>>>
>>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>>> describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
>>> score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
>>
>>tflags LOCAL_DNSWL_IN_DWL net nice noautolearn
>>
>>> endif # Mail::SpamAssassin::Plugin::AskDNS
>>>endif # Mail::SpamAssassin::Plugin::DKIM
>
>added here, thanks
I'm not sure it should be done with _DKIMDOMAIN_, it's described to contain
all valid signatures:
_DKIMDOMAIN_
Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
the rule should be used with from domain, and only when DKIM_VALID_AU applies.
I have checked with one of mails in my archive and added to user_prefs
add_header all dkimdomain _DKIMDOMAIN_
the result:
Authentication-Results: fantomas.fantomas.sk;
dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
From: Zebra Blinds <in...@threecollectivemarketing.com>
X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
so I guess the rules published on https://www.dnswl.org/?p=311
are invalid
... unless _DKIMDOMAIN_ is used as array - multiple times
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...
Re: dnswl dwl rule
Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas skrev den 2022-09-30 18:53:
> On 30.09.22 18:04, Benny Pedersen wrote:
>> ifplugin Mail::SpamAssassin::Plugin::DKIM
>> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>>
>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>> describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
>> score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
>
> tflags LOCAL_DNSWL_IN_DWL net nice noautolearn
>
>> endif # Mail::SpamAssassin::Plugin::AskDNS
>> endif # Mail::SpamAssassin::Plugin::DKIM
added here, thanks
pmc mwembers is it stable enough to be default included ?
https://gitlab.isc.org/isc-projects/bind9/-/issues/3331 is this a
problem with spamassassin ?
asked on dnswl irc for missing _ on dwl where answer just was that it
would not be needed, so far so good, but what abour other domain
blacklists ?
Re: dnswl dwl rule
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 30.09.22 18:04, Benny Pedersen wrote:
>ifplugin Mail::SpamAssassin::Plugin::DKIM
> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>
> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
> describe LOCAL_DNSWL_IN_DWL domain is dnswlisted in dnswl.org
> score LOCAL_DNSWL_IN_DWL -1 -1 -1 -1
tflags LOCAL_DNSWL_IN_DWL net nice noautolearn
> endif # Mail::SpamAssassin::Plugin::AskDNS
>endif # Mail::SpamAssassin::Plugin::DKIM
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.