Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2010/09/20 17:53:44 UTC
explain DKIM_ADSP_DISCARD?
these new dkim tests confuse me :-)
DKIM_ADSP_DISCARD=1.8
seems like it decided this is a forged email?
seems ok to me. I can pastebin it if someone wants.
spf pass, dkim passes (dkim_valid), rcvd_in_rp_certified,
rcvd_in_dnswl_med, rdns and envelope from seem to match.
AH.. brainiacs at ebay... envelope from is members.ebay.com. dkim
signature has d=ebay.com
is that what adsp_discard means? that even though the dkim signature
matched, the domain in the envelope from didn't match the domain that
the signature says it signed?
--
Michael Scheidell, CTO
Re: explain DKIM_ADSP_DISCARD?
Posted by Mark Martinec <Ma...@ijs.si>.
Michael,
> these new dkim tests confuse me :-)
> DKIM_ADSP_DISCARD=1.8
> seems like it decided this is a forged email?
It is implemented as per RFC 5617.
> seems ok to me. I can pastebin it if someone wants.
> spf pass, dkim passes (dkim_valid), rcvd_in_rp_certified,
> rcvd_in_dnswl_med, rdns and envelope from seem to match.
>
> AH.. brainiacs at ebay... envelope from is members.ebay.com.
> dkim signature has d=ebay.com
ADSP does not care for envelope sender address.
All it cares about is an exact match between the From header field
and the d= tag (a signing domain) in the DKIM signature.
If that From is also @members.ebay.com and d is ebay.com,
that would be a mismatch and ADSP would strike in.
> is that what adsp_discard means? that even though the dkim signature
> matched, the domain in the envelope from didn't match the domain that
> the signature says it signed?
Which of the ADSP outcomes (unknown/all/discardable) would you end
up with depends on either the published or overridden ADSP policy.
The published ADSP policy (assuming From: ...@members.ebay.com)
would be queried as:
$ host -t txt _adsp._domainkey.members.ebay.com
which in this case does not exist, so it defaults to "unknown".
But the 60_adsp_override_dkim.cf overrides this policy by
a "discardable": adsp_override *.ebay.com
$ man Mail::SpamAssassin::Plugin::DKIM
Absence of this second parameter implies "discardable"
which scores a conservative 1.8 points, not to penalize
mistakes at the signing or the receiving side. But yes,
technically it is a forgery as far as ADSP is concerned.
Mark
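
The decision described in the reply above, as an added example that is not part of the original thread and is not SpamAssassin's code: it compares the From header domain with the d= domains of valid signatures and, on a mismatch, picks the overridden or published ADSP policy. The function names, the sample message, the in-memory tables standing in for DNS and for the adsp_override lines, and the use of glob matching for the wildcard are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed stand-ins; nothing here queries DNS or reads SpamAssassin config.
# PUBLISHED plays the role of _adsp._domainkey.<domain> TXT lookups,
# OVERRIDES the role of adsp_override lines (pattern, policy).
PUBLISHED = {}  # the thread says members.ebay.com publishes no ADSP record
OVERRIDES = [("*.ebay.com", "discardable")]  # no second parameter => discardable

# Constructed sample message matching the case discussed in the thread.
SAMPLE = (
    "From: eBay <ebay@members.ebay.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def author_domain(raw_msg):
    """Domain of the From header field; the envelope sender is never consulted."""
    addr = parseaddr(message_from_string(raw_msg)["From"])[1]
    return addr.rpartition("@")[2].lower()

def adsp_policy(domain, overrides=OVERRIDES, published=PUBLISHED):
    """An override wins over the published record; no record means 'unknown'."""
    for pattern, policy in overrides:
        if fnmatchcase(domain, pattern.lower()):
            return policy
    return published.get(domain, "unknown")

def adsp_outcome(raw_msg, valid_signing_domains, overrides=OVERRIDES):
    """Return None when a valid signature's d= equals the From domain exactly
    (an author domain signature, so ADSP has nothing to say); otherwise return
    the policy that applies: 'unknown', 'all' or 'discardable'."""
    dom = author_domain(raw_msg)
    if dom in {d.lower() for d in valid_signing_domains}:
        return None
    return adsp_policy(dom, overrides)

if __name__ == "__main__":
    # Valid signature with d=ebay.com, From at members.ebay.com: mismatch.
    print(adsp_outcome(SAMPLE, ["ebay.com"]))
    # Same message signed with d=members.ebay.com: exact match, no ADSP result.
    print(adsp_outcome(SAMPLE, ["members.ebay.com"]))
    # Without the override, the missing published record yields 'unknown'.
    print(adsp_outcome(SAMPLE, ["ebay.com"], overrides=[]))
```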