Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2008/09/04 15:10:31 UTC

DKIM sigs started failing.

"I didn't change anything"(tm) :-)

If I did, I don't think it should have done anything to DKIM signatures, 
but I will double-check rewrite rules.

I have upgraded from Mail-DKIM .31 to .32 to see if it helps.
Anyone else missing the DKIM_VERIFIED rule on legit email?
Any reason .31 started to fail?

Hint: if you don't have this, try this rule:

meta DKIM_FORGED DKIM_SIGNED && !DKIM_VERIFIED
tflags DKIM_FORGED net
score DKIM_FORGED 1.0


-- 
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
>|SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * Everything Channel Hot Product of 2008
    * Shaping Information Security Award 2008
    * CRN Magazine Top 40 Emerging Security Vendors

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: DKIM sigs started failing.

Posted by Mark Martinec <Ma...@ijs.si>.
Larry Nedry,
> Out of the last 249,000 emails, DKIM_VERIFIED has only hit 18 times.
> DKIM_SIGNED on the other hand has hit about 58,000 times.

This is highly unusual, my stats show that overall 80% of messages
with a DKIM or DK signature bear a valid signature, and 20% fail
validation. (checking at MTA stage)

The ratio varies across signing domains. For example a mail
signed by gmail.com fails in 10% of messages, and discounting
from this pool messages which passed through some mailing list
a failure rate is only 0.9% for DKIM signatures of gmail.com,
(for reasons like a 'resent' or due to failed DNS lookups).

If you see much worse results than this, either your Mail::DKIM
module is too old, or you use some pre-filtering appliance or some
MTA which is garbling your mail. Checking signatures late, i.e.
after mail delivery (by MUA or procmail or collected by fetchmail)
is another likely reason for signature failures. It deserves
to be investigated and fixed.

The current version of Mail::DKIM is 0.32, the 0.31 should be
fine too.

  Mark
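
One way to measure the ratio discussed in this thread from spamd's own logs, given as an added example that is not part of any poster's message: it counts DKIM_SIGNED and DKIM_VERIFIED hits in spamd "result:" lines. The sample log lines are constructed, and the `floor` and `min_signed` thresholds are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed spamd syslog lines (not from the thread). A "result:" line carries
# the comma-separated names of the rules that hit, followed by scantime=...
SAMPLE_LOG = """\
Sep  4 09:10:01 mx spamd[311]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VERIFIED scantime=1.2,size=2210
Sep  4 09:10:02 mx spamd[311]: spamd: result: . 1 - DKIM_SIGNED,HTML_MESSAGE scantime=0.9,size=5120
Sep  4 09:10:03 mx spamd[311]: spamd: result: . -1 - BAYES_00,DKIM_SIGNED scantime=1.0,size=1840
Sep  4 09:10:04 mx spamd[311]: spamd: result: . 0 -  scantime=0.4,size=900
Sep  4 09:10:05 mx spamd[311]: spamd: result: . 1 - DKIM_SIGNED,RDNS_NONE scantime=1.1,size=3300
Sep  4 09:10:06 mx spamd[311]: spamd: connection from localhost [127.0.0.1] at port 40112
Sep  4 09:10:07 mx spamd[311]: spamd: result: Y 12 - BAYES_99,DKIM_SIGNED,URIBL_BLACK scantime=2.0,size=700
"""

RESULT_RE = re.compile(r"spamd: result: \S+ -?\d+ - (\S*) scantime=")

def dkim_stats(log_text):
    """Count scanned messages by DKIM outcome, using the rule names spamd logged."""
    stats = Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a scan-result line
        rules = set(m.group(1).split(","))
        stats["scanned"] += 1
        if "DKIM_SIGNED" in rules:
            stats["signed"] += 1
            # signed_not_verified is the case a DKIM_SIGNED && !DKIM_VERIFIED meta matches
            key = "verified" if "DKIM_VERIFIED" in rules else "signed_not_verified"
            stats[key] += 1
    return stats

def verify_rate(stats):
    """Fraction of signed messages whose signature verified; None if none were signed."""
    return stats["verified"] / stats["signed"] if stats["signed"] else None

def looks_broken(stats, floor=0.5, min_signed=4):
    """True when enough signed mail was seen and the verify rate is below the assumed floor."""
    rate = verify_rate(stats)
    return rate is not None and stats["signed"] >= min_signed and rate < floor

if __name__ == "__main__":
    s = dkim_stats(SAMPLE_LOG)
    print(dict(s), verify_rate(s), looks_broken(s))
```

A rate far below what other sites report points at the local verification path (module version, a pre-filter or MTA altering the message, or late checking) rather than at the senders.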

Re: DKIM sigs started failing.

Posted by Michael Scheidell <sc...@secnap.net>.
> On 9/4/08 at 9:10 AM -0400 Michael Scheidell wrote:
>> Anyone else missing the DKIM_VERIFIED rule on legit email?
> 
> Out of the last 249,000 emails, DKIM_VERIFIED has only hit 18 times.
> DKIM_SIGNED on the other hand has hit about 58,000 times.
> 
> Nedry
> 
All legit email?
Something has happened.   You running Mail-DKIM .32 or .31?
-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer



Re: DKIM sigs started failing.

Posted by Larry Nedry <sp...@bluestreak.net>.
On 9/4/08 at 9:10 AM -0400 Michael Scheidell wrote:
>Anyone else missing the DKIM_VERIFIED rule on legit email?

Out of the last 249,000 emails, DKIM_VERIFIED has only hit 18 times.
DKIM_SIGNED on the other hand has hit about 58,000 times.

Nedry