Posted to users@spamassassin.apache.org by Per Jessen <pe...@computer.org> on 2010/12/21 08:45:03 UTC

DKIM verification failed vs DKIM couldn't verify ?

I think I must have asked this before, so I must have forgotten the
answer - is there any way of distinguishing between "DKIM verification
negative" and "DKIM could not verify"?


/Per Jessen, Zürich


Re: DKIM verification failed vs DKIM couldn't verify ?

Posted by Per Jessen <pe...@computer.org>.
Mark Martinec wrote:

> On Wednesday December 29 2010 20:05:20 Per Jessen wrote:
>> How about the case of rejecting/scoring obviously forged senders?
>> I.e. "from-address = facebook.com" and "dkim verification completed,
>> but failed".  That is a pretty good reason for a high score or a
>> reject, whereas "from-address = facebook.com" and "dkim verification
>> failed (temp DNS issue)" isn't.
> 
> Exactly. That's why I said that the ADSP side of the DKIM plugin
> treats temporary failures as it is supposed to.
> 

Ah, got it. (I didn't know what ADSP meant). 


/Per Jessen, Zürich


Re: DKIM verification failed vs DKIM couldn't verify ?

Posted by Mark Martinec <Ma...@ijs.si>.
On Wednesday December 29 2010 20:05:20 Per Jessen wrote:
> How about the case of rejecting/scoring obviously forged senders?
> I.e. "from-address = facebook.com" and "dkim verification completed,
> but failed".  That is a pretty good reason for a high score or a
> reject, whereas "from-address = facebook.com" and "dkim verification
> failed (temp DNS issue)" isn't.

Exactly. That's why I said that the ADSP side of the DKIM plugin
treats temporary failures as it is supposed to.

  Mark

Re: DKIM verification failed vs DKIM couldn't verify ?

Posted by Per Jessen <pe...@computer.org>.
Mark Martinec wrote:

> myself wrote:
>> No, there currently is no way to distinguish a temporary failure
>> (e.g. a timeout due to network problems) from other DNS failures
>> in SpamAssassin's DKIM plugin.
> 
> On the other hand, this isn't too bad.  DKIM validity is commonly
> associated with whitelisting or reputation, so a broken signature,
> just like a DNS service failure, only means that some negative
> score points are absent. A temporary failure need not be treated
> any differently than a missing or invalid signature.

How about the case of rejecting/scoring obviously forged senders? 
I.e. "from-address = facebook.com" and "dkim verification completed,
but failed".  That is a pretty good reason for a high score or a
reject, whereas "from-address = facebook.com" and "dkim verification
failed (temp DNS issue)" isn't. 


/Per Jessen, Zürich


Re: DKIM verification failed vs DKIM couldn't verify ?

Posted by Mark Martinec <Ma...@ijs.si>.
myself wrote:
> No, there currently is no way to distinguish a temporary failure
> (e.g. a timeout due to network problems) from other DNS failures
> in SpamAssassin's DKIM plugin.

On the other hand, this isn't too bad.  DKIM validity is commonly
associated with whitelisting or reputation, so a broken signature,
just like a DNS service failure, only means that some negative
score points are absent. A temporary failure need not be treated
any differently than a missing or invalid signature.

Contrary to the above, an ADSP policy check _is_ sensitive to
temporary failures. A SERVFAIL or a timeout should not cause
substantial score points - and it doesn't!  The DKIM plugin
treats DNS failures on obtaining a policy the same as 'unknown'
policy, i.e. it yields no penalty score points. Some fraud may
sneak through on serious DNS trouble, but then again, there
will be more serious issues elsewhere when such happens.

  Mark

Re: DKIM verification failed vs DKIM couldn't verify ?

Posted by Mark Martinec <Ma...@ijs.si>.
On Tuesday December 21 2010 08:45:03 Per Jessen wrote:
> I think I must have asked this before, so I must have forgotten the
> answer - is there any way of distinguishing between "DKIM verification
> negative" and "DKIM could not verify"?

No, there currently is no way to distinguish a temporary failure
(e.g. a timeout due to network problems) from other DNS failures
in SpamAssassin's DKIM plugin.

Even though a man page for Mail::DKIM::Verifier defines a result
value 'temperror', the actual code never provides this value
as far as I can tell. A timeout produces 'invalid' result:

  invalid (public key: DNS query timeout for ...)

and in case of a DNS local server which has no connectivity
to the requested domain the result is also an 'invalid':

  invalid (public key: DNS error: SERVFAIL)

This would need to be coordinated with the author of the
module Mail::DKIM, complemented by adding a new status/rule
for such condition. I'm not sure if a genuine SERVFAIL rcode
qualifies as a temporary failure, but a timeout definitely does.


  Mark
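The distinction the thread asks for (Per's "verification completed, but failed" versus "could not verify", and Mark's point that a temporary DNS failure should not earn penalty points), as an added example that is not part of the thread and is not SpamAssassin or Mail::DKIM code. It is a small Python classifier over Mail::DKIM-style result strings: the two "invalid (public key: ...)" forms Mark quotes are used verbatim, the other sample strings are constructed for the example, and the names (Outcome, classify, score, must_sign) and the score values are assumptions chosen for illustration, not the plugin's actual rules or scores.

```python
"""Separate 'signature checked and wrong' from 'could not check' when
reading Mail::DKIM-style verifier results, then score accordingly.

Hypothetical helper written for this example; not SpamAssassin's DKIM
plugin and not Mail::DKIM.  The documented Mail::DKIM::Verifier result
values are pass, fail, invalid, temperror and none; the thread notes
that a DNS timeout or SERVFAIL currently surfaces as 'invalid' with the
reason in the parenthesised detail, so the detail is inspected too.
"""
import re
from enum import Enum


class Outcome(Enum):
    PASS = "pass"            # signature verified against the published key
    HARDFAIL = "hardfail"    # verification completed, signature did not verify
    TEMPFAIL = "tempfail"    # key lookup timed out / SERVFAIL: could not verify
    PERMERROR = "permerror"  # unusable signature or key, not a transient problem
    NONE = "none"            # no DKIM signature present


# Detail substrings that indicate a transient DNS problem rather than a
# bad signature.  The first two are the exact forms quoted in the thread.
TEMP_PATTERNS = (
    re.compile(r"DNS query timeout", re.I),
    re.compile(r"DNS error: SERVFAIL", re.I),
    re.compile(r"\btimed? ?out\b", re.I),
)

# "result" or "result (detail)", as Mail::DKIM prints it.
RESULT_RE = re.compile(r"^\s*(\w+)(?:\s*\((.*)\))?\s*$")


def classify(result_line: str) -> Outcome:
    """Map one verifier result string to an Outcome."""
    m = RESULT_RE.match(result_line)
    if not m:
        raise ValueError(f"unrecognised result: {result_line!r}")
    result, detail = m.group(1).lower(), m.group(2) or ""
    if result == "pass":
        return Outcome.PASS
    if result == "fail":
        return Outcome.HARDFAIL
    if result == "temperror":
        return Outcome.TEMPFAIL
    if result == "none":
        return Outcome.NONE
    if result == "invalid":
        # A timeout or SERVFAIL while fetching the public key means the
        # signature was never actually checked: treat it as temporary.
        if any(p.search(detail) for p in TEMP_PATTERNS):
            return Outcome.TEMPFAIL
        return Outcome.PERMERROR
    raise ValueError(f"unknown result value {result!r}")


def score(from_domain: str, sig_domain, outcome: Outcome, must_sign: bool) -> float:
    """Return a hypothetical spam-score contribution (values are assumptions).

    must_sign marks a From: domain known to sign all its mail (the
    "from-address = facebook.com" case in the thread).  A completed but
    failed verification, or a missing/broken signature from such a
    domain, is penalised; a TEMPFAIL never is, mirroring how the thread
    says the plugin's ADSP check treats a DNS failure as 'unknown'.
    """
    from_domain = from_domain.lower()
    aligned = sig_domain is not None and (
        from_domain == sig_domain.lower() or from_domain.endswith("." + sig_domain.lower())
    )
    if outcome is Outcome.PASS and aligned:
        return -0.5   # small credit for an aligned, verified signature
    if outcome is Outcome.TEMPFAIL:
        return 0.0    # could not verify: no evidence either way
    if must_sign and outcome in (Outcome.HARDFAIL, Outcome.NONE, Outcome.PERMERROR):
        return 5.0    # claims a signing domain but the signature is absent or broken
    if outcome is Outcome.HARDFAIL:
        return 1.0    # signature present and wrong, but no policy expectation
    return 0.0


if __name__ == "__main__":
    # Constructed sample results; the first two are the forms quoted by Mark.
    samples = [
        "invalid (public key: DNS query timeout for sel._domainkey.example.com)",
        "invalid (public key: DNS error: SERVFAIL)",
        "fail (body has been altered)",
        "invalid (public key: not available)",
        "pass",
    ]
    for s in samples:
        o = classify(s)
        print(f"{s:<70} -> {o.value:<9} score={score('facebook.com', 'facebook.com', o, True)}")
```

The point the code makes explicit is that "invalid" alone is not enough to decide anything: only after the detail has been checked for a timeout or SERVFAIL can a message that forges a known signing domain be told apart from one that merely arrived during DNS trouble.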