You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/02/15 11:36:56 UTC
Re: dkim plugins warnings
Can you capture a message that causes this, and open a bug on the
bugzilla? I haven't seen that before. (Even if it's harmless,
the warning message is ugly.)
--j.
Raul Dias writes:
> I have being getting a lot of this in my logs:
>
> Feb 14 21:55:13 s spamd[7249]: dkim: invalid DKIM-Signature: invalid
> (unsupported protocol)
> at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/DKIM.pm line
> 339, <GEN114> line 390
>
> Is this something I should worry about?
>
> AFAIS, it is related to broken DK implementation on the sender, shouldnt
> this be reflect as some score instead of a warning?
>
> -Raul Dias
Re: dkim plugins warnings
Posted by Mark Martinec <Ma...@ijs.si>.
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5095#c3
Btw, that particular check and message was removed from Mail::DKIM:
-- VERSION 0.20 --
2006-10-24: Jason Long <jl...@messiah.edu>
* lib/Mail/DKIM/MessageParser.pm: removed problematic check for
"control characters"
> Probably not a bad idea since it may encourage people to upgrade to
> newer versions of Mail::DKIM that fix whatever is being spewed about.
Btw, in view of my patch in:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
I didn't know what to do with existing calls to warn, so I left them it.
Such messages to stderr may be annoying or confusing for end-users,
so perhaps these should all be removed (replaced by call to dbg()),
at least in Plugin::DKIM.
Mark
Re: dkim plugins warnings
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
I thought you voted for letting Mail::DKIM spew whatever it wanted. :)
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5095#c3
Probably not a bad idea since it may encourage people to upgrade to
newer versions of Mail::DKIM that fix whatever is being spewed about.
Daryl
Justin Mason wrote:
> Can you capture a message that causes this, and open a bug on the
> bugzilla? I haven't seen that before. (Even if it's harmless,
> the warning message is ugly.)
>
> --j.
>
> Raul Dias writes:
>> I have being getting a lot of this in my logs:
>>
>> Feb 14 21:55:13 s spamd[7249]: dkim: invalid DKIM-Signature: invalid
>> (unsupported protocol)
>> at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/DKIM.pm line
>> 339, <GEN114> line 390
>>
>> Is this something I should worry about?
>>
>> AFAIS, it is related to broken DK implementation on the sender, shouldnt
>> this be reflect as some score instead of a warning?
>>
>> -Raul Dias
>
Re: dkim plugins warnings
Posted by Mark Martinec <Ma...@ijs.si>.
Bill Landry writes,
> Mark, your patches for DKIM.pm and DkSignature.pm took care of the issue
> I was seeing with GMail DomainKey signatures, since they were missing
> the "q=dns" tag.
Below is a similar patch to Mail/DKIM/DkSignature.pm,
this time to handle missing 'a' tags in DomainKeys signatures,
which seem to be practiced by paypal.com and ebay.com.
(I sent the patch to Jason Long as well).
--- DKIM/DkSignature.pm~ Fri Feb 9 19:47:55 2007
+++ DKIM/DkSignature.pm Mon Feb 19 20:52:47 2007
@@ -127,4 +127,23 @@
}
+=head2 algorithm() - get or set the algorithm (a=) field
+
+The algorithm used to generate the signature.
+Defaults to "rsa-sha1", an RSA-signed SHA-1 digest.
+
+=cut
+
+sub algorithm
+{
+ my $self = shift;
+
+ if (@_)
+ {
+ $self->set_tag("a", shift);
+ }
+
+ return lc $self->get_tag("a") || 'rsa-sha1';
+}
+
=head2 canonicalization() - get or set the canonicalization (c=) field
Mark
Re: dkim plugins warnings
Posted by Bill Landry <bi...@inetmsg.com>.
Mark Martinec wrote the following on 2/15/2007 3:37 AM -0800:
> Raul Dias writes:
>
>> I have being getting a lot of this in my logs:
>>
>> [snip]
> Below is my patch, please apply it to Mail::DKIM files
> DkSignature.pm and Verifier.pm and see if it fixes the warnings
> you are seeing.
Mark, your patches for DKIM.pm and DkSignature.pm took care of the issue
I was seeing with GMail DomainKey signatures, since they were missing
the "q=dns" tag.
Before patches (mail from gmail.com):
=====================================
X-Spam-Status: No, score=2.58 required=10 tests=[AWL=1.079, BAYES_50=0.001,
L_P0F_Linux=-0.5, L_UNVERIFIED_GMAIL=2.5,...
After patches (mail from gmail.com):
====================================
X-Spam-Status: No, score=0.997 required=10 tests=[AWL=2.496, BAYES_60=1,
DKIM_SIGNED=0.001, DKIM_VERIFIED=-1.5, L_P0F_Linux=-0.5,...
Thanks!
Bill
Re: dkim plugins warnings
Posted by Mark Martinec <Ma...@ijs.si>.
> ok, the warnings are gone. There is only one missing ; in the patch
> Missing ; here, right?
Right.
-+ : "invalid domain in d tag"
++ : "invalid domain in d tag";
If you want, you may apply also my patch to Plugin::DKIM.pm.
Fixes two minor problems and adds some niceities. See:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
Mark
Re: dkim plugins warnings
Posted by Raul Dias <ra...@dias.com.br>.
On Thu, 2007-02-15 at 12:37 +0100, Mark Martinec wrote:
[...]
> Below is my patch, please apply it to Mail::DKIM files
> DkSignature.pm and Verifier.pm and see if it fixes the warnings
> you are seeing.
ok, the warnings are gone. There is only one missing ; in the patch
(below).
> > AFAIS, it is related to broken DK implementation on the sender,
> > shouldnt this be reflect as some score instead of a warning?
>
> Can't say. A general policy of SA is to add score points only
> when some item is an indicator of spam, not just because it
> violates some standard.
I was thinking more about flaging the error than necessary adding high
score, like 0.01.
> - unless ($signature->domain)
> + unless ($signature->domain ne '')
> {
> # no domain specified
> - $self->{signature_reject_reason} = "missing d= parameter";
> + $self->{signature_reject_reason} =
> + !defined($signature->domain) ? "missing d tag"
> + : "invalid domain in d tag"
Missing ; here, right?
> return 0;
> }
-Raul Dias
Re: dkim plugins warnings
Posted by Mark Martinec <Ma...@ijs.si>.
Raul Dias writes:
> I have being getting a lot of this in my logs:
>
> Feb 14 21:55:13 s spamd[7249]: dkim: invalid DKIM-Signature: invalid
> (unsupported protocol)
> at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/DKIM.pm
> line 339
>
> Is this something I should worry about?
I believe it is due to a DomainKeys signature with a missing q tag
(the query protocol). The DomainKeys draft mandates this tag,
even though its only possible value is q=dns. Some broken signers
leave it out.
As the newer DKIM protokol draft makes this tag optional, I just
suggested relaxing the check for DomainKeys signatures too,
sending a mail to Jason Long (the author of Mail::DKIM module)
just last week. The change will be in 0.23 I believe.
Below is my patch, please apply it to Mail::DKIM files
DkSignature.pm and Verifier.pm and see if it fixes the warnings
you are seeing.
> AFAIS, it is related to broken DK implementation on the sender,
> shouldnt this be reflect as some score instead of a warning?
Can't say. A general policy of SA is to add score points only
when some item is an indicator of spam, not just because it
violates some standard.
--- DkSignature.pm~ Wed Jan 17 22:41:25 2007
+++ DkSignature.pm Fri Feb 9 19:47:55 2007
@@ -273,5 +273,7 @@
$self->set_tag("q", shift);
- return $self->get_tag("q");
+ # although draft-delany-domainkeys-base-06 does mandate presence of a
+ # q=dns tag, it is quote common that q tag is missing - be merciful
+ return !defined($self->get_tag("q")) ? 'dns' : $self->get_tag("q");
}
--- Verifier.pm~ Fri Jan 19 15:03:52 2007
+++ Verifier.pm Fri Feb 9 19:43:31 2007
@@ -183,5 +183,5 @@
# unsupported algorithm
$self->{signature_reject_reason} = "unsupported algorithm";
- if ($signature->algorithm)
+ if (defined $signature->algorithm)
{
$self->{signature_reject_reason} .= " " . $signature->algorithm;
@@ -194,5 +194,5 @@
# unsupported canonicalization method
$self->{signature_reject_reason} = "unsupported canonicalization";
- if ($signature->method)
+ if (defined $signature->method)
{
$self->{signature_reject_reason} .= " " . $signature->method;
@@ -203,17 +203,17 @@
unless ($signature->check_protocol)
{
- # unsupported protocol
- $self->{signature_reject_reason} = "unsupported protocol";
- if ($signature->protocol)
- {
- $self->{signature_reject_reason} .= " " . $signature->protocol;
- }
+ # unsupported query protocol
+ $self->{signature_reject_reason} =
+ !defined($signature->protocol) ? "missing q tag"
+ : "unsupported query protocol, q=" . $signature->protocol;
return 0;
}
- unless ($signature->domain)
+ unless ($signature->domain ne '')
{
# no domain specified
- $self->{signature_reject_reason} = "missing d= parameter";
+ $self->{signature_reject_reason} =
+ !defined($signature->domain) ? "missing d tag"
+ : "invalid domain in d tag"
return 0;
}
@@ -222,5 +222,5 @@
{
# no selector specified
- $self->{signature_reject_reason} = "missing s= parameter";
+ $self->{signature_reject_reason} = "missing s tag";
return 0;
}
@@ -546,7 +546,9 @@
fail (body has been altered)
invalid (unsupported canonicalization)
- invalid (unsupported protocol)
- invalid (missing d= parameter)
- invalid (missing s= parameter)
+ invalid (unsupported query protocol)
+ invalid (invalid domain in d tag)
+ invalid (missing q tag)
+ invalid (missing d tag)
+ invalid (missing s tag)
invalid (unsupported v=0.1 tag)
invalid (no public key available)
Mark