You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Rolf E. Sonneveld" <R....@sonnection.nl> on 2010/12/23 19:15:29 UTC
DKIM tests
Hi,
running (soon to be upgraded):
SpamAssassin Server version 3.2.5
running on Perl 5.8.8
I'm new to this list, although I'm not new to SpamAssassin. Looking at
http://spamassassin.apache.org/tests_3_3_x.html, and particularly at the
following DKIM tests:
DKIM_VERIFIED
DKIM_POLICY_TESTING
DKIM_POLICY_SIGNSOME
DKIM_POLICY_SIGNALL
I wonder what these tests exactly mean. The Wiki pages for them are not
yet written, hence my question here on the list. As the default scores
of these tests are all one (1) I wonder what exactly these tests do. For
example, does the first test (DKIM_VERIFIED) means, that if a DKIM
signature could be verified, the score is increased by one (1)? And
what does 'verified' mean? A verification result can be positive and
negative but in both situations the DKIM signature may have been
verified correctly (i.e. no DNS problems, no ambiguous outcome etc.).
Furthermore, the name of the 3rd and 4th of these tests seems to hint
into the directory of ADSP, as policy mechanism added to DKIM? Is it
correct that these tests perform an ADSP DNS lookup?
/rolf
Re: DKIM tests
Posted by Mark Martinec <Ma...@ijs.si>.
Rolf,
> Does it mean http://spamassassin.apache.org/tests_3_3_x.html needs a
> correction of the score (1) for these tests?
I guess so. Not sure where these scores came from. Anyway, that page
is just a development/testing tool, don't worry too much about it.
What matters is the score in your configuration files, either defaults,
or overridded. And not to forget sa-update.
> I am pleased to see that the ADSP tests can be recognized by their name
> and that DKIM itself and ADSP are not mixed up.
I'm quite fond of the adsp_override command, it breaks the chicken
and the egg problem of who will dare to publish its ADSP in DNS,
knowing that few recipient sites currently bother to check it.
> > and means that at least one signature is valid.
> > Since we have no information at this point on the reputation
> > of a signer, its score is very low too, but can serve in meta
> > rules to contribute good score to reputable signers
I should have mentioned there exists an easier way to make use
of the 3.3 DKIM eval rules for the purpose of manually assigning
reputation score points. Two examples (wrapped for clarity,
a rule should be in single line):
full DKIM_VALID_YG eval:check_dkim_valid(gmail.com, googlemail.com,
googlegroups.com, yahoogroups.com, .yahoo.com, .yahoo.ca, .yahoo.de,
.yahoo.fr, .yahoo.in, .yahoo.co.in, .yahoo.co.jp, .yahoo.co.nz,
.yahoo.co.uk, .yahoo.com.hk, .yahoo.com.ph, .yahoo.com.vn)
score DKIM_VALID_YG -0.5
full DKIM_VALID_WEGAME eval:check_dkim_valid(email.wegame.com)
score DKIM_VALID_WEGAME -8
The above is similar in purpose to whitelist_from_dkim, but
offers a full control over score points attributed to each
signing domain in valid DKIM (or DK) signatures.
Mark
Re: DKIM tests
Posted by "Rolf E. Sonneveld" <R....@sonnection.nl>.
Hi, Mark,
On 12/23/10 7:44 PM, Mark Martinec wrote:
> Rolf,
>
>> running (soon to be upgraded):
>> SpamAssassin Server version 3.2.5
>> running on Perl 5.8.8
>>
>> I'm new to this list, although I'm not new to SpamAssassin. Looking at
>> http://spamassassin.apache.org/tests_3_3_x.html, and particularly at the
>> following DKIM tests:
>>
>> DKIM_VERIFIED
>> DKIM_POLICY_TESTING
>> DKIM_POLICY_SIGNSOME
>> DKIM_POLICY_SIGNALL
>>
>> I wonder what these tests exactly mean. The Wiki pages for them are not
>> yet written, hence my question here on the list.
> 3.2.5 - 25_dkim.cf:
> describe DKIM_SIGNED Domain Keys Identified Mail: message has a signature
> describe DKIM_VERIFIED Domain Keys Identified Mail: signature passes verification
> describe DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
> describe DKIM_POLICY_SIGNALL Domain Keys Identified Mail: policy says domain signs all mails
> describe DKIM_POLICY_TESTING Domain Keys Identified Mail: policy says domain is testing DK
>
> 3.3.1 - 25_dkim.cf:
> describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> describe DKIM_VALID Message has at least one valid DKIM or DK signature
> describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
> describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
> describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
> and suggests discarding the rest
> describe DKIM_ADSP_ALL No valid author signature, domain signs all mail
> describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is CUSTOM_LOW
> describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
> describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is CUSTOM_HIGH
> 60_whitelist_dkim.cf:
> describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM whitelist
> describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
Oops, I just forgot to have a look at the rules and scores themselves
within my SA configuration.
> The are some differences in DKIM plugin and its rules between 3.2.5 and 3.3.1,
> but the concept is the same.
>
> DKIM_SIGNED just means there is a signature. Purely informative, no score.
>
> DKIM_VERIFIED has been renamed DKIM_VALID with 3.3.0 (both names
> are still there, aliases), and means that at least one signature is valid.
> Since we have no information at this point on the reputation of a
> signer, its score is very low too, but can serve in meta rules to contribute
> good score to reputable signers (instead of hard-whitelisting them
> with USER_IN_DKIM_WHITELIST).
>
> The DKIM_POLICY_* are gone in 3.3.0, they are just there for compatibility,
> with score 0.
Does it mean http://spamassassin.apache.org/tests_3_3_x.html needs a
correction of the score (1) for these tests?
> New with 3.3.* is the ADSP support. See POD docs on the DKIM plugin.
I am pleased to see that the ADSP tests can be recognized by their name
and that DKIM itself and ADSP are not mixed up.
>
>> As the default scores of these tests are all one (1)
> No, they are not at 1. Grep your 50_scores.cf file.
>
> 3.2.5:
> score USER_IN_DKIM_WHITELIST -100.000
> score USER_IN_DEF_DKIM_WL -7.500
> score ENV_AND_HDR_DKIM_MATCH -7.500
> score DKIM_POLICY_SIGNALL 0.001
> score DKIM_POLICY_SIGNSOME 0
> score DKIM_POLICY_TESTING 0.001
> score DKIM_SIGNED 0.001
> score DKIM_VERIFIED -0.001
>
> 3.3.1:
>
> score USER_IN_DKIM_WHITELIST -100.000
> score USER_IN_DEF_DKIM_WL -7.500
> score DKIM_SIGNED 0.1
> score DKIM_VALID -0.1
> score DKIM_VALID_AU -0.1
> score DKIM_VERIFIED 0
> score DKIM_POLICY_SIGNALL 0
> score DKIM_POLICY_SIGNSOME 0
> score DKIM_POLICY_TESTING 0
> score DKIM_ADSP_CUSTOM_LOW 0.001
> score DKIM_ADSP_CUSTOM_MED 0.001
> score DKIM_ADSP_CUSTOM_HIGH 0.001
> score DKIM_ADSP_ALL 0 1.1 0 0.8
> score DKIM_ADSP_DISCARD 0 1.8 0 1.8
> score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
>
>
>> I wonder what exactly these tests do. For
>> example, does the first test (DKIM_VERIFIED) means, that if a DKIM
>> signature could be verified, the score is increased by one (1)? And
>> what does 'verified' mean? A verification result can be positive and
>> negative but in both situations the DKIM signature may have been
>> verified correctly (i.e. no DNS problems, no ambiguous outcome etc.).
> This is why DKIM_VERIFIED has been renamed to DKIM_VALID.
>
>> Furthermore, the name of the 3rd and 4th of these tests seems to hint
>> into the directory of ADSP, as policy mechanism added to DKIM? Is it
>> correct that these tests perform an ADSP DNS lookup?
> Yes, with 3.3, if you allow them to do so (can be overruled by
> adsp_override command).
Thanks very much!
/rolf
Re: DKIM tests
Posted by Mark Martinec <Ma...@ijs.si>.
Rolf,
> running (soon to be upgraded):
> SpamAssassin Server version 3.2.5
> running on Perl 5.8.8
>
> I'm new to this list, although I'm not new to SpamAssassin. Looking at
> http://spamassassin.apache.org/tests_3_3_x.html, and particularly at the
> following DKIM tests:
>
> DKIM_VERIFIED
> DKIM_POLICY_TESTING
> DKIM_POLICY_SIGNSOME
> DKIM_POLICY_SIGNALL
>
> I wonder what these tests exactly mean. The Wiki pages for them are not
> yet written, hence my question here on the list.
3.2.5 - 25_dkim.cf:
describe DKIM_SIGNED Domain Keys Identified Mail: message has a signature
describe DKIM_VERIFIED Domain Keys Identified Mail: signature passes verification
describe DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
describe DKIM_POLICY_SIGNALL Domain Keys Identified Mail: policy says domain signs all mails
describe DKIM_POLICY_TESTING Domain Keys Identified Mail: policy says domain is testing DK
3.3.1 - 25_dkim.cf:
describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
describe DKIM_VALID Message has at least one valid DKIM or DK signature
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
and suggests discarding the rest
describe DKIM_ADSP_ALL No valid author signature, domain signs all mail
describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is CUSTOM_LOW
describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is CUSTOM_HIGH
60_whitelist_dkim.cf:
describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM whitelist
describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
The are some differences in DKIM plugin and its rules between 3.2.5 and 3.3.1,
but the concept is the same.
DKIM_SIGNED just means there is a signature. Purely informative, no score.
DKIM_VERIFIED has been renamed DKIM_VALID with 3.3.0 (both names
are still there, aliases), and means that at least one signature is valid.
Since we have no information at this point on the reputation of a
signer, its score is very low too, but can serve in meta rules to contribute
good score to reputable signers (instead of hard-whitelisting them
with USER_IN_DKIM_WHITELIST).
The DKIM_POLICY_* are gone in 3.3.0, they are just there for compatibility,
with score 0.
New with 3.3.* is the ADSP support. See POD docs on the DKIM plugin.
> As the default scores of these tests are all one (1)
No, they are not at 1. Grep your 50_scores.cf file.
3.2.5:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score ENV_AND_HDR_DKIM_MATCH -7.500
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
3.3.1:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
score DKIM_VALID_AU -0.1
score DKIM_VERIFIED 0
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0
score DKIM_ADSP_CUSTOM_LOW 0.001
score DKIM_ADSP_CUSTOM_MED 0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
> I wonder what exactly these tests do. For
> example, does the first test (DKIM_VERIFIED) means, that if a DKIM
> signature could be verified, the score is increased by one (1)? And
> what does 'verified' mean? A verification result can be positive and
> negative but in both situations the DKIM signature may have been
> verified correctly (i.e. no DNS problems, no ambiguous outcome etc.).
This is why DKIM_VERIFIED has been renamed to DKIM_VALID.
> Furthermore, the name of the 3rd and 4th of these tests seems to hint
> into the directory of ADSP, as policy mechanism added to DKIM? Is it
> correct that these tests perform an ADSP DNS lookup?
Yes, with 3.3, if you allow them to do so (can be overruled by
adsp_override command).
Mark
Re: DKIM tests
Posted by "Rolf E. Sonneveld" <R....@sonnection.nl>.
On 12/23/10 7:15 PM, Rolf E. Sonneveld wrote:
> Hi,
>
> running (soon to be upgraded):
> SpamAssassin Server version 3.2.5
> running on Perl 5.8.8
>
> I'm new to this list, although I'm not new to SpamAssassin. Looking at
> http://spamassassin.apache.org/tests_3_3_x.html, and particularly at
> the following DKIM tests:
>
> DKIM_VERIFIED
> DKIM_POLICY_TESTING
> DKIM_POLICY_SIGNSOME
> DKIM_POLICY_SIGNALL
>
> I wonder what these tests exactly mean. The Wiki pages for them are
> not yet written, hence my question here on the list. As the default
> scores of these tests are all one (1) I wonder what exactly these
> tests do. For example, does the first test (DKIM_VERIFIED) means, that
> if a DKIM signature could be verified, the score is increased by one
> (1)? And what does 'verified' mean? A verification result can be
> positive and negative but in both situations the DKIM signature may
> have been verified correctly (i.e. no DNS problems, no ambiguous
> outcome etc.).
>
> Furthermore, the name of the 3rd and 4th of these tests seems to hint
> into the directory of ADSP
excuse me, should have been: into the direction of ADSP...
> , as policy mechanism added to DKIM? Is it correct that these tests
> perform an ADSP DNS lookup?
>
/rolf