The mails in general are erroneously rejected due to a Bayesian or HMM
hit.  That's clearly a problem but there's always going to be false
positives, I just want to limit them however possible, I just figured that
if we know they have DKIM signing and we trust the org not to send spam,
that this would be a silver bullet to let the mail through, without
whitelisting the domain, and it would help improve the corpus automatically
while we do this.

The idea of using a bombRe to adjust scoring is interesting and the ability
to run an executable expression within them is intriguing!  I need to
absorb this a bit.  Definitely an advanced option, but potentially super
powerful.  Certainly not for non-advanced users.  I feel like my suggestion
(if a sound concept) would be potentially applicable to all.

I see your point of requiring the entire header for DKIM validation, but I
don't see why that would break my concept.  Since we're already able to
validate DKIM signatures, is it unreasonable to have a list of from domains
that is checked after the header is received if, and only if, a DKIM is
validated to see if there's a match on that header list?  Sure, the code to
do this in ASSP doesn't exist, but why wouldn't that theory work?

Thanks for always being so responsive and entertaining my ideas,
Ken


On Sun, Mar 4, 2018 at 2:41 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >our $DKIMpassAction = 7;                 # (0..7) if DKIM pass: bit-0 = set rwlok to 1 (medium trust status), bit-1 = skip penaltybox-check, bit-2 = set IP-score to zero - default is 7 (all bits set)
>
> This shows all. The mail is nearly fully whitelisted (medium trust status),
> the penaltybox is not checked, the IP-score is cleared.
>
> If such a mail is blocked by assp, the question is - why?
>
> If this question is answered, configure the blocking check to your needs.
>
> >AND it's got a valid DKIM signature tied to the from domain, treat the
> mail as whitelisted.
>
> All DKIM checks made before the complete mail is received (e.g. header part
> check) have a medium trust - why? The full DKIM signature check requires
> to have the full mail received. So, for most of the mails all other checks
> are done before the DKIM-signature can be checked.
>
> Your logic will not work!
>
> >Do you think this makes sense to consider as a possible future ASSP
> feature?
> No.
> If you want, you can write your own level-1 plugin (after header checks
> are done) to puzzle out your logic using the available low trust DKIM
> verification results.
>
>
> >Maybe there's another way?  I'm all ears.
>
> It is possible to use an available '..bombRe' regular expression feature
> (here - e.g. bombHeaderRe) to reduce or to increase the score of an email,
> based on found DKIM signatures for specific domains.
>
> ~\n(?:DKIM|DomainKey)-Signature:(?:\s*(?:[a-ce-z])=[\w\-\/]+\;)*\s*d=the\.domainname\.here\;~
> => your-(negative)score.or.weight-here
>
> or for more domains
>
> ~\n(?:DKIM|DomainKey)-Signature:(?:\s*(?:[a-ce-z])=[\w\-\/]+\;)*\s*d=(?:the\.domainname\.here|nextdomain|nextdomain|....)\;~
> => your-(negative)score.or.weight-here
>
>
> Any of the next versions will possibly be able to accept executable code
> in regular expressions (executed on regex match). This feature is
> implemented in perl regular expressions. It will make it (for example)
> possible to do the following:
>
> ~\n(?:DKIM|DomainKey)-Signature:(?:\s*(?:[a-ce-z])=[\w\-\/]+\;)*\s*d=(?:the\.domainname\.here|nextdomain|nextdomain|....)\;(?{eval('$Con{$fh}->{whitelisted}=1')})~
> => your-(negative)score.or.weight-here
> or
> ~\n(?:DKIM|DomainKey)-Signature:(?:\s*(?:[a-ce-z])=[\w\-\/]+\;)*\s*d=(?:the\.domainname\.here|nextdomain|nextdomain|....)\;(?{eval('CorrectASSPcfg::myDKIMCheck($fh)')})~
> => your-(negative)score.or.weight-here
>
> If a match is found, the code will be executed. In the first example, the
> 'whitelisted' flag is set to the highest trust level and the weight is
> used. The second example calls a custom sub routine in CorrectASSPcfg.pm on
> match.
>
> In the current version, this is forbidden by assp (even though perl allows
> it) and by default this will also be the case in future versions. But the
> future version will have a switch to allow the usage of this perl feature.
>
> Thomas
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        01.03.2018 19:03
> Subject:        Re: [Assp-test] [SPAM] Re: Allow DKIM signed mail through for a domain
> ------------------------------
>
>
>
> That's good to know, thanks.  However, I'm looking for something a little
> different.  I don't want to apply the same rules to ALL dkim signed mail,
> *only to those from specific domains*.  Otherwise any spammer who registers a
> domain and uses DKIM signing will have mail get through.  Worse, that would
> also have all signed mail from providers like gmail.com come through
> regardless of content.
>
> And note, I have RWLwhitelisting set to off (the default) for fear of
> having good IPs like office365's not do any other filtering.
>
> Instead, I'm thinking about logic like this: If the from address on an
> email  (only the header from address) matches what I have in a config file
> AND it's got a valid DKIM signature tied to the from domain, treat the mail
> as whitelisted.   Don't penalize these domains if it's not signed, but if
> it is, just let it through and put the mail to the notspam corpus.  This
> way known outside domains who we know generally dkim sign their mail will
> get through to us and improve bayesian / HMM.  Whitelisting a domain like
> redcross.org isn't an option, as spammers send
> from there to us all of the time.  But if we could always allow DKIM
> through regardless of which user sent to us, that would help.
>
> Do you think this makes sense to consider as a possible future ASSP
> feature?  Maybe there's another way?  I'm all ears.
>
> Thanks
>
>
>
> On Wed, Feb 28, 2018 at 11:51 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> If a mail passes the DKIM check it will be processed like it would be
> "RWLOK" (default).
> This can be configured using the hidden variable "$DKIMpassAction".
>
>
> our $DKIMpassAction = 7;                 # (0..7) if DKIM pass: bit-0 = set rwlok to 1 (medium trust status), bit-1 = skip penaltybox-check, bit-2 = set IP-score to zero - default is 7 (all bits set)
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        28.02.2018 15:54
> Subject:        [Assp-test] Allow DKIM signed mail through for a domain
> ------------------------------
>
>
>
>
> Lots of our external contacts use Office365.  Senderbase is obviously
> useless for them.  If a sender is whitelisted, fine, but there are often
> large numbers of senders in an organization (known organizations where we
> cannot whitelist the domain or else spammers from another server would get
> through).
>
> So, since many of these companies use DKIM is there a way with ASSP to
> consider an email for a particular sender domain whitelisted if the DKIM
> matches?  We cannot strictly require a DKIM or penalize since these
> larger organizations typically also send non-signed email from other
> sources, but if the DKIM does match for a list of domains, just let it
> through, regardless of content.
>
> Is that doable?  If not, is it worth considering?
>
> Respectfully,
> Ken
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
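Added example, not part of the original thread and not ASSP code: a Python version of the decision Ken describes (header From domain on a list AND a verified DKIM signature for that same domain), next to a Python port of the quoted bombHeaderRe pattern. The allowlist, the `verified_d` input (the d= domains a DKIM verifier validated on the complete message) and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist; redcross.org is the domain named in the thread.
TRUSTED_FROM_DOMAINS = {"redcross.org"}

# Python port of the bombHeaderRe pattern quoted in the thread.
HEADER_RE = re.compile(
    r"\n(?:DKIM|DomainKey)-Signature:(?:\s*[a-ce-z]=[\w\-/]+;)*\s*d=redcross\.org;")

def header_regex_hit(raw):
    """True if a signature header naming the domain is present (says nothing about validity)."""
    return HEADER_RE.search(raw) is not None

def from_domain(raw):
    """Domain of the single header From address, or None if absent or ambiguous."""
    froms = message_from_string(raw).get_all("From") or []
    if len(froms) != 1:          # zero or several From headers: do not trust
        return None
    addr = parseaddr(froms[0])[1]
    return addr.rpartition("@")[2].lower() or None

def decide(raw, verified_d):
    """verified_d: d= domains whose signatures a DKIM verifier validated
    against the complete message (assumed input; no crypto is done here)."""
    dom = from_domain(raw)
    if dom in TRUSTED_FROM_DOMAINS and dom in {d.lower() for d in verified_d}:
        return "whitelist"
    return "normal"              # unsigned or unaligned mail: filtered as usual, not penalized

def msg(from_addr, d):
    """Build a constructed sample message; d is the signing domain or None for unsigned."""
    sig = f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s=sel1; bh=AAAA; b=BBBB\n" if d else ""
    return f"Received: from mx.example\n{sig}From: Sender <{from_addr}>\nSubject: test\n\nbody\n"

def demo():
    signed = msg("a@redcross.org", "redcross.org")
    return {
        "verified, aligned":    decide(signed, {"redcross.org"}),
        "header only, failed":  decide(signed, set()),
        "third-party signer":   decide(msg("a@redcross.org", "bulkmailer.example"), {"bulkmailer.example"}),
        "unsigned":             decide(msg("a@redcross.org", None), set()),
        "signed, not on list":  decide(msg("x@gmail.com", "gmail.com"), {"gmail.com"}),
    }
```

The regex matches the signed sample whether or not its signature verified, which is why the whitelist decision here depends on the verifier's result for the full message and the regex alone is only suitable for a score adjustment.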