I understand that, and I sense your frustration, but I'm obviously not
understanding something.

Thanks for the changes in 18085. It looks like there are going to be some
great enhancements to work with. Every little bit helps, and these are
some pretty big bits! Thanks.

Still, I don't understand why validating DKIM only when it has an i= record
is what we'd want. Isn't d= signing without i= almost as useful? All the
tests I've done with DKIM sent to other providers seem to indicate valid
signatures even without the i=.

So why isn't ASSP coded to also consider the domain? Why wouldn't we want
it to? Is d= not also a good way of showing that a message is really
coming from the domain it claims to be? Yes, i= identifies the specific
address and is more granular, but as I understand it d= validates the
domain generally, which is useful.

Please hear me out by listening to this specific example. There are lots
more where this is a real-world problem that could be solved, as I see it,
by d= DKIM validation.

Take authentication emails from Microsoft for example, where they are
signed only with d=accountprotection.microsoft.com without an i= line. To
be able to automatically NP these when we know the DKIM is valid would be
invaluable. It's exactly these types of emails that have a tendency to be
erroneously tagged as spam. Their body sounds a lot like the scam versions
that are regularly intercepted. It comes from the Office365 service, so we
can't senderbase allow that. Scammers often send mail from the same
account-security-nore...@accountprotection.microsoft.com address, so we
can't whitelist that. Even if we could magically pass it based on an SPF
match alone, that wouldn't work because scammers could also send spoofed
through the same set of Office365 public servers.

A d= DKIM signature shows that someone who controls the DKIM record
provided a signing key to the server that sent this mail. We know that
these are always DKIM signed, but because ASSP ignores the valid d= (only)
signature and only looks for i=, the signature in this example isn't
validated. I don't understand why validating d= as well wouldn't be the
desired functionality.

DKIM i= records are gold, but d= only records are pretty close to perfect
too, so will you please reconsider changing ASSP to do so?

On Mon, Mar 26, 2018 at 2:18 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:
> again:
>
> ASSP uses the DKIM signature identity
>
> Thomas
>
>
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 25.03.2018 19:04
> Subject: Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> Is there a particular reason that ASSP can't also look to the d= tag?
>
> 2 thoughts here:
> 1) Unless I have something misconfigured, when ASSP sends DKIM signed mail
> it doesn't use an i= tag. Shouldn't ASSP be accepting of that for incoming
> mail?
>
> 2) Doing a very unscientific review of various inbound messages, of those
> that are DKIM signed, less than 25% seem to have the identity tag. They
> all obviously have the d= tag. Sure, i= is great, but if most have only
> the d= tag, why aren't we taking that into account? The Perl module seems
> to support it. If the signature validates using the d=, shouldn't we treat
> this as validated? I must not be understanding something.
>
>
>
> On Sun, Mar 25, 2018 at 4:57 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> ASSP uses the DKIM signature identity, which is mostly the i= tag. DKIM
> signatures without an identity are invalid. The i= tag is only one way (of
> multiple) to define a DKIM identity
>
> Thomas
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 24.03.2018 15:26
> Subject: Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> The GUI says that these 2 new features check the i= line. Lots of
> messages I'm seeing only have the d= entry (including mail sent through
> other ASSP servers). Could we check that as well?
>
> On Tue, Mar 20, 2018 at 2:48 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> >let people know that senderbase matches will be put in okay mail (not in
> >notspam)
>
> Collecting HAM is done flag (no flag, whitelisted, noprocessing) based and
> like configured.
>
> Thomas
>
>
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 19.03.2018 14:55
> Subject: Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> Sorry for the multiple messages on this, but thanks as always for the
> update!
>
> When I read "the mail will be *processed as *whitelisted" I got worried
> that it would be treated exactly as whitelisted, which could mean added to
> the whitelist itself. So, based on your note, I'd suggest changing the
> description of DKIMWLAddresses from
> If a valid DKIM or DomainKey signature is found and the signature identity
> tag (i=u...@domain.tld) matches any of these addresses, the mail will be
> processed as Whitelisted.
> to
> If a valid DKIM or DomainKey signature is found and the signature identity
> tag (i=u...@domain.tld) matches any of these addresses, the mail will be
> passed and saved as if it were Whitelisted. The message will pass all
> filters and will be added to the notspam corpus just like mail from a
> whitelisted sender would be. Unlike a true whitelisted sender, no
> whitelist address additions will be made
>
> Also, maybe put something in the SenderBase section to let people know
> that senderbase matches will be put in okay mail (not in notspam) and that
> people might also consider the DKIMWLAddresses to add to the notspam
> corpus if there's a DKIM match?
>
>
>
>
>
> On Mon, Mar 19, 2018 at 3:24 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
> >will this actually add the other non-local addresses to the whitelist
> >itself based on the NotGreedyWhitelist setting?
>
> No.
>
> Thomas
>
>
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 18.03.2018 20:34
> Subject: Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
>
> SORRY, - I meant to kill the last message and start over, but hit send
> inadvertently.
>
> Thanks again for implementing this.
>
> If there's a match in the DKIM Whitelisted Addresses file will this
> actually add the other non-local addresses to the whitelist itself based on
> the NotGreedyWhitelist setting? I hope not. If so, can we get another
> file option like DKIMTreatAsNotSpamAddresses which would treat the message
> as if it were whitelisted in terms of letting the message through and
> storing it in notspam, but not actually whitelisting the from and other
> addresses?
>
>
>
> On Sun, Mar 18, 2018 at 2:22 PM, K Post <nntp.p...@gmail.com> wrote:
>
> Thanks again for implementing this.
>
> Question, if I have something like
> u...@domain.tld
> in the DKIMWLAddresses file
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
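
Added example (not part of the thread and not ASSP code): RFC 6376 section 3.5 defines the default for a missing i= tag as "@" followed by the d= domain, so a d=-only signature still carries an identity. The Python below derives the signing domain and identity from a DKIM-Signature value and matches them against an allow-list; the function names, the '@domain' entry format, the selector and the sample header values are assumptions constructed for illustration.

```python
def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {name.strip(): val.strip() for name, val in pairs}

def signature_identity(value):
    """Return (signing domain d=, identity i=); raise ValueError if malformed."""
    tags = parse_tags(value)
    sdid = tags.get("d", "").lower()
    if not sdid:
        raise ValueError("d= is required")
    # RFC 6376 section 3.5: an absent i= defaults to "@" + the d= domain.
    auid = tags.get("i", "@" + sdid)
    if "@" not in auid:
        raise ValueError("i= must contain '@'")
    local, _, domain = auid.rpartition("@")
    domain = domain.lower()
    # The i= domain must be the d= domain or a subdomain of it.
    if domain != sdid and not domain.endswith("." + sdid):
        raise ValueError("i= is outside the d= domain")
    return sdid, local + "@" + domain

def identity_matches(value, allow_list):
    """Match one signature against entries 'user@domain' or '@domain'.

    Only meaningful for a signature that already verified cryptographically;
    this function checks the identity, not the signature itself.
    """
    try:
        sdid, auid = signature_identity(value)
    except ValueError:
        return False
    for entry in (e.strip().lower() for e in allow_list):
        if entry.startswith("@") and entry[1:] == sdid:
            return True   # domain-level entry matches the signing domain
        if entry == auid.lower():
            return True   # exact identity match
    return False

# Constructed sample values (bh=/b= shortened; not real signatures).
D_ONLY = ("v=1; a=rsa-sha256; d=accountprotection.microsoft.com; s=sel1; "
          "h=from:subject; bh=AAAA; b=BBBB")
WITH_I = ("v=1; a=rsa-sha256; d=example.org; s=sel1; "
          "i=alerts@mail.example.org; h=from; bh=AAAA; b=BBBB")
BAD_I = ("v=1; a=rsa-sha256; d=example.org; s=sel1; "
         "i=alerts@example.net; h=from; bh=AAAA; b=BBBB")
```

An address-level entry cannot match a d=-only signature, because its defaulted identity has an empty local part; only a domain-level entry can.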