Ok, then I still think it's an idea worth considering at some point in the future. Alternatives exist, but don't *exactly* do what I want. Bonus score based solely on signature, regardless of what Senderbase returns (to help bulk mailers through who might use AWS or somewhere else that's abused often). It takes all of the perfection that DWIMWLAddresses is, and just helps a message along, instead of outright whitelisting it. Again, not high priority or even that super useful, just raised it as an idea. I'll let it be, but if at some point in the future, you're so inclined.... Thanks for hearing me out!
On Tue, Nov 9, 2021 at 12:32 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote: > >are you saying that BombRe will look at headers that ASSP ads > > No, it looks only in to the original header. > > >I'm still worried about fake/invalid DKIM still getting the bonus score, > > Invalid DKIM signatures should be blocked or scored very high, so the > bonus score does not matter > > Thomas > > > > Von: "K Post" <nntp.p...@gmail.com> > An: "ASSP development mailing list" < > assp-test@lists.sourceforge.net> > Datum: 09.11.2021 05:53 > Betreff: Re: [Assp-test] Another Concept Question: > DKIMBousScoreList > ------------------------------ > > > > ah, wait, are you saying that BombRe will look at headers that ASSP ads, > like X-ASSP-DKIM-Identity (which would only be added for a valid > signature)? (!!!!!) I always assumed that the bomb functionality was > only on the mail's original headers. > > On Mon, Nov 8, 2021 at 2:28 PM K Post <*nntp.p...@gmail.com* > <nntp.p...@gmail.com>> wrote: > The bombHeaderRe with the DEFINE or list should be sufficient. I'm still > worried about fake/invalid DKIM still getting the bonus score, but this > will have to do. Thanks. > > On Mon, Nov 8, 2021 at 12:01 PM Thomas Eckardt < > *thomas.ecka...@thockar.com* <thomas.ecka...@thockar.com>> wrote: > I told you to score such domains elsewhere - just do it and the result is > the same like you wanted. > > for example: > > bombHeaderRe: > > \nDKIM-Signature:(?:[ \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ \t]*([di]=\@?( > The_Wanted_IDENTITY))\;=>the_wanted_negative_score > > currently the (?(DEFINE).......) is not working with assp (is destroyed if > a-d-n-o-r is not set for the file) - but the next version will do it - > and you can use: > > (?(DEFINE)(?<IDENTITY10>the_wanted_identity|ident2|ident3|......))\nDKIM-Signature:(?:[ > \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ > \t]*([di]=\@?(?&IDENTITY10))\;=>the_wanted_negative_score > - e.g. -10 > (?(DEFINE)(?<IDENTITY20>the_wanted_identity|ident5|ident6|......))\nDKIM-Signature:(?:[ > \t]*[^= \;]+=[^= \;]+\;(?:\r\n)?)+?[ > \t]*([di]=\@?(?&IDENTITY20))\;=>the_wanted_negative_score > - eg -20 > ... > > CLOSED for me > > > Thomas > > > > Von: "K Post" <*nntp.p...@gmail.com* <nntp.p...@gmail.com>> > An: "ASSP development mailing list" < > *assp-test@lists.sourceforge.net* <assp-test@lists.sourceforge.net>> > Datum: 05.11.2021 20:03 > Betreff: Re: [Assp-test] Another Concept Question: > DKIMBousScoreList > ------------------------------ > > > > Having the dkimBonusScoreList would be like applying > dkimBonusValancePB but ONLY for those that DKIM validate AND are on the > scorelist. Here's why I think that would be helpful and what you proposed > could be problematic. Essentially: I'm thinking: "look, this organization > usually sends good stuff, but not always. They might also have people > sending non-dkim signed messages through a myriad of channels. Deal with > them separately, but if we KNOW it's from them because of their DKIM > signature, help that message get through with the idea that it'll be > stored in okmail unless whitelisted through something other than dkim." > > > there is already dkimOkValencePB - increase it > But a high percentage of all messages that are received, spam and not, > have valid signatures. I don't think we should use that to give a bonus > regardless of who the signer is. All gmail messages are signed, almost > everyting from office365. Yes, I could do a univieral bonus then reduce > gmail and *onmicroosft.com* <http://onmicroosft.com/>, but that doesn't > get 365 users with their own signatures and all of the millions of > other domains out there. > > It was one thing when DKIM signing was a new concept and only legit > businesses signed messages. Now that most senders are signing, giving a > bonus would let an awful lot of spam slip through under the rejection > scoring threshold. > > >reduce the score for certain domains by blackListedDomains, SenderBase or > anywhere else - if needed > Senderbase won't work for those using AWS as an example - too many > spammers use them, so adding to senderbase can't be negated using > blacklist/bombs, etc because I obviously don't know all of the bad senders > using AWS. > > I could reduce the score based on a BombRe match on squaremktg, but then > I'm reducing when I haven't validated the signature. It would probably > work for this specific example, but it would be generally helpful to be > able to reduce the score on a message based solely on the signature when > I'm sure they're actually the sender Dare I say that I'm in love with > DKIM? > > Would it be life changing like DoDKIMWLAddresses? No absolutely not, but > if it's not a major task to add the functionality, I think there would be > wide appeal. > > I >>almost<< want to suggest that the dkimBonusValancePB feature be > removed altogether. I can't think of a scenario where you'd want to give a > bonus universally just because a message has a valid signature from > anyone. Same thing for the SPF pass bonus and it's default of -10!!! I'm > sure there are people using one or both, I just can't think of a > scenario in which it's a good idea. > > > > > On Fri, Nov 5, 2021 at 10:37 AM Thomas Eckardt < > *thomas.ecka...@thockar.com* <thomas.ecka...@thockar.com>> wrote: > Another useless post about concepts without reading the manual. > > >dkimBonusValancePB > > there is already dkimOkValencePB - increase it > > and > > reduce the score for certain domains by blackListedDomains, SenderBase or > anywhere else - if needed > > Thomas > > > > > > Von: "K Post" <*nntp.p...@gmail.com* <nntp.p...@gmail.com>> > An: "ASSP development mailing list" < > *assp-test@lists.sourceforge.net* <assp-test@lists.sourceforge.net>> > Datum: 04.11.2021 22:38 > Betreff: [Assp-test] Another Concept Question: DKIMBousScoreList > ------------------------------ > > > > > SUMMARY: Would there be benefit (that wouldn't be terrible to code) in > adding the ability for use to assign a score to emails that match a list of > DKIM signature identities? > > > The DKIMWLAddress and DKIMNPAddress functionality has been an absolute > game changer here. Thank you so much for implementing that (it was my > idea, but we all know that I could never code such a thing). > > I've combined that functionality with closely monitored SenderBase lists > to dramatically improve ASSP's accuracy. > > One place where Senderbase shines is it's scoring ability for bulk > senders. For example, I can give anything that Senderbase says is coming > from constant contact's network a -10 score, by adding it into > whiteSenderBase like > ^constantcontact\.com$=>-10 > I don't want to blindly let through constant contact signed messages, but > if it's coming from their network, make it a little easier for messages to > pass through. That's worked well for a long long time. > > > Recently, I'm seeing several bulk senders having legitimate messages DKIM > signed by the bulk sender them, but being sent through Amazon AWS ( > *amazonses.com* <http://amazonses.com/>) and is classified by senderbase > as being Amazon / *amazonses.com* <http://amazonses.com/>. There's a lot > of volume coming in from *amazonses.com* <http://amazonses.com/>, but > unfortunately, it's a mix of perfectly legitimate messages and others that > are pure garbage. So that takes Senderbase off the table. Coming from > amazonses shouldn't impact the score either way. And I can't DKIMWLAddress > the signature, then bad stuff would absolutely get through. > > An example is Square, the credit card processor and software company. > They send mail, DKIM signed @*squaremktg.com* <http://squaremktg.com/> on > behalf of clients. Most mail from square is good, but sometimes it gets > spammy, just like we see with mail from other bulk senders. Real world, I > paid for a car wash using their mobile payment platform, I received the > receipt and later got an email with a promotion from the car wash. All > good. The provider's signature was in DKIMWLAddresses. Today, I received > an advertisement from them for what is apparently a "gentleman's club" next > door, offering a complimentary car wash (I took that literally) for > visiting the establishment. The language in that email would have > absolutely had it rejected if it hadn't been on DKIMWLAddresses. Worse, it > wound up in the not-spam corpus. > > > So, I'd like for certain DKIM signatures to be able to SCORE. DKIM > scoring would help it get through (or make it harder depending on the > score) without automatically passing it and adding it to the corpus like > DKIMWLAddresses does. That would let me give the message a negative score > based on the DKIM but still let Bayesian/HMM and other features stay in > play to score the message further. > > Conceptually, I could see this working similarly to senderbase. There > would be a default valance like > dkimBonusValancePB > set to a default of -25 > > Then we'd have a list, maybe called DKIMBousScoreList. Like > DKIMWLAddresses, it would match the end of the validated DKIM identity, but > also accepts a score override: > (@|.)*squaremktg.com* <http://squaremktg.com/> <--- gets the default > of -25 > (@|.)someUsuallyOKsigner.com=>-12 <-- gets -12 for a score > (@|.)*prettygood.com* <http://prettygood.com/>=>5 > <--- gets 1/5 of the default -25 -25/5 = -5 > (@|.)UsuallyBad.com=>-5 <-- this isn't a bonus, a > negative default divided by a negative is a positive. it will be -25/-5 or > adding 5 to the score > > > From a management standpoint, it would certainly be easier to "just" be > able to assign an optional 2nd parameter to DKIMWLAddresses that would > score instead of whitelisting, but I feel like that could be too big of a > coding project. > > I tried to come up with a way to accomplish the same thing based on DKIM > signature, but came up very short. I know I could ignore DKIM and just > score based on the from line, but I really appreciate the certainty that > DKIM gives that the message is really from that organization. > > What do you think? Would a DKIMBousScoreList feature have universal > appeal? > > _______________________________________________ > Assp-test mailing list > *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net> > *https://lists.sourceforge.net/lists/listinfo/assp-test* > <https://lists.sourceforge.net/lists/listinfo/assp-test> > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, legally > privileged and protected in law and are intended solely for the use of the > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > > _______________________________________________ > Assp-test mailing list > *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net> > *https://lists.sourceforge.net/lists/listinfo/assp-test* > <https://lists.sourceforge.net/lists/listinfo/assp-test> > _______________________________________________ > Assp-test mailing list > *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net> > *https://lists.sourceforge.net/lists/listinfo/assp-test* > <https://lists.sourceforge.net/lists/listinfo/assp-test> > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, legally > privileged and protected in law and are intended solely for the use of the > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > > _______________________________________________ > Assp-test mailing list > *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net> > *https://lists.sourceforge.net/lists/listinfo/assp-test* > <https://lists.sourceforge.net/lists/listinfo/assp-test> > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, legally > privileged and protected in law and are intended solely for the use of the > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test >
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
