I'm sorry but the example
\@.+\.docusign\.net(?{&CorrectASSPcfg::myWantedDKIMCheck($fh)})=>60
should be better
~<<<(\@.+\.docusign\.net|next domain|next
domain|...|...)(?(?{&CorrectASSPcfg::myWantedDKIMCheck($fh,$+)})|(*FAIL))>>>~=>60
The first one does not fail if CorrectASSPcfg::myWantedDKIMCheck returns
0, The second provides $fh and the matched string to the sub
CorrectASSPcfg::myWantedDKIMCheck.
short example for CorrectASSPcfg::myWantedDKIMCheck
sub CorrectASSPcfg::myWantedDKIMCheck {
my ($fh,$match) = @_;
my $this = ($fh && exists($main::Con{$fh})) ? $main::Con{$fh} :'';
return unless $this;
return unless $this->{isDKIM};
return 1 if $this->{dkimresult} eq 'pass';
return 1 if $this->{dkimverified} eq 'verified-OK';
my $re = qr/
domain1\.org
| \.domain2\.org
| user[^@]+?\@.+?\.domain3\.org
/xis;
return ($match !~ /$re/);
}
Thomas
Von: "Thomas Eckardt" <[email protected]>
An: "ASSP development mailing list" <[email protected]>
Datum: 08.07.2022 16:53
Betreff: Re: [Assp-test] blockStrictDKIMRe -- also thoughts on
DMARC rejects
If such a feature would be implemented, it will result in havy coding.
>I want to outright block any message from @*.docusign.net that isn't
signed or that has an invalid signature. I don't care if it's from a
whitelisted email address, from an IP that's in the SPF record, and with a
message body that is 100% great.
You want not only to make the test domain based strict, you want to ignore
flags like 'whitelisted' - that's ok - but if I would start to allow any
flag exceptions, other users may want to have other or more flag
exception.
- noprocessing
- whitelisted
- spamlover
- domain based scoring values
- SMIME/PGP signed
.....
Yes, a great feature - but who would need it?
The best way would be to create a level 1 plugin for this purpose. There
you can check the dkim result, flags, ip's ... what ever you want - and
based on your logic, you can block or pass the mail.
But knowing (and thinking like) assp, will open other ways (solution
workarounds) - for example.
we assume the DKIM check is set to scoring - and the scoring value is 20
points below the penalty limit.
If a DKIM signature is invalid - assp scores.
If the domain has ever sent a mail with a valid DKIM signature before (a
DKIMCache entry is found), assp scores for DKIM if a mail without a DKIM
signature from this domain is received.
Now, if there was not added any other score (the mail is 100% ok, except
DKIM) the mail will pass because the penalty limit is not reached. But you
want to block the mail if the sender matches @*.docusign.net
sender??? ... matches???... - assp has weighted regular expressions -
like: bombSenderRe - where you can add or remove scoring points
if you set there
\@.+\.docusign\.net=>20
all mails from those domains will get a penalty of 20 points, which is
harmless if there is everything else ok with the mail
if dkim fails, the penalty limit will be reached and the mail will be
blocked
this can be finetuned using :>NWLI
You are also able to implement code in to the regex (for example to check
for the DKIM result). This is much less complicated than writing a plugin.
\@.+\.docusign\.net(?{&CorrectASSPcfg::myWantedDKIMCheck($fh)})=>60
"score with 60 if the sender matches and the sub
CorrectASSPcfg::myWantedDKIMCheck returned 1"
Both examples should only show, that there are more ways to get wanted
results in assp. If someone solved a similar problem using another way, it
would be nice to hear, how this was done.
Thomas
Von: "K Post" <[email protected]>
An: "ASSP development mailing list"
<[email protected]>
Datum: 07.07.2022 15:56
Betreff: Re: [Assp-test] blockStrictDKIMRe -- also thoughts on
DMARC rejects
All of your points are clear, and the explanation is greatly appreciated.
I now understand why it may be unwise to generally honor reject DMARC
policy if we've overridden spf/dkim policy once we start manipulating
results with ASSP. That makes sense.
I still feel like a blockStrictDKIMRe type of new feature, where a failed
OR missing dkim signature where the message matches the regex would be
strictly blocked (just like we can do with blockstrictSPFRe for spf
failures) would be helpful.
For example (hopefully this is more illustrative of the desire), I want to
outright block any message from @*.docusign.net that isn't signed or that
has an invalid signature. I don't care if it's from a whitelisted email
address, from an IP that's in the SPF record, and with a message body that
is 100% great. If there's no DKIM signature or an invalid one for a
message that matches the regex, reject the message (just like their DMARC
policy says to do).
Is there another way with current ASSP features to accomplish this only if
a message matches this proposed regex?
Ken
On Fri, Jun 17, 2022 at 4:35 AM Thomas Eckardt <[email protected]
> wrote:
>Would you please consider adding a feature to do the same for a failed
DKIM signature?
NO!
Contrary to SPF, a DKIM signature has only two options : OK and FAIL -
Based on the signature it self or based on a trusted forwarders
authentication result (ARC).
A DKIM signature has to be valid every time for any of the above reasons.
> I score failed spf and score failed dkim, so DoDMARC is only scoring
even though p=reject.
What else makes sense?
If SPF is scored and DKIM is scored and DMARC is score - AND the resulting
score does'nt block the mail at the pealtybox, your settings are wrong!
>If DMARC says p=reject, why shouldn't assp outright honor that,
regardless of if we have spf / dkim failures set to only score?
SPF has too many options to change/override the original result in assp
(more or less strict, overwrite, skip ....), some these options also
exists for DKIM.
If we ignore/change/override .... sender policies for SPF and DKIM, it is
not wise to honor the reject DMARC policy strictly.
Thomas
Von: "K Post" <[email protected]>
An: "ASSP development mailing list" <
[email protected]>
Datum: 16.06.2022 19:28
Betreff: [Assp-test] blockStrictDKIMRe -- also thoughts on DMARC
rejects
The ability to block failed SPF, instead of just scoring them, for delect
regex matches has been a terrific feature of ASSP for a long time. (Block
SPF Processing Regex* (blockstrictSPFRe) ) Would you please consider
adding a feature to do the same for a failed DKIM signature? Outright
blocking of a matching message that fails DKIM, regardless of the domain's
DMARC settings. -- maybe that's not necessary if DoDMARC will honor
=reject, see more below.
Reasoning:
I already score failed DKIM signatures, but I can't set that score too
high because so many organizations still send messages through 3rd parties
with invalid DKIM signatures. It really is incredible how many I see. But
for frequently abused sender addresses (docusign for example), who are
often spoofed but send otherwise unspammy content, I want to outright
block if the DKIM signature fails. blockStrictSPFRe usually works because
these bad DKIM sigs are on mails that also violate SPF rules, still though
it would be helpful if I could also just say "if a specific regex is
matched on an email with an invalid DKIM, reject the message"
RELATED: DMARC p=reject should always reject if failed
Docusign.net has a dmarc rule of p=reject. I want to honor that. The
last scam that came in from them failed SPF and failed DKIM validation,
but the message was from a whitelisted address.. DoDMARC says that the
blocking will be the "most less aggressive" (least aggressive) and the
published DMARC record. I score failed spf and score failed dkim, so
DoDMARC is only scoring even though p=reject.
Enable DMARC Check (DoDMARC)
If enabled and ValidateSPF and DoDKIM are enabled and the sending domain
has published a DMARC-record/policy, assp will act on the mail according
to the senders DMARC-policy using the results of the SPF and DKIM check
and validating the SPF/DKIM address/domain Identifier Alignment rules
(RFC7489 section 3). It is safe to leave this feature ON, it will not
produce false positives! The blocking mode (block, monitor, score,
testmode) is adapted from the most less aggressive setting of ValidateSPF
and DoDKIM - and the published DMARC record
([p][sp]=[reject][quarantine]). Scoring is done using dmarcValencePB.
If DMARC says p=reject, why shouldn't assp outright honor that, regardless
of if we have spf / dkim failures set to only score?
Thanks
Ken
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
