https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6087
Summary: DKIM plugin support for domain signing practices (ADSP),
with overrides
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Plugins
AssignedTo: [email protected]
ReportedBy: [email protected]
It all started as a small enhancement to a DKIM plugin to be able to take
advantage of already checked signatures elsewhere (subject to another problem
report), but I got carried away with Spring cleaning of code (like renaming
variable $scan to $pms, along with renaming some other internal objects to
better reflect the current shape of terminology and style).
...But I ended up with reshaping terminology from a DomainKeys term POLICY,
to what used to be a SSP (Sender Signing Practices), and is now known as
ADSP, Author Domain Signing Practices (draft-ietf-dkim-ssp-09). One thing
lead to another and the major new feature of these changes turned out to be
a way to manually override the ADSP (which is typically still unpublished
nowadays). This allows for more comfortably penalizing forged mail claiming
to be from domains like ebay.com, paypal.com, but is also (to a lesser degree)
useful for domains like yahoo.com, gmail.com, etc. A new eval rule for
fetching ADSP is also replacing former ones.
The DKIM is fully compatible with existing 3.3 code and rules, and I also
made it compatible with 3.2.5, in case someone wants to use it there.
When examining the code, please do not bother to check the diffs, as it
is large, partly due to indentation changes, shifting of code sections,
variable renames and comment updates. Just examine the plugin itself.
I'll let my POD docs from the plugin take it from here:
full DKIM_SIGNED eval:check_dkim_signed()
full DKIM_VALID eval:check_dkim_valid()
full DKIM_VALID_AU eval:check_dkim_valid_author_sig()
header DKIM_ADSP_NXDOMAIN eval:check_dkim_adsp('N')
header DKIM_ADSP_ALL eval:check_dkim_adsp('A')
header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')
header DKIM_ADSP_CUSTOM_LOW eval:check_dkim_adsp('1')
header DKIM_ADSP_CUSTOM_MED eval:check_dkim_adsp('2')
header DKIM_ADSP_CUSTOM_HIGH eval:check_dkim_adsp('3')
describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
describe DKIM_VALID Message has at least one valid DKIM or DK signature
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
describe DKIM_ADSP_ALL No valid author signature, domain signs all mail
describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
and suggests unsigned mail be discarded
describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is
CUSTOM_LOW
describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is
CUSTOM_MED
describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is
CUSTOM_HIGH
For compatibility, the following are synonyms:
OLD: eval:check_dkim_verified = NEW: eval:check_dkim_valid
OLD: eval:check_dkim_signall = NEW: eval:check_dkim_adsp('A')
OLD: eval:check_dkim_signsome = NEW: redundant, semantically always true
[...]
=item adsp_override domain [signing_practices]
Currently few domains publish their signing practices (draft-ietf-dkim-ssp,
ADSP), partly because the ADSP draft/rfc is rather new, partly because they
think hardly any recipient bothers to check it, and partly for fear that
some recipients might lose mail due to problems in their signature validation
procedures or mail mangling by mailers beyond their control.
Nevertheless, recipients could benefit by knowing signing practices of a
sending (author's) domain, for example to recognize forged mail claiming
to be from certain domains which are popular targets for phishing, like
financial institutions. Unfortunately, as signing practices are seldom
published or are weak, it is hardly justifiable to look them up in DNS.
To overcome this chicken-and-egg problem, the C<adsp_override> mechanism
allows recipients using SpamAssassin to override published or defaulted
ADSP for certain domains. This makes it possible to manually specify a
stronger (or weaker) signing practices than a signing domain is willing
to publish (explicitly or by default), and also save on a DNS lookup.
Note that ADSP (published or overridden) is only consulted for messages
which do not contain a valid DKIM signature from the author's domain.
According to ADSP draft, signing practices can be one of the following:
C<unknown>, C<all> and C<discardable>.
C<unknown>: Messages from this domain might or might not have an author
signature. This is a default if a domain exists in DNS but no ADSP record
is found.
C<all>: All messages from this domain are signed with an Author Signature.
C<discardable>: All messages from this domain are signed with an Author
Signature. If a message arrives without a valid Author Signature, the domain
encourages the recipient(s) to discard it.
ADSP lookup can also determine that a domain is "out of scope", i.e., the
domain does not exist (NXDOMAIN) in the DNS.
To override domain's signing practices in a SpamAssassin configuration file,
specify an C<adsp_override> directive for each sending domain to be overridden.
Its first argument is a domain name. Author's domain is matched against it,
matching is case insensitive. This is not a regular expression or a file-glob
style wildcard, but limited wildcarding is still available: if this arguments
starts by a "*." (or is a sole "*"), author's domain matches if it is a
subdomain (to one or more levels) of the argument. Otherwise (with no leading
asterisk) the match must be exact (not a subdomain).
An optional second parameter is one of the following keywords
(case-insensitive): C<nxdomain>, C<unknown>, C<all>, C<discardable>,
C<custom_low>, C<custom_med>, C<custom_high>.
Absence of this second parameter implies C<discardable>. If a domain is not
listed by a C<adsp_override> directive nor does it explicitly publish any
ADSP record, then C<unknown> is implied for valid domains, and C<nxdomain>
for domains not existing in DNS. (Note: domain validity may not be checked
with current versions of Mail::DKIM, so C<nxdomain> may never turn up)
The strong setting C<discardable> is useful for domains which are known
to always sign their mail and to always send it directly to recipients
(not to mailing lists), and are frequent targets of fishing attempts,
such as financial institutions. The C<discardable> is also appropriate
for domains which are known never to send any mail.
When a message does not contain a valid signature by the author's domain
(the domain in a From header field), the signing practices pertaining
to author's domain determine which of the following rules fire and
contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD,
DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more
than one of these rules can fire. The last three can only result from a
'signing_practices' as given in a C<adsp_override> directive (not from a
DNS lookup), and can serve as a convenient means of providing a different
score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not
considered suitable for some domains.
Example:
adsp_override *.mydomain.example.com discardable
adsp_override *.neversends.example.com discardable
adsp_override ebay.com discardable
adsp_override *.ebay.com discardable
adsp_override ebay.co.uk discardable
adsp_override *.ebay.co.uk discardable
adsp_override paypal.com discardable
adsp_override *.paypal.com discardable
adsp_override amazon.com discardable
adsp_override alert.bankofamerica.com discardable
adsp_override google.com all
adsp_override gmail.com all
adsp_override googlemail.com all
adsp_override yahoo.com all
adsp_override yahoo.com.au custom_low
adsp_override yahoo.se custom_low
adsp_override youtube.com custom_high
adsp_override skype.net custom_high
adsp_override junkmailerkbw0rr.com nxdomain
adsp_override junkmailerd2hlsg.com nxdomain
# effectively disables ADSP network DNS lookups for all other domains:
adsp_override * unknown
score DKIM_ADSP_ALL 1.5
score DKIM_ADSP_DISCARD 25
score DKIM_ADSP_NXDOMAIN 3
score DKIM_ADSP_CUSTOM_LOW 1
score DKIM_ADSP_CUSTOM_MED 3.5
score DKIM_ADSP_CUSTOM_HIGH 8
--
Configure bugmail:
https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
