Re: Rule for non-DKIM-signed messages
On 5/12/19 9:29 PM, Kurt Fitzner wrote:
> On 2019-05-11 23:25, David Jones wrote:
>
> I don't have anything nearly so elaborate. But then I don't have the
> spam volume either.

That's fine. Just wanted to point out that "one size doesn't fit all" for other readers on this list. The default SA rules have to follow RFCs and standard practices in a general way so SA can start out working for all, then allow each admin to tune it toward the mail flow they have.

> Thanks,
>
> Kurt

--
David Jones
Re: Rule for non-DKIM-signed messages
Shot for sharing David !!!

Regards
Brent Clark

P.s. I wonder what other tricks you have up your sleeve that you would be willing to share. :)

On 2019/05/10 16:48, David Jones wrote:
> On 5/10/19 1:52 AM, Pedro David Marco wrote:
>> Hi Kurt,
>>
>> On the contrary, most spam I see is valid DKIM signed... tons of hacked sites... tons of emails from free trials of big-cheeses...
>>
>> Nevertheless...
>>
>> meta NO_DKIM_SIGNED ! DKIM_SIGNED
>> score NO_DKIM_SIGNED 2
>> describe NO_DKIM_SIGNED Email does not have DKIM signature
>
> That alone is too risky to score alone and should be used in a meta rule like this:
>
> meta SPAM_NOT_DKIM_SIGNED !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
> score SPAM_NOT_DKIM_SIGNED 2
> describe SPAM_NOT_DKIM_SIGNED Spammy characteristics and not DKIM signed
>
>> Pedro.
>>
>>> On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner wrote:
>>>
>>> I've noticed on my mail server that DKIM signing is almost diagnostic of spam. Almost no legitimate sender is without DKIM, and about 90% of my spam is unsigned, so I want to bias non-DKIM-signed heavily towards spam. To that end I was wondering if there are any built-in rules I can activate to score emails that are not DKIM-signed? I'd rather use a built-in rule than roll my own.
>
> I caution against this since non-DKIM signed email has no relation to spam or ham. How did you come up with the "about 90%" number? Did you grep logs to get real numbers over a couple of months?
>
> Any compromised account from Office 365 (and there are a lot) is going to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which means absolutely nothing when determining ham/spam. All that means is it was signed by Microsoft mail servers on the way out. If DKIM_VALID was hit, then it means the spam wasn't modified.
Re: Rule for non-DKIM-signed messages
On 2019-05-11 23:25, David Jones wrote:
> Is this for a single mailbox? If that is the case, then it's fine to make a decision like that for a single mailbox. For those of us running mail filtering platforms for customers, this would be a very bad rule.

Not a single mailbox, no. Not nearly the size of operation you have, though. Family and a few friends. Anything they toss in their spam folders gets moved to a central spot where I can do a post mortem.

> I have an automated system that finds these candidates every week and adds them automatically to my SA config file. This is a whole category of email that I don't have to worry about false positives allowing me to increase the sensitivity of scores and meta rules to help block compromised accounts and zero-hour spam.

I don't have anything nearly so elaborate. But then I don't have the spam volume either.

> My SA servers see millions of emails each week and they handle a lot of non-DKIM signed ham.

I'm small potatoes; almost all my "customers" are an amateur radio club whose members all email each other more than anyone else. It wasn't until I personally started having to email a bunch of new gmail accounts that the problem with my server not having DKIM-signing really crossed the threshold from annoyance into "must fix". But I honestly don't know (and I'm curious to find out) how can any major player still get away with not having DKIM-signing? How does anyone without it manage when Google spam-boxes all their mail?

My rule is in now. I'll monitor it closely. I attached less of a penalty to not having DKIM than I originally intended, based on your feedback. We'll see how it goes.

Thanks,
Kurt
Re: Rule for non-DKIM-signed messages
On 5/10/19 1:16 PM, Kurt Fitzner wrote:
> On 2019-05-10 12:42, Matus UHLAR - fantomas wrote:
>
>> I wanted to comment OP's mail, but since I don't have DKIM set up, I wasn't
>> sure it would pass :-)
>
> I actually didn't have DKIM signing set up myself until a couple weeks
> ago. I had been lazy in setting it for a while, but I had to because
> the first time I would email anyone on gmail it was going directly to
> their spam folder. Hotmail too, to a lesser extent. But Google is
> really aggressive with unsigned mail, and they have a strong "it's our
> way or the highway" policy.
>
> On 10.05.19 14:48, David Jones wrote:
>
>>> I caution against this since non-DKIM signed email has no relation to
>>> spam or ham. How did you come up with the "about 90%" number? Did you
>>> grep logs to get real numbers over a couple of months?
>
> I should clarify. I do get DKIM-signed spam. I just don't get any
> non-DKIM-signed ham. Going back and looking at my archived mail and
> logs I can see that a) all legitimate emails were DKIM-signed, and b)
> virtually every message that was not DKIM-signed was spam. So I intend
> to assign no ham scoring weight to a message having a DKIM signature,
> but I do feel pretty safe in assigning a heavy penalty to those mails
> without it.

Is this for a single mailbox? If that is the case, then it's fine to make a decision like that for a single mailbox. For those of us running mail filtering platforms for customers, this would be a very bad rule.

I filter for about 60,000 to 80,000 mailboxes (can't tell for sure with Exchange accepting everything and bouncing later) and use DKIM_VALID_AU heavily with thousands of subdomain entries like:

whitelist_auth *@*.joann.com
whitelist_auth *@*.potterybarn.com
whitelist_auth *@*.aa.com
whitelist_auth *@*.saks.com
whitelist_auth *@*.dominos.com
whitelist_auth *@*.fandango.com

I know for sure that these emails are:

1. System generated and not from user accounts that can be compromised
2. Generated by a mail server under the control or authorized by their respective domain owners.

I have an automated system that finds these candidates every week and adds them automatically to my SA config file. This is a whole category of email that I don't have to worry about false positives allowing me to increase the sensitivity of scores and meta rules to help block compromised accounts and zero-hour spam.

My SA servers see millions of emails each week and they handle a lot of non-DKIM signed ham.

--
David Jones
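One way to get the "real numbers" David asks for before scoring on a missing signature, as an added example that is not code from anyone in this thread: a Python script that parses spamd "result:" log lines, counts per verdict how many messages lacked DKIM_SIGNED or carried DKIM_VALID_AU, and applies David's SPAM_NOT_DKIM_SIGNED meta rule to each message's hits so the ham it would catch is visible before the rule goes live. The log lines and the rule hits in them are constructed, and since OTHER_RULE_COMMONLY_SEEN_AS_SPAM is a placeholder in his post, the rule is rendered with the three named rules only.

```python
import re
from collections import Counter, defaultdict

# Constructed spamd "result:" lines in the shape spamd writes to syslog
# (hypothetical hits, sizes and user, not taken from any real server).
SAMPLE_LOG = """\
spamd: result: Y 12 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,RDNS_DYNAMIC scantime=0.5,size=2100,user=kurt,uid=1000
spamd: result: . -3 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE scantime=0.4,size=3000,user=kurt,uid=1000
spamd: result: Y 9 - HTML_MESSAGE,MISSING_HEADERS,RDNS_DYNAMIC scantime=0.3,size=900,user=kurt,uid=1000
spamd: result: . 1 - HTML_MESSAGE,SPF_PASS scantime=0.2,size=1200,user=kurt,uid=1000
spamd: result: Y 7 - DKIM_SIGNED,FSL_BULK_SIG,HTML_MESSAGE scantime=0.6,size=5000,user=kurt,uid=1000
spamd: result: . 0 - RDNS_DYNAMIC,SPF_PASS scantime=0.2,size=800,user=kurt,uid=1000
"""

# verdict ("Y" spam, "." ham), score, comma-separated rule hits
RESULT_RE = re.compile(r"result: ([Y.]) (-?\d+(?:\.\d+)?) - (\S+)")

# The rules David ORs with !DKIM_SIGNED; OTHER_RULE_COMMONLY_SEEN_AS_SPAM is
# a placeholder in his post, so it is left out here.
SPAMMY = {"MISSING_HEADERS", "FSL_BULK_SIG", "RDNS_DYNAMIC"}

def parse_results(log_text):
    """Yield (is_spam, set_of_rule_hits) for every spamd result line."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        verdict, _score, tests = m.groups()
        hits = set() if tests == "none" else set(tests.split(","))
        yield verdict == "Y", hits

def spam_not_dkim_signed(hits):
    """Python rendering of David's SPAM_NOT_DKIM_SIGNED meta rule."""
    return "DKIM_SIGNED" not in hits and bool(hits & SPAMMY)

def dkim_breakdown(log_text):
    """Per verdict: total messages, how many lacked DKIM_SIGNED, how many
    hit DKIM_VALID_AU, and how many the meta rule would have fired on."""
    stats = defaultdict(Counter)
    for is_spam, hits in parse_results(log_text):
        c = stats["spam" if is_spam else "ham"]
        c["total"] += 1
        c["unsigned"] += "DKIM_SIGNED" not in hits
        c["valid_au"] += "DKIM_VALID_AU" in hits
        c["meta_hit"] += spam_not_dkim_signed(hits)
    return {k: dict(v) for k, v in stats.items()}

if __name__ == "__main__":
    for verdict, c in dkim_breakdown(SAMPLE_LOG).items():
        print(f"{verdict}: {c['unsigned']}/{c['total']} unsigned, "
              f"{c['valid_au']} DKIM_VALID_AU, meta rule fires on {c['meta_hit']}")
```

A nonzero meta_hit count under "ham" is exactly the false-positive class David warns about; run it over a few months of real spamd logs before choosing a score.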
Re: Rule for non-DKIM-signed messages
On 2019-05-10 12:42, Matus UHLAR - fantomas wrote:
> I wanted to comment OP's mail, but since I don't have DKIM set up, I wasn't sure it would pass :-)

I actually didn't have DKIM signing set up myself until a couple weeks ago. I had been lazy in setting it for a while, but I had to because the first time I would email anyone on gmail it was going directly to their spam folder. Hotmail too, to a lesser extent. But Google is really aggressive with unsigned mail, and they have a strong "it's our way or the highway" policy.

> On 10.05.19 14:48, David Jones wrote:
>> I caution against this since non-DKIM signed email has no relation to spam or ham. How did you come up with the "about 90%" number? Did you grep logs to get real numbers over a couple of months?

I should clarify. I do get DKIM-signed spam. I just don't get any non-DKIM-signed ham. Going back and looking at my archived mail and logs I can see that a) all legitimate emails were DKIM-signed, and b) virtually every message that was not DKIM-signed was spam. So I intend to assign no ham scoring weight to a message having a DKIM signature, but I do feel pretty safe in assigning a heavy penalty to those mails without it.

Sorry Matus. :)

Kurt
Re: Rule for non-DKIM-signed messages
On 5/10/19 1:52 AM, Pedro David Marco wrote:
>> On the contrary, most spam I see is valid DKIM signed... tons of hacked sites... tons of emails from free trials of big-cheeses...
>>
>> Nevertheless...
>>
>> meta NO_DKIM_SIGNED ! DKIM_SIGNED
>> score NO_DKIM_SIGNED 2
>> describe NO_DKIM_SIGNED Email does not have DKIM signature

On 10.05.19 14:48, David Jones wrote:
> That alone is too risky to score alone and should be used in a meta rule like this:
>
> meta SPAM_NOT_DKIM_SIGNED !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
> score SPAM_NOT_DKIM_SIGNED 2
> describe SPAM_NOT_DKIM_SIGNED Spammy characteristics and not DKIM signed

I wanted to comment OP's mail, but since I don't have DKIM set up, I wasn't sure it would pass :-)

>> On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner wrote:
>>
>> I've noticed on my mail server that DKIM signing is almost diagnostic of spam. Almost no legitimate sender is without DKIM, and about 90% of my spam is unsigned, so I want to bias non-DKIM-signed heavily towards spam. To that end I was wondering if there are any built-in rules I can activate to score emails that are not DKIM-signed? I'd rather use a built-in rule than roll my own.

> I caution against this since non-DKIM signed email has no relation to spam or ham. How did you come up with the "about 90%" number? Did you grep logs to get real numbers over a couple of months?
>
> Any compromised account from Office 365 (and there are a lot) is going to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which means absolutely nothing when determining ham/spam. All that means is it was signed by Microsoft mail servers on the way out. If DKIM_VALID was hit, then it means the spam wasn't modified.

I also doubt if DKIM_VALID is enough. To be sure, the mail should hit DKIM_VALID_AU to prove it was signed by the sender's mail server...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
Re: Rule for non-DKIM-signed messages
On 5/10/19 1:52 AM, Pedro David Marco wrote:
> Hi Kurt,
>
> On the contrary, most spam I see is valid DKIM signed... tons of
> hacked sites... tons of emails from free trials of big-cheeses...
>
> Nevertheless...
>
> meta NO_DKIM_SIGNED ! DKIM_SIGNED
> score NO_DKIM_SIGNED 2
> describe NO_DKIM_SIGNED Email does not have DKIM signature

That alone is too risky to score alone and should be used in a meta rule like this:

meta SPAM_NOT_DKIM_SIGNED !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
score SPAM_NOT_DKIM_SIGNED 2
describe SPAM_NOT_DKIM_SIGNED Spammy characteristics and not DKIM signed

> Pedro.
>
>> On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner wrote:
>>
>> I've noticed on my mail server that DKIM signing is almost diagnostic of
>> spam. Almost no legitimate sender is without DKIM, and about 90% of my
>> spam is unsigned, so I want to bias non-DKIM-signed heavily towards
>> spam. To that end I was wondering if there are any built-in rules I can
>> activate to score emails that are not DKIM-signed? I'd rather use a
>> built-in rule than roll my own.

I caution against this since non-DKIM signed email has no relation to spam or ham. How did you come up with the "about 90%" number? Did you grep logs to get real numbers over a couple of months?

Any compromised account from Office 365 (and there are a lot) is going to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which means absolutely nothing when determining ham/spam. All that means is it was signed by Microsoft mail servers on the way out. If DKIM_VALID was hit, then it means the spam wasn't modified.

--
David Jones
Re: Rule for non-DKIM-signed messages
Hi Kurt,

On the contrary, most spam I see is valid DKIM signed... tons of hacked sites... tons of emails from free trials of big-cheeses...

Nevertheless...

meta NO_DKIM_SIGNED ! DKIM_SIGNED
score NO_DKIM_SIGNED 2
describe NO_DKIM_SIGNED Email does not have DKIM signature

Pedro.

> On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner wrote:
>
> I've noticed on my mail server that DKIM signing is almost diagnostic of
> spam. Almost no legitimate sender is without DKIM, and about 90% of my
> spam is unsigned, so I want to bias non-DKIM-signed heavily towards
> spam. To that end I was wondering if there are any built-in rules I can
> activate to score emails that are not DKIM-signed? I'd rather use a
> built-in rule than roll my own.