Hi,
All the way back in 2016, RW posted these rules on pastebin for DMARC,
before it was part of SA proper:
https://pastebin.com/gr41CvCc

Is this effectively what's been implemented in functions in the latest SA?
The scores from the above are a lot more aggressive than what's currently
in SA 50_rules - if DMARC fails and it instructs to quarantine, isn't that
what it should do, and not just add on a few points?

score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2
score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2
score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2

This became an issue for me when I received an email from ny.frb.org.
Because the email hit BAYES_00, the DMARC rule only added 0.1 points. It
also appeared that the email passed SPF, so I'm really not sure how it even
failed DMARC.

X-Envelope-From: <frb.advicemail...@ny.frb.org>>
...
X-Spam-Status: Yes, score=8.613 tag=-200 tag2=5 kill=5 tests=[BAYES_00=-1.9,
 DMARC_FAIL_REJECT=5.5, DMARC_REJECT=0.1, DMARC_REJ_NO_DKIM=1,
 FORGED_SPF_HELO=1, KAM_DMARC_REJECT=1, KAM_DMARC_STATUS=0.01,
 KAM_LAZY_DOMAIN_SECURITY=1, RELAYCOUNTRY_US=0.01, SPF_HELO_PASS=-0.001,
 TXREP=0.874, T_DMARC_POLICY_REJECT=0.01, T_DMARC_TESTS_FAIL=0.01]
 autolearn=disabled
X-Spam-Report:
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  0.0 T_DMARC_POLICY_REJECT No description available.
 *  1.0 DMARC_REJ_NO_DKIM MARC policy is reject without any DKIM signatures
 *  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
 *      Alignment
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  0.0 RELAYCOUNTRY_US Relayed through United States
 *  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
 *      anti-forgery methods
 *  1.0 FORGED_SPF_HELO No description available.
 *  5.5 DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
 *  0.0 T_DMARC_TESTS_FAIL No description available.
 *  1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
 *      and the domain has a DMARC reject policy
 *  0.1 DMARC_REJECT DMARC reject policy
 *  0.9 TXREP TXREP: Score normalizing based on sender's reputation
...
X-Spam-RelaysUntrusted: [ ip=199.30.234.79 rdns=spfdal-b.zixsmbhosted.com

The 199.30.234.79 IP is in the SPF record:
$ dig txt ny.frb.org|grep v=spf1
ny.frb.org.             3593    IN      TXT     "v=spf1 ip4:199.169.200.4
ip4:199.169.204.4 ip4:199.169.240.69 ip4:199.169.208.69 ip4:199.169.174.2
ip4:170.209.35.2 ip4:199.30.234.56/29 ip4:74.203.184.208/30 ip4:
199.30.234.64/26 ip4:199.30.234.192/27 ip4:74.203.184.32/27 ip4:
68.142.184.144/28 ip4:68.142" ".185.0/25 ip4:209.190.248.144/28
ip4:199.169.200.5 ip4:152.70.150.118 ip4:129.213.11.79 exists:%{i}.
spf.frb.iphmx.com include:_spf.qualtrics.com include:service.govdelivery.com
include:amazonses.com ~all"

There seems to be a lot wrong here.  I'd appreciate some pointers on what's
going on. Of course I realize it's my choice to add the other DMARC rules
and scores on top of the default, but the default scores don't make sense
to me.
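
Added example (not from the post and not SpamAssassin code): a minimal DMARC evaluator showing how RFC 7489 combines SPF and DKIM results with identifier alignment, and why an SPF pass on the HELO name alone, with no DKIM signature, still yields a DMARC fail with disposition reject. The local part, HELO name, SPF lookup results and policy record are constructed to mirror the headers above; the organizational-domain shortcut stands in for a Public Suffix List lookup.

```python
def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels. Real evaluators
    consult the Public Suffix List; this shortcut is an assumption here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from, helo, spf_results, dkim_sigs, policy):
    """Return ('pass', None) or ('fail', disposition).

    spf_results: {checked_identity_domain: 'pass' | 'fail' | ...}
    dkim_sigs:   list of (d=domain, verification result) pairs
    policy:      parsed _dmarc TXT record, e.g. {'p': 'reject', 'aspf': 'r'}
    """
    adkim, aspf = policy.get("adkim", "r"), policy.get("aspf", "r")
    # DKIM passes DMARC if any verified signature's d= aligns with From.
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for d, res in dkim_sigs)
    # SPF for DMARC is evaluated on the MAIL FROM identity; the HELO identity
    # is used only when MAIL FROM is empty (bounces). A HELO-only pass on an
    # unrelated relay name therefore contributes nothing.
    spf_identity = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    spf_ok = (spf_results.get(spf_identity) == "pass"
              and aligned(from_domain, spf_identity, aspf))
    if dkim_ok or spf_ok:
        return ("pass", None)
    return ("fail", policy.get("p", "none"))


# Constructed scenario modelled on the post: From and MAIL FROM in ny.frb.org,
# the relay's HELO (assumed to equal its rDNS) passed SPF, no DKIM signature,
# and a published p=reject policy. No MAIL FROM SPF pass is recorded.
SCENARIO_HELO_ONLY = dict(
    from_domain="ny.frb.org", mail_from="sender@ny.frb.org",
    helo="spfdal-b.zixsmbhosted.com",
    spf_results={"spfdal-b.zixsmbhosted.com": "pass"},
    dkim_sigs=[], policy={"p": "reject"})

if __name__ == "__main__":
    print(dmarc_evaluate(**SCENARIO_HELO_ONLY))  # ('fail', 'reject')
    with_mailfrom = dict(SCENARIO_HELO_ONLY, spf_results={"ny.frb.org": "pass"})
    print(dmarc_evaluate(**with_mailfrom))  # ('pass', None)
```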