Thank you all for the feedback.

> > FWIW, I've seen a few mails that had multiple DK signatures, apparently
> > as the result of going through a DK signed mailing list when the original
> > message had also been signed.
>
> yeah, I think if the list re-signs the message, that's ok, because it then
> doesn't matter if the internal signature fails (there being no need to
> check that).
> That may be a DKIM interpretation btw.
That should not be a problem - if the message is re-signed, and the
re-signer inserts his own Sender header field as it is supposed to do,
outer DK and DKIM signatures will succeed and the rule will not fire
thanks to && !DK_VERIFIED.

> DK verification may fail if the mail goes through mailing lists.

> ah. Here's another one that just occurred to me -- (c): if you're keying
> off the From: header, watch out for mailing list traffic that appends a
> footer to the body. That will cause a verification failure, and fire the
> rule.

> Bear in mind the list/forwarding issue I also noted; most list installs
> don't re-sign mails, so an additional exemption for messages that contain
> "List-Id" might be worthwhile. mass-check should give a good idea, anyway.

Some (most?) mailing lists are indeed problematic, so the rule should not
fire if it looks like the message was passed through a mailing list.
I'm glad that this ML seems to do pretty well in avoiding breaking of
original signatures (and the postfix-users ML for DKIM, but not for DK,
because it appends a Sender:).

This is what I have now:

# markers that the message passed through a mailing list or a forwarder
header __L_ML0 Precedence =~ /\b(list|bulk)\b/i
header __L_ML1 exists:List-Id
header __L_ML2 exists:List-Post
header __L_ML3 exists:Mailing-List
header __L_HAS_SENDER exists:Sender
meta __L_VIA_ML __L_ML0 || __L_ML1 || __L_ML2 || __L_ML3 || __L_HAS_SENDER

# From: address at a domain that signs its outbound mail with DomainKeys
header __L_FROM_YAHOO From:addr =~ /@yahoo\.com$/i
header __L_FROM_GMAIL From:addr =~ /@gmail\.com$/i

# fire only on direct (non-list) mail whose DK signature did not verify;
# priority 500 runs these after the DK plugin has set DK_VERIFIED
meta UNVERIFIED_YAHOO __L_FROM_YAHOO && !__L_VIA_ML && !DK_VERIFIED
priority UNVERIFIED_YAHOO 500
score UNVERIFIED_YAHOO 2.5

meta UNVERIFIED_GMAIL __L_FROM_GMAIL && !__L_VIA_ML && !DK_VERIFIED
priority UNVERIFIED_GMAIL 500
score UNVERIFIED_GMAIL 2.5

Checking the last 12 hours of the log, I found two false positives: one
was a yahoo user with a regular yahoo account, who posted directly through
his home ISP's mailer (not through yahoo), but provided his yahoo From
address.
The other was a forwarding through a gmail account, which did not (re)sign
the message. Seems pretty good - and 2.5 score points is not too bad for an
otherwise healthy message.

> OK -- someone who would know, tells me:
> Pretty much all user-generated mail From: yahoo-owned domains is [now]
> signed, but that's not intended as a statement of spam/non-spam.

Certainly not, but either way, we can be certain that the message came
from the signing domain it claims to be, which makes it easier to apply
other rules like blacklisting etc. if mail happens to be spam. Which is
why I'd suggest something like:

# give some incentive for people to start signing their mail:
score DKIM_VERIFIED -1.5
score DK_VERIFIED -1.0

SpamAssassin has some merit and influence on the population, so it may
just as well be setting some trends. If spammers start signing their
mail, so much the better.

  Mark
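A Python re-implementation of the UNVERIFIED_YAHOO / UNVERIFIED_GMAIL meta logic and of the proposed DK_VERIFIED / DKIM_VERIFIED incentive scores, so the mailing-list exemption can be exercised offline. This is an added example, not SpamAssassin code and not part of the original thread. It assumes the DK and DKIM verification results are supplied by the caller as booleans (in SpamAssassin they come from the DomainKeys and DKIM plugins); the sample messages at the bottom are constructed for this example.

```python
"""Offline model of the UNVERIFIED_* meta rules and the proposed
DK_VERIFIED / DKIM_VERIFIED bonus scores from the message above.

Added example, not SpamAssassin code.  Assumption: the DK/DKIM
verification results are passed in as booleans; the sample messages
below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# __L_ML0: Precedence =~ /\b(list|bulk)\b/i
PRECEDENCE_LIST = re.compile(r"\b(list|bulk)\b", re.I)
# __L_ML1..__L_ML3 and __L_HAS_SENDER: mere presence of the header counts
LIST_HEADERS = ("List-Id", "List-Post", "Mailing-List", "Sender")

# __L_FROM_YAHOO / __L_FROM_GMAIL: From:addr =~ /@domain$/i
DOMAIN_RULES = {
    "UNVERIFIED_YAHOO": re.compile(r"@yahoo\.com$", re.I),
    "UNVERIFIED_GMAIL": re.compile(r"@gmail\.com$", re.I),
}
UNVERIFIED_SCORE = 2.5

# proposed incentive scores from the end of the message
BONUS = {"DKIM_VERIFIED": -1.5, "DK_VERIFIED": -1.0}


def via_mailing_list(msg):
    """__L_VIA_ML: the message looks like it passed through a list/forwarder."""
    if PRECEDENCE_LIST.search(msg.get("Precedence", "")):
        return True
    return any(h in msg for h in LIST_HEADERS)


def unverified_hits(raw, dk_verified):
    """Names of the UNVERIFIED_* rules that fire for this raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    if via_mailing_list(msg) or dk_verified:
        return []  # exempt: !__L_VIA_ML or !DK_VERIFIED is false
    return [name for name, pat in DOMAIN_RULES.items() if pat.search(addr)]


def score(raw, dk_verified=False, dkim_verified=False):
    """Total score contribution of the rules discussed in the thread."""
    total = UNVERIFIED_SCORE * len(unverified_hits(raw, dk_verified))
    if dk_verified:
        total += BONUS["DK_VERIFIED"]
    if dkim_verified:
        total += BONUS["DKIM_VERIFIED"]
    return total


# constructed sample messages
DIRECT_YAHOO = (
    "From: Some User <someone@yahoo.com>\n"
    "To: list@example.org\n"
    "Subject: direct, unsigned\n\nbody\n"
)
VIA_LIST = (
    "From: someone@yahoo.com\n"
    "List-Id: users list <users.example.org>\n"
    "Precedence: list\n"
    "Subject: through a list that appends a footer\n\nbody\n-- footer\n"
)
RESIGNED = (
    "From: someone@gmail.com\n"
    "Sender: owner-users@example.org\n"
    "Subject: re-signed by the list\n\nbody\n"
)
OTHER_DOMAIN = "From: someone@example.net\nSubject: not covered\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_YAHOO), ("list", VIA_LIST),
                       ("resigned", RESIGNED), ("other", OTHER_DOMAIN)):
        print(label, unverified_hits(raw, dk_verified=False), score(raw))
```

Running the script prints which rule fires for each constructed case; only the direct, unsigned yahoo message scores 2.5, while the list copy (Precedence/List-Id) and the re-signed copy (Sender) are exempt as the meta rule intends. A real deployment takes dk_verified/dkim_verified from the plugins rather than from the caller.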