Justin Mason wrote:

> > That should not be a problem - if the message is re-signed, and the
> > resigner inserts his own Sender header field as it is supposed to do,
> > outer DK and DKIM signatures will succeed and the rule will not fire
>
> yeah -- in a perfect world, maybe ;)

How does one move a mountain? Stone by stone.

> > Checking the last 12 hours of the log, I found two false positives,
> > one was a yahoo user with a regular yahoo account, who posted
> > directly through his home ISP's mailer (not through yahoo),
> > but provided his yahoo From address. ...
>
> The former is pretty common, fwiw.

All solutions (including SPF) seem to go in the direction that the roaming
poster will need to submit his mail through the provider/service/domain
whose domain name is used in his sending address. SASL and TLS are common
now; most popular mail readers support them, and so do most MTAs. People
will need to adjust to avoid their mail being treated as second-class.
Until then, giving such second-class mail a small number of positive score
points is not too bad - well-intended mail still passes with no trouble.

> > # give some incentive for people to start signing their mail:
> > score DKIM_VERIFIED -1.5
> > score DK_VERIFIED -1.0
> > SpamAssassin has some merit and influence on the population,
> > so it may just as well be setting some trends.
> > If spammers start signing their mail, so much the better.
>
> I'd prefer not to do this without some kind of DKIM reputation service up
> and running, so that we don't give bonuses to spammers who sign their
> mails. In our experience, spammers will quickly exploit any SpamAssassin
> bonuses available, and this would be pretty easy.

Give a little - gain a lot!

If they start signing their mail with a valid signature corresponding to a
sending domain, that is perfect: they get 1.5 points of a bonus, we get the
assurance that whoever placed a domain name in the From header field actually
owns (or ownz) that domain.

So how can a spammer validly sign a message:

- by owning a legitimate permanent domain, such as genuine commercial bulk
  mailers do, not trying to hide it - good, they get 1.5 bonus points, we may
  blacklist them if we want;

- by using a public mail service such as Yahoo - good, they get 1.5 bonus
  points, there may be increased interest of spammers in legitimate Yahoo
  accounts, Yahoo gets more pressure from other legitimate users since its
  reputation is at stake, they take action to minimize misuse of their
  accounts - we all win (except for spammers);

- by stealing a private key from a legitimate domain - not likely, and easy
  to fix by switching to a new key;

- by using throw-away domains, like those discussed on this ML not that long
  ago. Countermeasures are already being built, RBL lists of few-days-old
  domains. And registrars may get bored with the scheme and actually do
  something about it.

- by using zombies sending through a legitimate company's mailer with a
  legitimate sender address of that company - the company's reputation is
  at stake, and if it goes on for a long time, we may add a few positive
  score points for such domains (RBL) or just blacklist them.

Is there another way?

For now I'd stick with "Give a little - gain a lot!"

  Mark
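The scoring trade-off argued over in this thread, as an added toy model that is neither SpamAssassin's code nor anything posted by the participants: it grants the proposed DKIM/DK bonus only when a verified signature's d= domain is aligned with From (or with the Sender header a re-signing list inserted), so a valid signature from an unrelated domain earns nothing, and it models the unsigned-mail rule behind the roaming-Yahoo-user false positive. The `POLICY_UNSIGNED` value, the `Signature` type and the sample headers are constructed assumptions; signature verification itself is out of scope.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Scores as proposed in the thread. POLICY_UNSIGNED is an assumed value standing in
# for the "small number of positive score points" given to unsigned mail from a
# domain expected to sign everything (the thread names no number for it).
DKIM_VERIFIED = -1.5
DK_VERIFIED = -1.0
POLICY_UNSIGNED = 0.5


@dataclass(frozen=True)
class Signature:
    """A signature that already verified cryptographically (hypothetical type)."""
    scheme: str   # "dkim" or "dk"
    domain: str   # the d= tag of the verified signature


def _domain(header_value):
    """Lower-case domain of the first address in a header value, '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def score_message(headers, verified, signs_all):
    """Toy score: a bonus per verified signature whose d= matches the From domain
    or the Sender domain (a re-signing list), plus POLICY_UNSIGNED when mail from a
    signs-all domain carries no aligned signature and was not re-signed."""
    from_dom = _domain(headers.get("From"))
    sender_dom = _domain(headers.get("Sender"))
    score, signed_by_author, resigned = 0.0, False, False
    for sig in verified:
        d = sig.domain.lower()
        if not d or d not in (from_dom, sender_dom):
            continue  # an unrelated d= vouches for nothing about the From domain
        signed_by_author |= (d == from_dom)
        resigned |= (d == sender_dom and sender_dom != from_dom)
        score += DKIM_VERIFIED if sig.scheme == "dkim" else DK_VERIFIED
    if from_dom in signs_all and not signed_by_author and not resigned:
        score += POLICY_UNSIGNED
    return score


# Constructed sample cases mirroring the thread's discussion (not real mail).
SIGNS_ALL = {"yahoo.com"}
ROAMING_USER = {"From": "Some User <user@yahoo.com>"}  # sent via home ISP, unsigned
RESIGNED_BY_LIST = {"From": "user@yahoo.com", "Sender": "owner@lists.example.org"}
SPOOFED_FROM = {"From": "user@yahoo.com"}  # only a throw-away domain's signature verifies

if __name__ == "__main__":
    print(score_message(ROAMING_USER, [], SIGNS_ALL))  # 0.5
    print(score_message(RESIGNED_BY_LIST, [Signature("dkim", "lists.example.org")], SIGNS_ALL))  # -1.5
    print(score_message(SPOOFED_FROM, [Signature("dkim", "throwaway.example")], SIGNS_ALL))  # 0.5
```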