From: Thore Boedecker <m...@foxxx0.de>
>Hello folks,

>over the last couple of months I have received some nasty spam,
>delivered by the Yahoo mail servers.

>After looking at the headers it became clear what the issue was:

Please post the email in pastebin.com or something so we can
help.

>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>@gmail.com senders to be sent through their servers.
>The funny thing is, that there is a @gmail.com address in both the
>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>'Reply-To:' and 'Sender:' headers.
>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>emails with a correct *Yahoo* signature.

>Over on my side, the receiving end of these emails, there is my
>spamassassin. SA discovers the DKIM signature and is able to validate
>this signature against the Yahoo server which is totally undesirable
>in my opinion.

DKIM is only meant to authenticate that the emails did come from
a Yahoo server.  It has nothing to do with authorization, which is what
you are looking for.  SPF handles authorization, so these emails should
have an SPF_FAIL rule hit that we can confirm once we see it in
pastebin.com.

>Maybe strict DKIM alignment is not always the best choice, because
>sometimes the emails are signed by different servers without sharing
>one signing key for the entire domain.

>So is there any way to make SA perform at least a relaxed DKIM
>alignment check on the headers so that the DKIM signature domain has
>to belong to the 'From:' address?

This is done by DMARC.  Currently you have to implement something
like OpenDMARC in your MTA and then add custom rules that use the
headers added specifically by your MTA (yourserverhere).

header          DMARC_PASS      Authentication-Results =~ /yourserverhere; dmarc=pass/
describe        DMARC_PASS      DMARC check passed
score           DMARC_PASS      -0.01

header          DMARC_FAIL      Authentication-Results =~ /yourserverhere; dmarc=fail/
describe        DMARC_FAIL      DMARC check failed
score           DMARC_FAIL      0.01

header          DMARC_NONE      Authentication-Results =~ /yourserverhere; dmarc=none/
describe        DMARC_NONE      DMARC check neutral
score           DMARC_NONE      0.01

Dave
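
The "DKIM signing domain must belong to the From: address" check that the thread
asks about is exactly DMARC identifier alignment (RFC 7489, section 3.1). The
following Python script is an added example, not code from the thread or from
SpamAssassin/OpenDMARC: it parses a message's headers, pulls the d= tag from each
DKIM-Signature, and compares it with the From: domain in relaxed mode
(organizational domains match) or strict mode (exact match). The two sample
messages, the placeholder signature values and the tiny MULTI_LABEL_SUFFIXES
stand-in for the Public Suffix List are all constructed for the demo; the script
also assumes the DKIM signature has already been cryptographically verified
(SpamAssassin's DKIM_VALID), since alignment only matters for a valid signature.

```python
"""DMARC identifier alignment between the RFC5322.From domain and the
DKIM signing domain (d=), relaxed and strict, per RFC 7489 section 3.1.

Added example for the mailing-list discussion; not SpamAssassin or
OpenDMARC code. Assumes the DKIM signature itself was already verified.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample reproducing the pattern from the thread: a @gmail.com
# From: and Return-Path: carrying a Yahoo DKIM signature, with Yahoo in
# Sender: and Reply-To:. Signature values are placeholders, not real.
SAMPLE_GMAIL_FROM_YAHOO_DKIM = """\
Return-Path: <someone@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.jp;
 s=s2048; h=From:To:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Someone <someone@gmail.com>
Sender: other@yahoo.com
Reply-To: other@yahoo.com
To: victim@example.org
Subject: hello

body
"""

# Constructed sample where a subdomain of the From: domain signed the mail:
# aligned under relaxed mode, not aligned under strict mode.
SAMPLE_SUBDOMAIN_SIGNER = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.net; s=sel;
 h=From:To:Subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: user@example.net
To: victim@example.org
Subject: hello

body
"""

# Constructed stand-in for the Public Suffix List. A real implementation
# must use the full list; these entries only cover the demo domains.
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}


def organizational_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment (RFC 7489 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def dkim_signing_domains(msg) -> list:
    """All d= tags from DKIM-Signature headers (a message may carry several).
    Header folding is already undone by the email parser."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", str(sig))
        if m:
            domains.append(m.group(1).lower().rstrip("."))
    return domains


def check_alignment(raw_message: str, mode: str = "relaxed") -> dict:
    """Return the From: domain, the DKIM d= domains and whether any signing
    domain is aligned with From: in the requested mode. Only RFC5322.From
    counts: Sender:, Reply-To: and Return-Path: play no role in DMARC."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = email.utils.parseaddr(str(msg["From"]))
    from_dom = from_addr.rpartition("@")[2].lower().rstrip(".")
    signers = dkim_signing_domains(msg)
    if mode == "strict":
        aligned = any(d == from_dom for d in signers)
    else:
        aligned = any(
            organizational_domain(d) == organizational_domain(from_dom)
            for d in signers
        )
    return {"mode": mode, "from_domain": from_dom,
            "dkim_domains": signers, "aligned": aligned}


if __name__ == "__main__":
    for name, sample in (("gmail From / Yahoo DKIM", SAMPLE_GMAIL_FROM_YAHOO_DKIM),
                         ("subdomain signer", SAMPLE_SUBDOMAIN_SIGNER)):
        for mode in ("relaxed", "strict"):
            r = check_alignment(sample, mode)
            print(f"{name:25s} {mode:8s} From={r['from_domain']} "
                  f"d={r['dkim_domains']} aligned={r['aligned']}")
```

The first sample comes out unaligned in both modes, which is the result the
poster wants SpamAssassin to act on; the second shows why relaxed alignment is
the usual default, as a mail signed by a subdomain of the From: domain still
passes. In production this logic lives in the DMARC milter, and SpamAssassin
only reads its Authentication-Results verdict, as in the rules above.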
