Thanks David for the first hints in the right direction and yes you are right, I'm looking for some sort of DMARC integration into SA.
I have uploaded the mail here: https://paste.foxxx0.de/wZjcT/

Thore

On 06.05.17 - 14:10, David Jones wrote:
> From: Thore Boedecker <[email protected]>
>
> >Hello folks,
> >
> >over the last couple of months I have received some nasty spam,
> >delivered by the Yahoo mail servers.
> >
> >After looking at the headers it became clear what the issue was:
>
> Please post the email in pastebin.com or something so we can
> help.
>
> >It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
> >@gmail.com senders to be sent through their servers.
> >The funny thing is that there is a @gmail.com address in both the
> >'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
> >'Reply-To:' and 'Sender:' headers.
> >Somehow Yahoo sees no problem in that and is happy to DKIM sign those
> >emails with a correct *Yahoo* signature.
> >
> >Over on my side, the receiving end of these emails, there is my
> >spamassassin. SA discovers the DKIM signature and is able to validate
> >this signature against the Yahoo server, which is totally undesirable
> >in my opinion.
>
> DKIM is only meant to authenticate that the emails did come from
> a Yahoo server. It has nothing to do with authorization, which is what
> you are looking for. SPF handles authorization, so these emails should
> have an SPF_FAIL rule hit that we can confirm once we see it in
> pastebin.com.
>
> >Maybe strict DKIM alignment is not always the best choice, because
> >sometimes the emails are signed by different servers without sharing
> >one signing key for the entire domain.
> >
> >So is there any way to make SA perform at least a relaxed DKIM
> >alignment check on the headers so that the DKIM signature domain has
> >to belong to the 'From:' address?
>
> This is done by DMARC. Currently you have to implement something
> like OpenDMARC in your MTA and then add custom rules that use the
> headers added specifically by your MTA (yourserverhere).
>
> header DMARC_PASS Authentication-Results =~ /yourserverhere; dmarc=pass/
> describe DMARC_PASS DMARC check passed
> score DMARC_PASS -0.01
>
> header DMARC_FAIL Authentication-Results =~ /yourserverhere; dmarc=fail/
> describe DMARC_FAIL DMARC check failed
> score DMARC_FAIL 0.01
>
> header DMARC_NONE Authentication-Results =~ /yourserverhere; dmarc=none/
> describe DMARC_NONE DMARC check neutral
> score DMARC_NONE 0.01
>
> Dave
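The relaxed alignment check Thore asks for, which David's rules obtain from OpenDMARC's Authentication-Results header, as an added example that is not part of this thread: a small Python check that takes the header.d= domain of a dkim=pass result and compares its organizational domain with the From: domain. The sample message, the mx.example.net authserv-id and the two-label organizational-domain shortcut are assumptions made for the example.

```python
import email
import email.utils
import re

# Constructed sample modelled on the case in the thread: gmail.com in From: and
# Return-Path:, yahoo.com in Sender:/Reply-To:, and a passing Yahoo DKIM
# signature recorded by an assumed authserv-id of mx.example.net.
SAMPLE = """Return-Path: <sender@gmail.com>
Authentication-Results: mx.example.net; dkim=pass header.d=yahoo.com; spf=fail smtp.mailfrom=gmail.com
From: Someone <sender@gmail.com>
Sender: <relay@yahoo.com>
Reply-To: <relay@yahoo.com>
Subject: test

body
"""

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption for the example: a real DMARC implementation consults the
    Public Suffix List instead (yahoo.co.jp would break this shortcut)."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])

def dkim_pass_domains(msg):
    """Collect header.d= values from dkim=pass clauses of Authentication-Results."""
    found = []
    for value in msg.get_all('Authentication-Results', []):
        for m in re.finditer(r'dkim=pass\b[^;]*?header\.d=([\w.-]+)', value):
            found.append(m.group(1).lower())
    return found

def from_domain(msg):
    """Domain of the RFC5322.From address, which DMARC aligns against."""
    addr = email.utils.parseaddr(msg.get('From', ''))[1]
    return addr.rsplit('@', 1)[-1].lower()

def dkim_aligned(raw, strict=False):
    """True if some passing DKIM d= domain aligns with the From: domain.
    strict=False is DMARC relaxed mode (organizational domains must match),
    strict=True requires an exact domain match."""
    msg = email.message_from_string(raw)
    fd = from_domain(msg)
    for d in dkim_pass_domains(msg):
        if strict and d == fd:
            return True
        if not strict and org_domain(d) == org_domain(fd):
            return True
    return False
```

For the sample above both modes return False, so a valid Yahoo signature on a gmail.com From: does not count as aligned, which is the distinction SA's plain DKIM_VALID check does not make.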