
FROMNAME and PDS_FROM_2_EMAILS
Hi,
I'm trying to understand the FROMNAME rules and a potential conflict
with PDS_FROM_2_EMAILS.

I understand FROMNAME_SPOOF is designed to catch differences like:

From: "no-reply@amazon.com" <joe@example.com>

but what other spoofs is the FromName.pm plugin designed to catch?

And I would assume it would be DKIM for differences between the
address in the From and the SPF record for the envelope sender,
correct?

I've also noticed that the PDS_FROM_2_EMAILS meta and
PDS_FROMNAME_SPOOFED_EMAIL hit on so many similar components that I
wondered whether there's overlap or whether I'm misunderstanding how it works.

Re: FROMNAME and PDS_FROM_2_EMAILS
Alex <mysqlstudent@gmail.com> writes:

> And I would assume it would be DKIM for differences between the
> address in the From and the SPF record for the envelope sender,
> correct?

No. DKIM is a way for an MTA, generally the originating MTA, to sign a
message with a key belonging to a domain. A verifier looks up the key
in DNS and checks this. So you can get DKIM validity of the From:
field, or of the envelope.

For your message as received through the list, several rules fired:

DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU

but not DKIM_VALID_EF. This is actually rare because the SA list is
one of only a few that does not modify the Subject: or add junk to the
message, both of which break the signature.

I recently received another message, via groups.io, which had
DKIM_VALID_EF but no DKIM signature on the author.

None of this has anything to do with SPF, but read about DMARC which is
sort of like SPF but can say "messages should have DKIM signatures".
And then after not being happy about mailing lists that break messages,
read about ARC. This will not be quick...

Re: FROMNAME and PDS_FROM_2_EMAILS
On Sat, 8 May 2021 17:04:00 -0400
Alex wrote:

> Hi,
> I'm trying to understand the FROMNAME rules and a potential conflict
> with PDS_FROM_2_EMAILS.
>
> I understand FROMNAME_SPOOF is designed to catch differences like:
>
> From: "no-reply@amazon.com" <joe@example.com>
>
> but what other spoofs is the FromName.pm plugin designed to catch?

That's pretty much it. The plugin never really needed to exist.

> I've also noticed that the PDS_FROM_2_EMAILS meta and
> PDS_FROMNAME_SPOOFED_EMAIL hits on many similar components that I
> wondered if there's overlap

Duplication is quite common.

PDS_FROMNAME_SPOOFED_EMAIL doesn't appear to exist anymore.

PDS_FROM_2_EMAILS is similar to what the plugin does, but it contains
exclusions that, amongst other things, reduce matches on mail from
actual mail servers. It includes "&& !__DKIM_EXISTS", so it's useless in
the case where <joe@example.com> is from an account or mail-system
abused to gain a DMARC pass.

Re: FROMNAME and PDS_FROM_2_EMAILS
On Sun, 9 May 2021, RW wrote:

> PDS_FROM_2_EMAILS is similar to what the plugin does, but it contains
> exclusions that, amongst other things, reduce matches on mail from
> actual mail servers. It includes "&& !__DKIM_EXISTS", so it's useless in
> the case where <joe@example.com> is from an account or mail-system
> abused to gain a DMARC pass.

That was done because only (or mostly) masscheck corpora ham was hitting
that combination.

overlap ham: 95% of __PDS_FROM_2_EMAILS hits also hit __DKIM_EXISTS; 1%
of __DKIM_EXISTS hits also hit __PDS_FROM_2_EMAILS (spam 6%)

Excluding DKIM_VALID_AU is a little better from the POV of not ignoring
spam, but it excludes less ham:

overlap ham: 72% of __PDS_FROM_2_EMAILS hits also hit DKIM_VALID_AU;
1% of DKIM_VALID_AU hits also hit __PDS_FROM_2_EMAILS (spam 2%)

...possibly because fewer sites sign the author?


If you want to build a meta rule regarding a from name mismatch, you
should be using the raw __PDS_FROM_2_EMAILS subrule, **not** the
FP-reduced scored rule PDS_FROM_2_EMAILS.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Today: the 76th anniversary of VE day
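The following is an added illustration, not code from SpamAssassin's FromName.pm or from the PDS rule set. It reproduces the shape of the check the thread describes (an address embedded in the From: display name whose domain differs from the real address) and shows why a meta rule should build on the raw subrule rather than the scored one: the `&& !__DKIM_EXISTS` exclusion silences exactly the case RW raises. The registered-domain heuristic (last two labels) and the sample headers are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Matches an address-like token and captures its domain part.
EMAIL_RE = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)', re.IGNORECASE)


def registered_domain(domain):
    """Crude registered-domain reduction: keep the last two labels.
    A production rule would consult a public-suffix list (assumption)."""
    labels = domain.lower().split('.')
    return '.'.join(labels[-2:])


def fromname_mismatch(from_header):
    """Raw check, comparable in spirit to __PDS_FROM_2_EMAILS.

    Returns (display_name_domain, address_domain) when the display name
    embeds an e-mail address whose registered domain differs from the
    real address, otherwise None."""
    name, addr = parseaddr(from_header)
    match = EMAIL_RE.search(name)
    if not match or '@' not in addr:
        return None
    name_dom = registered_domain(match.group(1))
    addr_dom = registered_domain(addr.rsplit('@', 1)[1])
    if name_dom == addr_dom:
        return None
    return (name_dom, addr_dom)


def scored_rule(from_header, dkim_exists):
    """FP-reduced variant with the exclusion the thread describes:
    raw check AND NOT __DKIM_EXISTS. A DKIM-signed message from an
    abused account never fires, which is the gap RW points out."""
    return fromname_mismatch(from_header) is not None and not dkim_exists


if __name__ == '__main__':
    # Constructed samples; the first mirrors the header quoted in the thread.
    for hdr in ['"no-reply@amazon.com" <joe@example.com>',
                'Joe Example <joe@example.com>',
                '"alerts@mail.example.com" <noreply@example.com>']:
        print(hdr, '->', fromname_mismatch(hdr))
```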