Mailing List Archive

DKIM_* scores
Hello,

I noticed that the mere existence of a DKIM signature can push the score under zero:

DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,

...so the cumulative score is -0.2.

I'm aware that we don't have many rules with negative scores, but multiple
scores for a single valid DKIM signature should not be redundant.



do you people modify scores of these rules?
I would turn both off, but DKIM_VALID is used in some meta rules...

score DKIM_VALID -0.001
score DKIM_VALID_EF -0.001

I have also tuned tflags, for sure:

tflags DKIM_VALID noautolearn net nice
tflags DKIM_VALID_EF noautolearn net nice


BTW, looking at metas in 72_active.cf:

meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS

!DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU should be enough


meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID

meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF

shouldn't these contain DKIM_VALID_AU instead?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
Re: DKIM_* scores
Matus UHLAR - fantomas <uhlar@fantomas.sk> writes:

> I noticed that pure existence of DKIM signature can push score under zero:
>
> DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
>
> ...so the cumulative score is -0.2.
>
> I'm aware that we don't have many rules with negative scores, but multiple
> scores for a single valid DKIM signature should not be redundant.

I don't follow the logic in "should not be redundant" especially for
scores with such low values of -0.1.

You're talking about "below 0", but what matters is "<5", per SA
doctrine.

As I see it SIGNED and VALID are intended to cancel, causing a signature
that isn't valid to get a +0.1. That seems sensible, although given how
much DKIM is broken by mailing lists that (incorrectly IMHO) modify
messages, it doesn't seem really useful to make that higher.

And then there's -0.1 for a valid dkim matching From: and another -0.1
for valid dkim matching the envelope sender, which is often different.
So -0.2 means that there are two dkim signatures, one for each, and they
are both valid. Not a guarantee of ham of course, but -0.2 is a small
score.

It's a fair question to ask how these shake out with masscheck, but I
see nothing intrinsically wrong.

> do you people modify scores of these rules?
> I would turn both off, but DKIM_VALID is used in some meta rules...

I am someone who tweaks a lot of scores, but basically my tweaking
reduces scores of +3 or more down a few points because I find they hit
ham, and scoring up things of 1-2 to higher because they hit my spam and
I find they don't really hit my ham. I have never been motivated to
adjust these.

For me, the biggest deal with dkim is that I can whitelist_from_dkim for
senders, and avoid whitelisting forged mail not actually from them.

> BTW, looking at metas in 72_active.cf:
>
> meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
> meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
>
> !DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU should be enough

I don't think so. These are negated. And, a dkim signature from some
random domain that is not the From: or envelope-from will cause
DKIM_VALID. But I do think !DKIM_VALID will imply !DKIM_VALID_AU.
Still, I'm 50/50 whether I'm right or I'm about to learn something.
>
> meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST &&
> !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED &&
> !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
>
> meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
> meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
>
> shouldn't these contain DKIM_VALID_AU instead?

perhaps, but the problem is that there is a lot of mail that is From:
info@foobank.com and has envelope-from of
foobank-sender@bankserviceprovider.com with a dkim from
bankserviceprovider.com. This is bogus; people who deal with
foobank.com should be able to
whitelist_from_dkim *@foobank.com
and treat everything else claiming to be from foobank as spam/phish.
But the world isn't like that.
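As an added illustration of the distinction drawn in this reply (example code written for this archive, not SpamAssassin's own code): the model below takes already-verified signatures as input, since real verification needs DNS, and maps them to the DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU and DKIM_VALID_EF rules and to whitelist_from_dkim matching as the DKIM plugin documents them. The foobank.com / bankserviceprovider.com addresses are the constructed scenario from this message; the subdomain handling in identity_matches is an assumption, not something the thread states.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from fnmatch import fnmatch
from typing import List, Optional, Set


@dataclass(frozen=True)
class Signature:
    domain: str                      # d= tag of the DKIM-Signature header
    valid: bool                      # verification result, supplied as input (needs DNS to compute)
    identity: Optional[str] = None   # i= tag; None means the RFC 6376 default of "@<d=>"

    @property
    def effective_identity(self) -> str:
        return (self.identity or "@" + self.domain).lower()


def identity_matches(sig: Signature, address: str) -> bool:
    """Does the signature's identity cover the given address?

    Assumption: an identity '@d' covers an address in domain d or any
    subdomain of d; an identity with a local part must equal the whole address.
    """
    local, _, id_domain = sig.effective_identity.partition("@")
    addr = parseaddr(address)[1].lower()
    if local:
        return addr == sig.effective_identity
    addr_domain = addr.rpartition("@")[2]
    return addr_domain == id_domain or addr_domain.endswith("." + id_domain)


def dkim_rules_hit(from_header: str, envelope_from: str, sigs: List[Signature]) -> Set[str]:
    """Which of DKIM_SIGNED / DKIM_VALID / DKIM_VALID_AU / DKIM_VALID_EF fire."""
    hits: Set[str] = set()
    if sigs:
        hits.add("DKIM_SIGNED")              # some signature is present, valid or not
    valid = [s for s in sigs if s.valid]
    if valid:
        hits.add("DKIM_VALID")               # some signature verifies, whoever signed
    if any(identity_matches(s, from_header) for s in valid):
        hits.add("DKIM_VALID_AU")            # a valid signature covers the From: (author) address
    if any(identity_matches(s, envelope_from) for s in valid):
        hits.add("DKIM_VALID_EF")            # a valid signature covers the envelope sender
    return hits


def whitelist_from_dkim_matches(entry: str, from_header: str, sigs: List[Signature],
                                signing_domain: Optional[str] = None) -> bool:
    """Model of 'whitelist_from_dkim <author-glob> [signing-domain]'.

    Without a signing-domain argument only an author domain signature is
    accepted, so a valid signature from a service provider does not whitelist
    mail claiming to be From: the bank. (Called welcomelist_from_dkim in 4.0.)
    """
    author = parseaddr(from_header)[1].lower()
    if not fnmatch(author, entry.lower()):
        return False
    for sig in sigs:
        if not sig.valid:
            continue
        if signing_domain is None:
            if identity_matches(sig, from_header):
                return True
        elif sig.domain.lower() == signing_domain.lower():
            return True
    return False


# Constructed scenario from the thread: mail From: the bank, sent through a
# service provider that signs with its own domain.
FOOBANK_FROM = "Foo Bank <info@foobank.com>"
ESP_ENVELOPE_FROM = "foobank-sender@bankserviceprovider.com"
ESP_SIG = [Signature("bankserviceprovider.com", True)]
OWN_SIG = [Signature("foobank.com", True)]
BROKEN_OWN_SIG = [Signature("foobank.com", False)]   # e.g. body modified by a mailing list


if __name__ == "__main__":
    for label, env, sigs in [("provider-signed", ESP_ENVELOPE_FROM, ESP_SIG),
                             ("author-signed", ESP_ENVELOPE_FROM, OWN_SIG),
                             ("author == sender", "bounces@foobank.com", OWN_SIG),
                             ("broken signature", ESP_ENVELOPE_FROM, BROKEN_OWN_SIG)]:
        print(f"{label:18} {sorted(dkim_rules_hit(FOOBANK_FROM, env, sigs))}")
    print("whitelist_from_dkim *@foobank.com, provider-signed:",
          whitelist_from_dkim_matches("*@foobank.com", FOOBANK_FROM, ESP_SIG))
```

The provider-signed message hits DKIM_SIGNED, DKIM_VALID and DKIM_VALID_EF but not DKIM_VALID_AU, and `whitelist_from_dkim *@foobank.com` does not match it; the same mail signed by foobank.com itself gets DKIM_VALID_AU and is whitelisted. When author and envelope sender share a domain and that domain signs, all four rules fire from one signature.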
Re: DKIM_* scores
Correct. The fact that there are some scores that add up to approximately
-0.2 is negligible when compared to a standard threshold of 5.0.

Do you have false positives being caused by these emails? Do you have false
negatives? That's more important to look at than just focusing on one set
of rules.

Regards, KAM

On Mon, Jul 26, 2021, 08:08 Greg Troxel <gdt@lexort.com> wrote:

Re: DKIM_* scores
On 2021-07-26 14:40, Kevin A. McGrail wrote:
> Correct. The fact that there are some scores that add up to
> approximately -0.2 is negligible when compared to a standard threshold
> of 5.0.
>
> Do you have false positives being caused by these emails? Do you have
> false negatives? That's more important to look at than just focusing
> on one set of rules.

I bet when SpamAssassin 4.0.0 is out there will be more problems :=)

All senders can make DKIM pass, all senders can make SPF pass, all
recipients want to solve this, lol

Now, to add to the mix, OpenARC tries to pass the originating DKIM/SPF pass or
fail on to forwarded recipients, to be retested at the DMARC stage, but
OpenDMARC is not ready yet since only OpenDMARC in trunk supports it
still (AR header parsing).

In SpamAssassin 4.0.0 it will be DMARC testing, not trust in forged
headers, anyway. Will SpamAssassin evaluate ARC chains? I hope it will.

If anything should change, it could be to change the scores so it's not physically
seen as -0.1 for each negative score but more of a 0 score, while in
Perl it's really -0.01; that makes it stronger by not counting much,
while not breaking anything.

It's still raining......
Re: DKIM_* scores
On Mon, 26 Jul 2021 08:08:10 -0400
Greg Troxel wrote:



> So -0.2 means that there are two dkim signatures, one for each, and
> they are both valid.

It could do, but usually it just means that the sender and author
domains are the same.


>
> > BTW, looking at metas in 72_active.cf:
> >
> > meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED &&
> > !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU &&
> > !RCVD_IN_DNSWL_NONE meta XPRIO __XPRIO_MINFP &&
> > !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU
> > && !RCVD_IN_DNSWL_NONE && !SPF_PASS
> >
> > !DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU
> > should be enough
>
> I don't think so. These are negated.


"&& !DKIM_SIGNED " means the rule can only be true if there's no
signature, so none of the terms with __DKIM_DEPENDABLE, DKIM_VALID, and
DKIM_VALID_AU make any difference.

It's usually not a good idea to use DKIM_SIGNED because it relies on
the plugin, whereas __DKIM_EXISTS and the duplicate rule
__HAS_DKIM_SIGHD don't.
Re: DKIM_* scores
On Mon, 26 Jul 2021 18:05:35 +0100
RW wrote:


> "&& !DKIM_SIGNED " means the rule can only be true if there's no
> signature, so none of the terms with __DKIM_DEPENDABLE, DKIM_VALID,
> and DKIM_VALID_AU make any difference.

Actually it's worse than that __DKIM_DEPENDABLE is always true if there
are no signatures, so !DKIM_SIGNED && !__DKIM_DEPENDABLE is always
false.

The ruleqa shows one hit on XPRIO.
Re: DKIM_* scores
>On Mon, 26 Jul 2021 08:08:10 -0400 Greg Troxel wrote:
>> So -0.2 means that there are two dkim signatures, one for each, and
>> they are both valid.

On 26.07.21 18:05, RW wrote:
>It could do, but usually it just means that the sender and author
>domains are the same.

>> > BTW, looking at metas in 72_active.cf:
>> >
>> > meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED &&
>> > !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU &&
>> > !RCVD_IN_DNSWL_NONE meta XPRIO __XPRIO_MINFP &&
>> > !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU
>> > && !RCVD_IN_DNSWL_NONE && !SPF_PASS
>> >
>> > !DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU
>> > should be enough
>>
>> I don't think so. These are negated.

If there's no valid signature, there can't be a valid author domain
signature.

If there's a valid author domain signature, there's surely at least a valid
signature.

IMHO we should compare the author domain signature, not any (random) signature.


>"&& !DKIM_SIGNED " means the rule can only be true if there's no
>signature, so none of the terms with __DKIM_DEPENDABLE, DKIM_VALID, and
>DKIM_VALID_AU make any difference.
>
>It's usually not a good idea to use DKIM_SIGNED because it relies on
>the plugin, whereas __DKIM_EXISTS and the duplicate rule
>__HAS_DKIM_SIGHD don't.

Yes, more rules are kinda redundant here:

!DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU

If the message is not signed, then the signature can't be valid or invalid. If any
of the signatures is valid, the message is signed.

The !DKIM_SIGNED is useless here unless it's a performance optimization.
Is it?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
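The redundancy question about the XPRIO meta can be settled by enumeration. The code below is an added example, not SpamAssassin's meta-rule parser: it evaluates SpamAssassin's meta syntax (!, &&, ||, parentheses, a trailing # comment) over every combination of the four DKIM sub-rules that is consistent with the relations stated in this thread, which it takes as assumptions: a valid signature implies a present one, an author domain signature implies a valid one, and __DKIM_DEPENDABLE is true when there are no signatures. The XPRIO line is the one quoted from 72_active.cf above.

```python
import itertools
import re
from typing import FrozenSet, Iterable, List, Set

TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z0-9_]+)")


def tokenize(expr: str) -> List[str]:
    """Split a meta expression into tokens; a trailing '# comment' is dropped."""
    expr = expr.split("#", 1)[0].strip()
    pos, out = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Parser:
    """Recursive descent over meta syntax; precedence is ! before && before ||."""

    def __init__(self, tokens: List[str], hits: Set[str]):
        self.toks, self.i, self.hits = tokens, 0, hits

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> bool:
        value = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return value

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == "||":
            self.take()
            rhs = self.parse_and()       # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self.peek() == "&&":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        if self.peek() == "(":
            self.take()
            value = self.parse_or()
            self.take(")")
            return value
        name = self.take()
        if name is None or name in ("&&", "||", ")"):
            raise ValueError("expected a rule name")
        return name in self.hits         # a rule "hit" is simply membership in the hit set


def evaluate(expr: str, hits: Iterable[str]) -> bool:
    return Parser(tokenize(expr), set(hits)).parse()


DKIM_RULES = ["DKIM_SIGNED", "__DKIM_DEPENDABLE", "DKIM_VALID", "DKIM_VALID_AU"]


def consistent(hits: Set[str]) -> bool:
    """Assumed relations between the DKIM sub-rules, taken from the thread."""
    signed, dependable, valid, au = (r in hits for r in DKIM_RULES)
    if valid and not signed:            # a valid signature is a signature
        return False
    if au and not valid:                # an author domain signature is a valid signature
        return False
    if not signed and not dependable:   # no signatures at all counts as dependable
        return False
    return True


def consistent_states() -> List[FrozenSet[str]]:
    states = []
    for bits in itertools.product([False, True], repeat=len(DKIM_RULES)):
        hits = {r for r, b in zip(DKIM_RULES, bits) if b}
        if consistent(hits):
            states.append(frozenset(hits))
    return states


def equivalent(a: str, b: str) -> bool:
    return all(evaluate(a, s) == evaluate(b, s) for s in consistent_states())


XPRIO = ("__XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID"
         " && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE")


def findings() -> dict:
    return {
        # dropping !DKIM_VALID_AU changes nothing; dropping !DKIM_VALID would
        "au_term_redundant": equivalent("!DKIM_VALID && !DKIM_VALID_AU", "!DKIM_VALID"),
        "valid_term_redundant": equivalent("!DKIM_VALID && !DKIM_VALID_AU", "!DKIM_VALID_AU"),
        # with the dependable-when-unsigned relation, XPRIO can never fire
        "xprio_can_hit": any(evaluate(XPRIO, s | {"__XPRIO_MINFP"}) for s in consistent_states()),
        "xprio_can_hit_without_dependable_term": any(
            evaluate(XPRIO.replace(" && !__DKIM_DEPENDABLE", ""), s | {"__XPRIO_MINFP"})
            for s in consistent_states()),
    }


if __name__ == "__main__":
    for k, v in findings().items():
        print(f"{k}: {v}")
```

Under these assumptions there are seven consistent hit combinations; over all of them `!DKIM_VALID && !DKIM_VALID_AU` is the same test as `!DKIM_VALID` (the author domain term is the redundant one, not the other way round), and the full XPRIO expression is never true as long as `!DKIM_SIGNED && !__DKIM_DEPENDABLE` stays in it.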
Re: DKIM_* scores
On 26.07.21 08:40, Kevin A. McGrail wrote:
>Correct. The fact that there are some scores that add up to approximately
>-0.2 is negligible when compared to a standard threshold of 5.0.
>
>Do you have false positives being caused by these emails? Do you have false
>negatives? That's more important to look at then just focusing on one set
>of rules.

To be more precise, I have a case where these caused mail to be autolearned as
ham, which is even worse than a FN.

I tried to filter out other rules that could cause it.

Unfortunately no other rules hit that could avoid training.

>> Matus UHLAR - fantomas <uhlar@fantomas.sk> writes:
>>
>> > I noticed that pure existence of DKIM signature can push score under zero:
>> >
>> > DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
>> >
>> > ...so the cumulative score is -0.2.
>> >
>> > I'm aware that we don't have many rules with negative scores, but
>> multiple
>> > scores for a single valid DKIM signature should not be redundant.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
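To see how a DKIM-only hit list ends up auto-learned as ham, and what the score and tflags lines from the first message in this thread change, here is an added model of the auto-learn decision. It is not SpamAssassin's AutoLearnThreshold code; it follows that plugin's documented behaviour (rules with tflags noautolearn or userconf are skipped, Bayes 'learn' rules are tracked separately, ham needs points below bayes_auto_learn_threshold_nonspam, spam needs points at or above bayes_auto_learn_threshold_spam plus 3 header-only and 3 body-only points, and the auto-learn verdict must agree with the real spam/ham verdict). The rule table, its header/body classification and the hit lists are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

REQUIRED_SCORE = 5.0    # required_score default: the message's real spam/ham verdict
HAM_THRESHOLD = 0.1     # bayes_auto_learn_threshold_nonspam default
SPAM_THRESHOLD = 12.0   # bayes_auto_learn_threshold_spam default
MIN_HEAD_POINTS = 3.0   # spam auto-learning also needs this many header-only points...
MIN_BODY_POINTS = 3.0   # ...and this many body-only points

# (score, tflags, header-only / body-only / other); constructed for the example
Rule = Tuple[float, Set[str], str]
DEFAULT_RULES: Dict[str, Rule] = {
    "DKIM_SIGNED":   (0.1,   {"net"},         "header"),
    "DKIM_VALID":    (-0.1,  {"net", "nice"}, "header"),
    "DKIM_VALID_AU": (-0.1,  {"net", "nice"}, "header"),
    "DKIM_VALID_EF": (-0.1,  {"net", "nice"}, "header"),
    "HTML_MESSAGE":  (0.001, set(),           "body"),
    "BAYES_99":      (3.5,   {"learn"},       "body"),
}


def tuned_rules(rules: Dict[str, Rule]) -> Dict[str, Rule]:
    """The tuning from the first message: near-zero scores plus noautolearn on two rules."""
    tuned = dict(rules)
    tuned["DKIM_VALID"] = (-0.001, {"noautolearn", "net", "nice"}, "header")
    tuned["DKIM_VALID_EF"] = (-0.001, {"noautolearn", "net", "nice"}, "header")
    return tuned


def autolearn_points(hits: List[str], rules: Dict[str, Rule]) -> Tuple[float, float, float, float]:
    """Points the auto-learner sees: (total, header-only, body-only, Bayes 'learn' points)."""
    total = head = body = learned = 0.0
    for name in hits:
        score, tflags, kind = rules[name]
        if "noautolearn" in tflags or "userconf" in tflags:
            continue                     # excluded from auto-learning entirely
        if "learn" in tflags:
            learned += score             # Bayes' own opinion, tracked separately
            continue
        if score == 0:
            continue
        if kind == "header":
            head += score
        elif kind == "body":
            body += score
        total += score
    return total, head, body, learned


def autolearn_decision(hits: List[str], rules: Dict[str, Rule]) -> Optional[str]:
    """'ham', 'spam', or None (not learned), mirroring the documented discriminator."""
    is_spam = sum(rules[n][0] for n in hits) >= REQUIRED_SCORE
    total, head, body, learned = autolearn_points(hits, rules)
    if total < HAM_THRESHOLD:
        if learned > 1.0 or is_spam:     # learner said spam, or the real verdict disagrees
            return None
        return "ham"
    if total >= SPAM_THRESHOLD:
        if head < MIN_HEAD_POINTS or body < MIN_BODY_POINTS:
            return None
        if learned < -1.0 or not is_spam:
            return None
        return "spam"
    return None                          # inside the thresholds: nothing is learned


DKIM_ONLY_HITS = ["DKIM_SIGNED", "DKIM_VALID", "DKIM_VALID_AU", "DKIM_VALID_EF", "HTML_MESSAGE"]


def compare() -> Dict[str, Optional[str]]:
    """Auto-learn verdict for a message hitting only the DKIM rules, per configuration."""
    all_three = tuned_rules(DEFAULT_RULES)
    all_three["DKIM_VALID_AU"] = (-0.1, {"noautolearn", "net", "nice"}, "header")
    return {
        "stock scores": autolearn_decision(DKIM_ONLY_HITS, DEFAULT_RULES),
        "first message's tuning": autolearn_decision(DKIM_ONLY_HITS, tuned_rules(DEFAULT_RULES)),
        "noautolearn on all three": autolearn_decision(DKIM_ONLY_HITS, all_three),
        "stock scores + BAYES_99": autolearn_decision(DKIM_ONLY_HITS + ["BAYES_99"], DEFAULT_RULES),
    }


if __name__ == "__main__":
    for label, verdict in compare().items():
        print(f"{label:26} -> {verdict}")
```

With the stock scores the five hits sum to -0.199 and the model learns the message as ham. With noautolearn on DKIM_VALID and DKIM_VALID_EF only, DKIM_SIGNED and DKIM_VALID_AU still cancel to 0.001, which is still below the 0.1 ham threshold; only when all three negative DKIM rules are excluded does DKIM_SIGNED's 0.1 leave the message inside the thresholds, and a BAYES_99 hit blocks ham learning on its own because the learner already said spam.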
Re: DKIM_* scores
On Mon, 26 Jul 2021, RW wrote:

> On Mon, 26 Jul 2021 18:05:35 +0100
> RW wrote:
>
>
>> "&& !DKIM_SIGNED " means the rule can only be true if there's no
>> signature, so none of the terms with __DKIM_DEPENDABLE, DKIM_VALID,
>> and DKIM_VALID_AU make any difference.
>
> Actually it's worse than that __DKIM_DEPENDABLE is always true if there
> are no signatures, so !DKIM_SIGNED && !__DKIM_DEPENDABLE is always
> false.

Thanks for pointing that out.

Those are "FP exclusions", not part of the base rule logic - generated by
inspecting the ruleqa results and excluding hits on other rules where the
combination is hammy and not (or very weakly, like 1%) spammy. The
interactions of combinations of those exclusions aren't considered.

They also need to be reviewed periodically, which I'm doing now for XPRIO.
__DKIM_DEPENDABLE is no longer a useful FP exclusion for XPRIO, as it hits
100% of the spam hits.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim IX: Never turn your back on an enemy.
-----------------------------------------------------------------------
8 days until the 286th anniversary of John Peter Zenger's acquittal