Mailing List Archive

How to deal with bounce messages
Hi,

I'm seeing bounce messages being tagged incorrectly and would like
some help in how to fix it. This is mail sent from our servers.

https://pastebin.com/s032ndrA

It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
also KAM_DMARC_REJECT, giving it no opportunity to ever get delivered.
I'm assuming it's failing DMARC because the envelope sender is the
same as the original message but the message body and From address are
that of the rejecting server.

How do others deal with this? I'm just now seeing
welcomelist_bounce_relays - I don't think I've seen that before or
have defined it. The description says the BOUNCE_MESSAGE won't fire if
this isn't defined, yet this rule was triggered.

It's also somehow hitting BAYES_99 - do you train your bounce messages?

Thanks,
Alex
Re: How to deal with bounce messages
On 22.04.22 08:40, Alex wrote:
>I'm seeing bounce messages being tagged incorrectly and would like
>some help in how to fix it. This is mail sent from our servers.
>
>https://pastebin.com/s032ndrA
>
>It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but

where did you get these from?

>also KAM_DMARC_REJECT, giving it no opportunity to ever get delivered.
>I'm assuming it's failing DMARC because the envelope sender is the
>same as the original message but the message body and From address are
>that of the rejecting server.

DMARC is built on header From:, this needs either correct DKIM, or correct SPF
with envelope from domain equal to header From: domain.

this message has no DKIM signature. policy is reject:

_dmarc.deltra.de. 86400 IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@deltra.de"

and spf is unapplicable since the envelope from is null.

so the DMARC reject is correct.

>How do others deal with this? I'm just now seeing
>welcomelist_bounce_relays - I don't think I've seen that before or
>have defined it. The description says the BOUNCE_MESSAGE won't fire if
>this isn't defined, yet this rule was triggered.
>
>It's also somehow hitting BAYES_99 - do you train your bounce messages?

yes.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: How to deal with bounce messages
> >https://pastebin.com/s032ndrA
> >
> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
>
> where did you get these from?

I just realized these are from my local rules, put together from a
conversation many years ago, apparently from before SA had built-in
DMARC support.

https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

> DMARC is built on header From:, this needs either correct DKIM, or correct SPF
> with envelope from domain equal to header From: domain.
>
> this message has no DKIM signature. policy is reject:
>
> _dmarc.deltra.de. 86400 IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@deltra.de"

Ah yes, thanks.

> and spf is unapplicable since the envelope from is null.

Isn't that the case with all bounce messages?

> >It's also somehow hitting BAYES_99 - do you train your bounce messages?
>
> yes.

Great, thanks.
Re: How to deal with bounce messages
>> >https://pastebin.com/s032ndrA
>> >
>> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
>>
>> where did you get these from?

On 22.04.22 10:02, Alex wrote:
>I just realized these are from my local rules, put together from a
>conversation many years ago, apparently from before SA had built-in
>DMARC support.
>
>https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

now I really wonder why these aren't part of stock SA rules.

>> DMARC is built on header From:, this needs either correct DKIM, or correct SPF
>> with envelope from domain equal to header From: domain.
>>
>> this message has no DKIM signature. policy is reject:
>>
>> _dmarc.deltra.de. 86400 IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@deltra.de"
>
>Ah yes, thanks.
>
>> and spf is unapplicable since the envelope from is null.
>
>Isn't that the case with all bounce messages?

usually yes, it should be. But we of course can't guarantee that.

This also means that SPF can't be used, thus either those messages have DKIM
signatures, or they CAN NOT pass DMARC.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: How to deal with bounce messages
Matus UHLAR - fantomas:
> > > and spf is unapplicable since the envelope from is null.
> >
> > Isn't that the case with all bounce messages?
>
> usually yes, it should be. But we of course can't guarantee that.
>
> This also means that SPF can't be used, thus either those messages have DKIM
> signatures, or they CAN NOT pass DMARC.

In SPF, when the reverse-path is null, the HELO name is instead
verified. So a null reverse-path can work fine with relaxed alignment.
Re: How to deal with bounce messages
>> > > and spf is unapplicable since the envelope from is null.
>> >
>> > Isn't that the case with all bounce messages?

>Matus UHLAR - fantomas:
>> usually yes, it should be. But we of course can't guarantee that.
>>
>> This also means that SPF can't be used, thus either those messages have DKIM
>> signatures, or they CAN NOT pass DMARC.

On 22.04.22 16:22, David Bürgin wrote:
>In SPF, when the reverse-path is null, the HELO name is instead
>verified. So a null reverse-path can work fine with relaxed alignment.

but related to DMARC, this could only be applied in case of the HELO
being identical to From: domain I guess

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: How to deal with bounce messages
Matus UHLAR - fantomas:
> > > > > and spf is unapplicable since the envelope from is null.
> > > >
> > > > Isn't that the case with all bounce messages?
>
> > Matus UHLAR - fantomas:
> > > usually yes, it should be. But we of course can't guarantee that.
> > >
> > > This also means that SPF can't be used, thus either those messages have DKIM
> > > signatures, or they CAN NOT pass DMARC.
>
> On 22.04.22 16:22, David Bürgin wrote:
> > In SPF, when the reverse-path is null, the HELO name is instead
> > verified. So a null reverse-path can work fine with relaxed alignment.
>
> but related to DMARC, this could only be applied in case of the HELO
> being identical to From: domain I guess

If some mail server sends you a bounce message, part of the conversation
will be:

EHLO mail.mydomain.org
MAIL FROM:<>
...
From: me <me@mydomain.org>

When MAIL FROM is empty, SPF will verify the HELO domain (with
local-part ‘postmaster’) instead. In this example, given the proper
setup, mail.mydomain.org would pass SPF, and using the default relaxed
alignment, DMARC would pass based on SPF alone.
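
The check described above, as an added example (not part of the original post, and not SpamAssassin's code): it picks the domain SPF evaluates when MAIL FROM is null and tests its alignment with the header From: domain. The function names, the small suffix set and the relay.example host are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed, non-exhaustive suffix set (assumption); real evaluators use the
# Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"org", "de", "com", "co.uk"}


def org_domain(domain):
    """Public suffix plus one label: mail.mydomain.org -> mydomain.org."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def spf_domain(mail_from, helo):
    """Domain SPF evaluates: MAIL FROM's, or the HELO name if MAIL FROM is <>."""
    addr = mail_from.strip().strip("<>").strip()
    if not addr:
        return helo.lower(), "helo"  # checked as postmaster@<helo>
    return addr.rsplit("@", 1)[-1].lower(), "mailfrom"


def dmarc_result(mail_from, helo, header_from, spf_result,
                 dkim_pass_domains=(), strict=False):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else 'fail'.

    Simplification: one 'strict' flag stands in for both aspf and adkim.
    """
    from_dom = parseaddr(header_from)[1].rsplit("@", 1)[-1].lower()
    norm = (lambda d: d.lower()) if strict else org_domain
    candidates = list(dkim_pass_domains)
    if spf_result == "pass":
        candidates.append(spf_domain(mail_from, helo)[0])
    return "pass" if any(norm(d) == norm(from_dom) for d in candidates) else "fail"


if __name__ == "__main__":
    # The exchange from the post: null reverse-path, HELO under the From: domain.
    print(dmarc_result("<>", "mail.mydomain.org", "me <me@mydomain.org>", "pass"))
    # Constructed contrast: unrelated HELO host, From: in deltra.de, no DKIM.
    print(dmarc_result("<>", "mx.relay.example", "x <x@deltra.de>", "pass"))
```

With strict alignment the first case fails as well, because mail.mydomain.org is not identical to mydomain.org.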
Re: How to deal with bounce messages
Hi,

> >> >https://pastebin.com/s032ndrA
> >> >
> >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> >>
> >> where did you get these from?
>
> On 22.04.22 10:02, Alex wrote:
> >I just realized these are from my local rules, put together from a
> >conversation many years ago, apparently from before SA had built-in
> >DMARC support.
> >
> >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
>
> now I really wonder why these aren't part of stock SA rules.

Does this mean you are investigating further?

Are these rules from the link above useful?
Re: How to deal with bounce messages
>> >> >https://pastebin.com/s032ndrA
>> >> >
>> >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
>> >>
>> >> where did you get these from?
>>
>> On 22.04.22 10:02, Alex wrote:
>> >I just realized these are from my local rules, put together from a
>> >conversation many years ago, apparently from before SA had built-in
>> >DMARC support.
>> >
>> >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

>> now I really wonder why these aren't part of stock SA rules.

On 24.04.22 14:39, Alex wrote:
>Does this mean you are investigating further?

not me, as I'm not involved in SA deployment more than by being active here.
perhaps you could file a wishlist report...

>Are these rules from the link above useful?

looks like they are. KAM.cf contains similar rules, but having them in stock
SA would be nice.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
Re: How to deal with bounce messages
On Mon, Apr 25, 2022 at 11:48:52AM +0200, Matus UHLAR - fantomas wrote:
> > > >> >https://pastebin.com/s032ndrA
> > > >> >
> > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> > > >>
> > > >> where did you get these from?
> > >
> > > On 22.04.22 10:02, Alex wrote:
> > > >I just realized these are from my local rules, put together from a
> > > >conversation many years ago, apparently from before SA had built-in
> > > >DMARC support.
> > > >
> > > >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
>
> > > now I really wonder why these aren't part of stock SA rules.
>
> On 24.04.22 14:39, Alex wrote:
> > Does this mean you are investigating further?
>
> not me, as I'm not involved in SA deployment more than by being active here.
> perhaps you could file a wishlist report...
>
> > Are these rules from the link above useful?
>
> looks like they are. KAM.cf contains similar rules, but having them in stock
> SA would be nice.

Soon released 4.0.0 already has a dedicated DMARC plugin, such rules should
become obsolete. Testers would be appreciated..
Re: How to deal with bounce messages
On Mon, Apr 25, 2022 at 12:50:49PM +0300, Henrik K wrote:
> On Mon, Apr 25, 2022 at 11:48:52AM +0200, Matus UHLAR - fantomas wrote:
> > > > >> >https://pastebin.com/s032ndrA
> > > > >> >
> > > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> > > > >>
> > > > >> where did you get these from?
> > > >
> > > > On 22.04.22 10:02, Alex wrote:
> > > > >I just realized these are from my local rules, put together from a
> > > > >conversation many years ago, apparently from before SA had built-in
> > > > >DMARC support.
> > > > >
> > > > >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
> >
> > > > now I really wonder why these aren't part of stock SA rules.
> >
> > On 24.04.22 14:39, Alex wrote:
> > > Does this mean you are investigating further?
> >
> > not me, as I'm not involved in SA deployment more than by being active here.
> > perhaps you could file a wishlist report...
> >
> > > Are these rules from the link above useful?
> >
> > looks like they are. KAM.cf contains similar rules, but having them in stock
> > SA would be nice.
>
> Soon released 4.0.0 already has a dedicated DMARC plugin, such rules should
> become obsolete. Testers would be appreciated..
>
KAM.cf has already all the needed glue, if you update to trunk and enable DMARC plugin, DMARC rules will use new plugin code.
 Giovanni
Re: How to deal with bounce messages
On Mon, Apr 25, 2022 at 02:21:49PM +0200, Giovanni Bechis wrote:
> On Mon, Apr 25, 2022 at 12:50:49PM +0300, Henrik K wrote:
> > On Mon, Apr 25, 2022 at 11:48:52AM +0200, Matus UHLAR - fantomas wrote:
> > > > > >> >https://pastebin.com/s032ndrA
> > > > > >> >
> > > > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> > > > > >>
> > > > > >> where did you get these from?
> > > > >
> > > > > On 22.04.22 10:02, Alex wrote:
> > > > > >I just realized these are from my local rules, put together from a
> > > > > >conversation many years ago, apparently from before SA had built-in
> > > > > >DMARC support.
> > > > > >
> > > > > >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
> > >
> > > > > now I really wonder why these aren't part of stock SA rules.
> > >
> > > On 24.04.22 14:39, Alex wrote:
> > > > Does this mean you are investigating further?
> > >
> > > not me, as I'm not involved in SA deployment more than by being active here.
> > > perhaps you could file a wishlist report...
> > >
> > > > Are these rules from the link above useful?
> > >
> > > looks like they are. KAM.cf contains similar rules, but having them in stock
> > > SA would be nice.
> >
> > Soon released 4.0.0 already has a dedicated DMARC plugin, such rules should
> > become obsolete. Testers would be appreciated..
> >
> KAM.cf has already all the needed glue, if you update to trunk and enable DMARC plugin, DMARC rules will use new plugin code.
>  Giovanni

KAM.cf is not from SA project, not everyone uses it.. the DMARC stuff
should be implemented in stock rules for 4.0.0.
Re: How to deal with bounce messages
On Mon, Apr 25, 2022 at 03:48:01PM +0300, Henrik K wrote:
> On Mon, Apr 25, 2022 at 02:21:49PM +0200, Giovanni Bechis wrote:
> > KAM.cf has already all the needed glue, if you update to trunk and enable DMARC plugin, DMARC rules will use new plugin code.
> >  Giovanni
>
> KAM.cf is not from SA project, not everyone uses it.. the DMARC stuff
> should be implemented in stock rules for 4.0.0.

Committed to stock rules:
https://svn.apache.org/repos/asf/spamassassin/trunk/rules/25_dmarc.cf

Please someone double check that it looks usable, my covid brain can only do
so much right now. Automatic updates are still on pause for a few days due
to welcomelist changes, so it's not going live yet. Trunk is getting very
near to 4.0.0 pre-releases, so if people could actually install and test it,
would be great..