Mailing List Archive

On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> >>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
> >>>
> >>> ... and this is the perl library.
> >>>
> >>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> >>> isn't available, but uses the library if it does.
> >>>
> >>> could you (temporarily) uninstall the
> >>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> >>> if it fixes the problem?
>
> >On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
> >> Since uninstalling it this morning, there have been no other occurrences
> >> of KAM_DMARC_REJECT all day for any emails.
>
> have there been rejects often before?
>

I have hundreds of these over the last few days (week?), but they could go
back even further than that. It appears to primarily hit mailing lists or
statements from providers like AmEx or notices from Delta, for example.



> can you re-run spamassassin over those messages to see if uninstalling
> that
> package fixed the error with the same e-mails?
>

Yes, without that library, there's no reference to DMARC in the SA results
at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would trigger.

>> >>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>> >>>
>> >>> ... and this is the perl library.
>> >>>
>> >>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> >>> isn't available, but uses the library if it does.
>> >>>
>> >>> could you (temporarily) uninstall the
>> >>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> >>> if it fixes the problem?
>>
>> >On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
>> >> Since uninstalling it this morning, there have been no other occurrences
>> >> of KAM_DMARC_REJECT all day for any emails.


>On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
>wrote:
>> have there been rejects often before?

On 24.05.22 13:58, Alex wrote:
>I have hundreds of these over the last few days (week?), but they could go
>back even further than that. It appears to primarily hit mailing lists or
>statements from providers like AmEx or notices from Delta, for example.


>> can you re-run spamassassin over those messages to see if uninstalling
>> that package fixed the error with the same e-mails?

>Yes, without that library, there's no reference to DMARC in the SA results
>at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would trigger.

but you still get KAM_DMARC_REJECT for some mail? because KAM_DMARC_REJECT
has a workaround where it works w/o Mail::Dmarc::PurePerl


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.

>
>
>
> >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk
> >
> >wrote:
> >> have there been rejects often before?
>
> On 24.05.22 13:58, Alex wrote:
> >I have hundreds of these over the last few days (week?), but they could go
> >back even further than that. It appears to primarily hit mailing lists or
> >statements from providers like AmEx or notices from Delta, for example.
>
>
> >> can you re-run spamassassin over those messages to see if uninstalling
> >> that package fixed the error with the same e-mails?
>
> >Yes, without that library, there's no reference to DMARC in the SA results
> >at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would
> trigger.
>
> but you still get KAM_DMARC_REJECT for some mail? because
> KAM_DMARC_REJECT
> has a workaround where it works w/o Mail::Dmarc::PurePerl
>

No, I haven't seen any hits since uninstalling the perl library.

I also haven't any references to DMARC whatsoever from any SA rules since
it was uninstalled.

I otherwise have no way of telling if there should have been any hits, but
I'd imagine there should have been at least one in 24-hours.

It appears to have disabled DMARC functionality entirely.

>> >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas <uhlar@fantomas.sk
>> >wrote:
>> >> have there been rejects often before?
>>
>> On 24.05.22 13:58, Alex wrote:
>> >I have hundreds of these over the last few days (week?), but they could go
>> >back even further than that. It appears to primarily hit mailing lists or
>> >statements from providers like AmEx or notices from Delta, for example.
>>
>>
>> >> can you re-run spamassassin over those messages to see if uninstalling
>> >> that package fixed the error with the same e-mails?
>>
>> >Yes, without that library, there's no reference to DMARC in the SA results
>> >at all, even when T_DMARC_POLICY_NONE or T_DMARC_SIMPLE_DKIM would
>> trigger.
>>
>> but you still get KAM_DMARC_REJECT for some mail? because
>> KAM_DMARC_REJECT
>> has a workaround where it works w/o Mail::Dmarc::PurePerl

On 24.05.22 14:10, Alex wrote:
>No, I haven't seen any hits since uninstalling the perl library.
>
>I also haven't any references to DMARC whatsoever from any SA rules since
>it was uninstalled.

>I otherwise have no way of telling if there should have been any hits, but
>I'd imagine there should have been at least one in 24-hours.
>
>It appears to have disabled DMARC functionality entirely.

KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
available, but I'm not sure if loading that plugin doesn't disable them.

I have disabled loading it so let's see.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.

Hi,

>
> >I also haven't any references to DMARC whatsoever from any SA rules since
> >it was uninstalled.
>
> >I otherwise have no way of telling if there should have been any hits, but
> >I'd imagine there should have been at least one in 24-hours.
> >
> >It appears to have disabled DMARC functionality entirely.
>
> KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
> available, but I'm not sure if loading that plugin doesn't disable them.
>
> I have disabled loading it so let's see.
>

Any further thoughts on this? It appears removing the DMARC perl library
has disabled any DMARC support altogether.

>> >I also haven't any references to DMARC whatsoever from any SA rules since
>> >it was uninstalled.
>>
>> >I otherwise have no way of telling if there should have been any hits, but
>> >I'd imagine there should have been at least one in 24-hours.
>> >
>> >It appears to have disabled DMARC functionality entirely.
>>
>> KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
>> available, but I'm not sure if loading that plugin doesn't disable them.
>>
>> I have disabled loading it so let's see.

On 26.05.22 09:34, Alex wrote:
>Any further thoughts on this? It appears removing the DMARC perl library
>has disabled any DMARC support altogether.

disabling Mail::SpamAssassin::Plugin::DMARC should make KAM.cf revert to
it's simpler DMARC functioality

note that it requires:
Mail::SpamAssassin::Plugin::AskDNS
Mail::SpamAssassin::Plugin::DKIM
Mail::SpamAssassin::Plugin::SPF

no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)

On Thu, May 26, 2022 at 03:48:57PM +0200, Matus UHLAR - fantomas wrote:
> > > >I also haven't any references to DMARC whatsoever from any SA rules since
> > > >it was uninstalled.
> > >
> > > >I otherwise have no way of telling if there should have been any hits, but
> > > >I'd imagine there should have been at least one in 24-hours.
> > > >
> > > >It appears to have disabled DMARC functionality entirely.
> > >
> > > KAM.cf has some DMARC rules even without Mail::SpamAssassin::Plugin::DMARC
> > > available, but I'm not sure if loading that plugin doesn't disable them.
> > >
> > > I have disabled loading it so let's see.
>
> On 26.05.22 09:34, Alex wrote:
> > Any further thoughts on this? It appears removing the DMARC perl library
> > has disabled any DMARC support altogether.
>
> disabling Mail::SpamAssassin::Plugin::DMARC should
> make KAM.cf revert to it's simpler DMARC
> functioality
>
> note that it requires:
> Mail::SpamAssassin::Plugin::AskDNS
> Mail::SpamAssassin::Plugin::DKIM
> Mail::SpamAssassin::Plugin::SPF
>
> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.

Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
relevant to this thread.

Hi,

> > Any further thoughts on this? It appears removing the DMARC perl library
> > > has disabled any DMARC support altogether.
> >
> > disabling Mail::SpamAssassin::Plugin::DMARC should
> > make KAM.cf revert to it's simpler DMARC
> > functioality
> >
> > note that it requires:
> > Mail::SpamAssassin::Plugin::AskDNS
> > Mail::SpamAssassin::Plugin::DKIM
> > Mail::SpamAssassin::Plugin::SPF
>

Yes, these plugins are already enabled.

> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>
> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
> relevant to this thread.
>

Okay, new version in place, but without that perl DMARC plugin, still the
same results with only KAM_DMARC_STATUS hitting.

Going back to installing the PurePerl DMARC lib now as well.

>> > Any further thoughts on this? It appears removing the DMARC perl library
>> > > has disabled any DMARC support altogether.
>> >
>> > disabling Mail::SpamAssassin::Plugin::DMARC should
>> > make KAM.cf revert to it's simpler DMARC
>> > functioality
>> >
>> > note that it requires:
>> > Mail::SpamAssassin::Plugin::AskDNS
>> > Mail::SpamAssassin::Plugin::DKIM
>> > Mail::SpamAssassin::Plugin::SPF


>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>>
>> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
>> relevant to this thread.

according to:
https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3

it should fix the problem.

On 26.05.22 10:40, Alex wrote:
>Okay, new version in place, but without that perl DMARC plugin, still the
>same results with only KAM_DMARC_STATUS hitting.
>
>Going back to installing the PurePerl DMARC lib now as well.

let us know

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?

On Thu, May 26, 2022 at 10:40 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> > > Any further thoughts on this? It appears removing the DMARC perl
>> library
>> > > has disabled any DMARC support altogether.
>> >
>> > disabling Mail::SpamAssassin::Plugin::DMARC should
>> > make KAM.cf revert to it's simpler DMARC
>> > functioality
>> >
>> > note that it requires:
>> > Mail::SpamAssassin::Plugin::AskDNS
>> > Mail::SpamAssassin::Plugin::DKIM
>> > Mail::SpamAssassin::Plugin::SPF
>>
>
> Yes, these plugins are already enabled.
>
> > no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
>>
>> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might be
>> relevant to this thread.
>>
>
> Okay, new version in place, but without that perl DMARC plugin, still the
> same results with only KAM_DMARC_STATUS hitting.
>
> Going back to installing the PurePerl DMARC lib now as well.
>

Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT all
hitting.

* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.0 SPF_PASS SPF: sender matches SPF record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.7 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
* -1.5 DKIMWL_WL ASKDNS: DKIMwl.org - Whitelisted sender
* [wish.com.lookup.dkimwl.org A:127.0.13.5]
* 0.1 DMARC_REJECT DMARC reject policy
* 1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy

It was quarantined because it also hit BAYES_99 and a local rule, despite
lowering KAM_DMARC_REJECT to just 1 point.





>
>
>

Hi,

>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not.
> >>
> >> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might
> be
> >> relevant to this thread.
>
> according to:
>
> https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3
>
> it should fix the problem.
>

Okay, wait, it doesn't appear that I have those changes.

$ spamassassin --version
SpamAssassin version 4.0.0-r1900857
running on Perl version 5.34.1

I built SA using the following:

$ svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk
Mail-SpamAssassin-4.0.0

This gave me revision 1901294.

Is that not the proper trunk?

On 2022-05-26 15:34, Alex wrote:

> Any further thoughts on this? It appears removing the DMARC perl
> library has disabled any DMARC support altogether.

disable kam channel solves it ?

if it does then wait for final spamassassin 4.x.x and hope Mail:DMARC
finaly work with the DMARC plugin in all details with AuthRes plugin
deep data

change DKIM scores to not score dkim fails as reject score, rejects
should only happen on dmarc policy

On 2022-05-26 at 11:05:59 UTC-0400 (Thu, 26 May 2022 11:05:59 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

> Hi,
>
>>> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or
>>> not.
>>>>
>>>> Latest trunk has fix for DMARC waiting for SPF and DKIM results.
>>>> Might
>> be
>>>> relevant to this thread.
>>
>> according to:
>>
>> https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7501c3
>>
>> it should fix the problem.
>>
>
> Okay, wait, it doesn't appear that I have those changes.

Don't be confused: the GitHub repo is a read-only replica of the
in-house Subversion repo, which obviously uses different commit/revision
identifiers than git.


> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900857

That's the last change (in the Subversion repo) to the
Mail::SpamAssassin module.

> running on Perl version 5.34.1
>
> I built SA using the following:
>
> $ svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk
> Mail-SpamAssassin-4.0.0
>
> This gave me revision 1901294.
>
> Is that not the proper trunk?

That's the correct way to get our trunk.

Right now we are at r1901296, because automated ruleQA/update jobs
generate changes in trunk.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

[...]
> Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
> all
> hitting.

Can you get these to match by re-running the same message with the
'spamassassin' script? If so, try it with "-D DMARC" to get all the
messages from the plugin. They may be illuminating.

My suspicion *from a very quick 1st look at the code* is that the logic
for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
good' && 'p=reject,' which seems less than useful.

(And yes, the plugin just bails out, not returning any match, if
Mail::DMARC::PurePerl is not available.)




--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Hi,


On Thu, May 26, 2022 at 1:15 PM Bill Cole <
sausers-20150205@billmail.scconsult.com> wrote:

> On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
> Alex <mysqlstudent@gmail.com>
> is rumored to have said:
>
> [...]
> > Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
> > all
> > hitting.
>
> Can you get these to match by re-running the same message with the
> 'spamassassin' script? If so, try it with "-D DMARC" to get all the
> messages from the plugin. They may be illuminating.
>

This is from the example provided earlier today. It says SPF failed(?) but
it hit SPF_PASS

May 26 14:25:12.080 [370198] dbg: DMARC: using Mail::DMARC::PurePerl for
DMARC checks
May 26 14:25:12.146 [370198] dbg: DMARC: result: pass, disposition: none,
dkim: pass, spf: fail (spf: pass, spf_helo: fail)

My suspicion *from a very quick 1st look at the code* is that the logic
> for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
> good' && 'p=reject,' which seems less than useful.
>

Any idea when this bug may have been introduced? It seems like a pretty
serious problem to just be overlooked?

And my confusion was actually only with the comments in the new DMARC.pm
not reflecting 25_dmarc.cf with the new priority settings. It does appear
I'm using the latest.

Hi, just wondering if anyone else has any ideas on how to solve this?

Is everyone with any v4 having problems with DMARC now or is it something
specific to my environment?

On Thu, May 26, 2022 at 2:36 PM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
>
> On Thu, May 26, 2022 at 1:15 PM Bill Cole <
> sausers-20150205@billmail.scconsult.com> wrote:
>
>> On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400)
>> Alex <mysqlstudent@gmail.com>
>> is rumored to have said:
>>
>> [...]
>> > Ugh, and again we already have DKIM_AU and SPF_PASS and DMARC_REJECT
>> > all
>> > hitting.
>>
>> Can you get these to match by re-running the same message with the
>> 'spamassassin' script? If so, try it with "-D DMARC" to get all the
>> messages from the plugin. They may be illuminating.
>>
>
> This is from the example provided earlier today. It says SPF failed(?)
> but it hit SPF_PASS
>
> May 26 14:25:12.080 [370198] dbg: DMARC: using Mail::DMARC::PurePerl for
> DMARC checks
> May 26 14:25:12.146 [370198] dbg: DMARC: result: pass, disposition: none,
> dkim: pass, spf: fail (spf: pass, spf_helo: fail)
>
> My suspicion *from a very quick 1st look at the code* is that the logic
>> for DMARC_REJECT is wrong, in that it seems to mean 'DMARC validation is
>> good' && 'p=reject,' which seems less than useful.
>>
>
> Any idea when this bug may have been introduced? It seems like a pretty
> serious problem to just be overlooked?
>
> And my confusion was actually only with the comments in the new DMARC.pm
> not reflecting 25_dmarc.cf with the new priority settings. It does appear
> I'm using the latest.
>
>
>

On 2022-05-29 14:22, Alex wrote:
> Hi, just wondering if anyone else has any ideas on how to solve this?

see what ?

> Is everyone with any v4 having problems with DMARC now or is it
> something specific to my environment?

spamassassin v4 is not yet released, take it as its not supported yet

Version 4 does have pre-releases out and people are testing it. And yes,
the project needs testers so we will support questions about 4.0 including
the pre-releases and trunk etc. As we work towards a release.

We have been DMARC issues so no, it is not you Are you running the latest
trunk right now? There have been a flurry of patches and some of them are
for this issue.

I think we are having inconsistencies as well right now where the
authentication header or lack thereof results in failing SPF in my
environment soin my environment we are using other parts of the glue for a
solution.

When you look at the FPs for DMARC, are you seeing SPF failures or anything
that you can track?

KAM

On Sun, May 29, 2022, 09:25 Benny Pedersen <me@junc.eu> wrote:

> On 2022-05-29 14:22, Alex wrote:
> > Hi, just wondering if anyone else has any ideas on how to solve this?
>
> see what ?
>
> > Is everyone with any v4 having problems with DMARC now or is it
> > something specific to my environment?
>
> spamassassin v4 is not yet released, take it as its not supported yet
>
>

On 2022-05-29 16:31, Kevin A. McGrail wrote:
> Version 4 does have pre-releases out and people are testing it. And
> yes, the project needs testers so we will support questions about 4.0
> including the pre-releases and trunk etc. As we work towards a
> release.
>
> We have been DMARC issues so no, it is not you Are you running the
> latest trunk right now? There have been a flurry of patches and some
> of them are for this issue.

check.pm from trunk does not work in current 3.4.6, should it ?

> I think we are having inconsistencies as well right now where the
> authentication header or lack thereof results in failing SPF in my
> environment soin my environment we are using other parts of the glue
> for a solution.
>
> When you look at the FPs for DMARC, are you seeing SPF failures or
> anything that you can track?

Spam-Status: No, score=-8.5 required=5.0
tests=DMARC_MISSING,HTML_MESSAGE,
KAM_DMARC_STATUS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
RCVD_IN_HOSTKARMA_W,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE,USER_IN_DEF_SPF_WL autolearn=no autolearn_force=no

i added dmarc plugin to 3.4.6, no problem :=)

note spf here is apache.org not orginal sender domain !!

to understand spf better check diffrent maillist without spf

hope this is common knowledge

On 2022-05-29 at 11:16:12 UTC-0400 (Sun, 29 May 2022 17:16:12 +0200)
Benny Pedersen <me@junc.eu>
is rumored to have said:

> On 2022-05-29 16:31, Kevin A. McGrail wrote:
>> Version 4 does have pre-releases out and people are testing it. And
>> yes, the project needs testers so we will support questions about 4.0
>> including the pre-releases and trunk etc. As we work towards a
>> release.
>>
>> We have been DMARC issues so no, it is not you Are you running the
>> latest trunk right now? There have been a flurry of patches and some
>> of them are for this issue.
>
> check.pm from trunk does not work in current 3.4.6, should it ?

There is no such file in trunk or 3.4.x.

Obviously the project does not support files that are not part of the distribution.

We also make no effort to make code in trunk transplantable into older versions. If you want partial backports of 4.x functions into 3.x you are of course free to do that yourself under the ASF License, but I would not expect that to be supported by the project.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-29 17:58, Bill Cole wrote:

>> check.pm from trunk does not work in current 3.4.6, should it ?
> There is no such file in trunk or 3.4.x.

in 3.4.6 i have

total 964
-r--r--r-- 1 root root 4360 Apr 9 2021 WhiteListSubject.pm
-r--r--r-- 1 root root 16387 Apr 9 2021 WLBLEval.pm
-r--r--r-- 1 root root 5098 Apr 9 2021 VBounce.pm
-r--r--r-- 1 root root 21614 Apr 9 2021 URILocalBL.pm
-r--r--r-- 1 root root 2687 Apr 9 2021 URIEval.pm
-r--r--r-- 1 root root 7396 Apr 9 2021 URIDetail.pm
-r--r--r-- 1 root root 39833 Apr 9 2021 URIDNSBL.pm
-r--r--r-- 1 root root 79563 Apr 9 2021 TxRep.pm
-r--r--r-- 1 root root 16640 Apr 9 2021 TextCat.pm
-r--r--r-- 1 root root 2005 Apr 9 2021 Test.pm
-r--r--r-- 1 root root 8565 Apr 9 2021 SpamCop.pm
-r--r--r-- 1 root root 8385 Apr 9 2021 Shortcircuit.pm
-r--r--r-- 1 root root 31888 Apr 9 2021 SPF.pm
-r--r--r-- 1 root root 9035 Apr 9 2021 Rule2XSBody.pm
-r--r--r-- 1 root root 7081 Apr 9 2021 Reuse.pm
-r--r--r-- 1 root root 4320 Apr 9 2021 ResourceLimits.pm
-r--r--r-- 1 root root 8049 Apr 9 2021 ReplaceTags.pm
-r--r--r-- 1 root root 11424 Apr 9 2021 RelayEval.pm
-r--r--r-- 1 root root 12917 Apr 9 2021 RelayCountry.pm
-r--r--r-- 1 root root 14418 Apr 9 2021 Razor2.pm
-r--r--r-- 1 root root 13201 Apr 9 2021 Pyzor.pm
-r--r--r-- 1 root root 5644 Apr 9 2021 Phishing.pm
-r--r--r-- 1 root root 7429 Apr 9 2021 PhishTag.pm
-r--r--r-- 1 root root 23609 Apr 9 2021 PDFInfo.pm
-r--r--r-- 1 root root 4569 Apr 9 2021 OneLineBodyRuleType.pm
-r--r--r-- 1 root root 27131 Apr 9 2021 OLEVBMacro.pm
-r--r--r-- 1 root root 6470 Apr 9 2021 MIMEHeader.pm
-r--r--r-- 1 root root 20876 Apr 9 2021 MIMEEval.pm
-r--r--r-- 1 root root 12886 Apr 9 2021 ImageInfo.pm
-r--r--r-- 1 root root 34450 Apr 9 2021 HeaderEval.pm
-r--r--r-- 1 root root 10201 Apr 9 2021 Hashcash.pm
-r--r--r-- 1 root root 19445 Apr 9 2021 HashBL.pm
-r--r--r-- 1 root root 3648 Apr 9 2021 HTTPSMismatch.pm
-r--r--r-- 1 root root 5667 Apr 9 2021 HTMLEval.pm
-r--r--r-- 1 root root 11942 Apr 9 2021 FromNameSpoof.pm
-r--r--r-- 1 root root 20365 Apr 9 2021 FreeMail.pm
-r--r--r-- 1 root root 19801 Apr 9 2021 DNSEval.pm
-r--r--r-- 1 root root 53447 Apr 9 2021 DKIM.pm
-r--r--r-- 1 root root 33520 Apr 9 2021 DCC.pm
-r--r--r-- 1 root root 44818 Apr 9 2021 Check.pm
-r--r--r-- 1 root root 35503 Apr 9 2021 BodyRuleBaseExtractor.pm
-r--r--r-- 1 root root 11332 Apr 9 2021 BodyEval.pm
-r--r--r-- 1 root root 55885 Apr 9 2021 Bayes.pm
-r--r--r-- 1 root root 8803 Apr 9 2021 AutoLearnThreshold.pm
-r--r--r-- 1 root root 29117 Apr 9 2021 AskDNS.pm
-r--r--r-- 1 root root 4559 Apr 9 2021 AntiVirus.pm
-r--r--r-- 1 root root 4659 Apr 9 2021 AccessDB.pm
-r--r--r-- 1 root root 19936 Apr 9 2021 AWL.pm
-r--r--r-- 1 root root 17071 Apr 9 2021 ASN.pm

> Obviously the project does not support files that are not part of the
> distribution.

oh dear

> We also make no effort to make code in trunk transplantable into older
> versions. If you want partial backports of 4.x functions into 3.x you
> are of course free to do that yourself under the ASF License, but I
> would not expect that to be supported by the project.

fair thanks

Hi,

We have been DMARC issues so no, it is not you Are you running the latest
> trunk right now? There have been a flurry of patches and some of them are
> for this issue.
>

Yes, just downloaded, compiled, and installed the latest as of this moment
and still seeing the same problems initially. This is from realtor.com,
sent through cons.6130@envfrm.rsys2.com.

X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled

However, when I run it through SA after it's received, it doesn't hit
KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
also continues to hit DKIM_VALID_AU. I don't know how to explain that.

I've changed the rule scores a bit, but have otherwise made no changes.
Perhaps when I ran it manually the timing of the checks were different?

I think we are having inconsistencies as well right now where the
> authentication header or lack thereof results in failing SPF in my
> environment soin my environment we are using other parts of the glue for a
> solution.
>
> When you look at the FPs for DMARC, are you seeing SPF failures or
> anything that you can track?
>

These also typically pass SPF, which is why I suppose my welcomelist_auth
rules continue to work.

There is also a rule update for priority levels. Did you install the
latest rules too?

R

On Sun, May 29, 2022, 12:41 Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> We have been DMARC issues so no, it is not you Are you running the latest
>> trunk right now? There have been a flurry of patches and some of them are
>> for this issue.
>>
>
> Yes, just downloaded, compiled, and installed the latest as of this moment
> and still seeing the same problems initially. This is from realtor.com,
> sent through cons.6130@envfrm.rsys2.com.
>
> X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
> FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
> KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
> POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
> RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
> RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
> TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled
>
> However, when I run it through SA after it's received, it doesn't hit
> KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
> also continues to hit DKIM_VALID_AU. I don't know how to explain that.
>
> I've changed the rule scores a bit, but have otherwise made no changes.
> Perhaps when I ran it manually the timing of the checks were different?
>
> I think we are having inconsistencies as well right now where the
>> authentication header or lack thereof results in failing SPF in my
>> environment soin my environment we are using other parts of the glue for a
>> solution.
>>
>> When you look at the FPs for DMARC, are you seeing SPF failures or
>> anything that you can track?
>>
>
> These also typically pass SPF, which is why I suppose my welcomelist_auth
> rules continue to work.
>
>
>

Hi,

On Sun, May 29, 2022 at 8:10 PM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> There is also a rule update for priority levels. Did you install the
> latest rules too?
>

Yes, sa-update runs every day. Last run was 00:29 this morning.

>We have been DMARC issues so no, it is not you Are you running the latest
>> trunk right now? There have been a flurry of patches and some of them are
>> for this issue.

On 29.05.22 12:41, Alex wrote:
>Yes, just downloaded, compiled, and installed the latest as of this moment
>and still seeing the same problems initially. This is from realtor.com,
>sent through cons.6130@envfrm.rsys2.com.
>
>X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1,
> FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_DMARC_REJECT=1,
> KAM_REALLYHUGEIMGSRC=0.5, LOC_MKTING=0.25, MIME_HTML_ONLY=0.1,
> POISEN_SPAM_PILL=0.1, POISEN_SPAM_PILL_1=0.1,
> RCVD_IN_HOSTKARMA_W=-2.5, RCVD_IN_SENDERSCORE_90_100=-0.6,
> RELAYCOUNTRY_US=0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
> TXREP=0.714, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled

did you reload/restart amavis after installing new SA?
This header is added by amavis which uses SA libraries internally.

>However, when I run it through SA after it's received, it doesn't hit
>KAM_DMARC_REJECT or DMARC_REJECT. In fact, it hits DMARC_PASS. It
>also continues to hit DKIM_VALID_AU. I don't know how to explain that.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.