Mailing List Archive

_DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
>>>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT

On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>I'm not sure it should be done with _DKIMDOMAIN_, it's described to
>contain all valid signatures:
>
> _DKIMDOMAIN_
> Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>
>
>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>
>I have checked with one of mails in my archive and added to user_prefs
>add_header all dkimdomain _DKIMDOMAIN_
>
>the result:
>
>Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
> dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>From: Zebra Blinds <info@threecollectivemarketing.com>
>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>
>so I guess the rules published on https://www.dnswl.org/?p=311
>are invalid
>
>... unless _DKIMDOMAIN_ is used as array - multiple times

I have found other rules using _DKIMDOMAIN_:

20_dnsbl_tests.cf:#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT

72_active.cf:askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
72_active.cf:askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
72_active.cf:askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
72_active.cf:askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
72_active.cf:askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
72_active.cf:askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
72_active.cf:askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/


perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
with DKIM_VALID_AU.

can these checks be made the way DNS queries are done only when DKIM_VALID_AU
matches?

perhaps playing with priority

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
Hello,

just bumping this if anyone has an idea how to process DKIMWL and spamhaus DWL
in a more efficient manner.

On 01.10.22 16:42, Matus UHLAR - fantomas wrote:
>>>>> askdns LOCAL_DNSWL_IN_DWL _DKIMDOMAIN_.dwl.dnswl.org TXT
>
>On 30.09.22 20:57, Matus UHLAR - fantomas wrote:
>>I'm not sure it should be done with _DKIMDOMAIN_, it's described to
>>contain all valid signatures:
>>
>> _DKIMDOMAIN_
>> Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures;
>>
>>
>>the rule should be used with from domain, and only when DKIM_VALID_AU applies.
>>
>>I have checked with one of mails in my archive and added to user_prefs
>>add_header all dkimdomain _DKIMDOMAIN_
>>
>>the result:
>>
>>Authentication-Results: fantomas.fantomas.sk;
>> dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
>> dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
>>From: Zebra Blinds <info@threecollectivemarketing.com>
>>X-Spam-dkimdomain: threecollectivemarketing.com mx-router-i.com
>>
>>so I guess the rules published on https://www.dnswl.org/?p=311
>>are invalid
>>
>>... unless _DKIMDOMAIN_ is used as array - multiple times
>
>I have found other rules using _DKIMDOMAIN_:
>
>20_dnsbl_tests.cf:#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
>
>72_active.cf:askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
>72_active.cf:askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
>72_active.cf:askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
>72_active.cf:askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
>72_active.cf:askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
>72_active.cf:askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
>72_active.cf:askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
>
>
>perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and
>AND-ed with DKIM_VALID_AU.
>
>can these checks be made the way DNS queries are done only when
>DKIM_VALID_AU matches?
>
>perhaps playing with priority

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
Matus UHLAR - fantomas skrev den 2022-10-07 10:59:

> just bumping this if anyone has an idea how to process DKIMWL and spamhaus
> DWL in a more efficient manner.

there is no data in dwl.spamhaus.org but the rule for testing is still
in current spamassassin as disabled rule

grep -r dwl ...
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
>Matus UHLAR - fantomas skrev den 2022-10-07 10:59:
>>just bumping this if anyone has an idea how to process DKIMWL and
>>spamhaus DWL in a more efficient manner.

On 07.10.22 14:35, Benny Pedersen wrote:
>there is no data in dwl.spamhaus.org but the rule for testing is still
>in current spamassassin as disabled rule

I must write it again because you have removed the important part:

the rule is apparently invalid.

the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
multiple valid keys.

the same applies for DKIMWL rules.

the _AUTHORDOMAIN_ should be used instead.


further:

these rules should be imho only used if DKIM_VALID_AU matches, because
there's no point to check DWL/DKIMWL if the mail is not (correctly)
DKIM-signed with sender domain, but with any other domain no matter if it's
listed.

we could possibly spare DWL lookup.


... unless the point of DWL and DKIMWL is to increase score for mail DKIM-signed
with domain in particular list, even if the domain in From: does not match
the one listed.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
>
> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
> multiple valid keys.

Not a problem, as AskDNS doc says:

"Tags which produce multiple values will result in multiple queries
launched, each with an expanded template using one of the tag values. An
example is a DKIMDOMAIN tag which yields a list of signing domains, one for
each valid signature in a signed message."

_DKIMDOMAIN_ contains verified domains.

_AUTHORDOMAIN_ is simply the From: address without any verification. It has
nothing to do with DKIM. So it would make no sense to use this.
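
The difference between the two tags, worked through on the headers quoted in the first message of this thread. This is an added illustration, not SpamAssassin code and not part of any post. It reads the Authentication-Results header as a stand-in for the plugin's own signature verification; the function names, the `authserv_id` check and the approximation of DKIM_VALID_AU as an exact match between a valid d= domain and the From: domain are assumptions.

```python
import re

# Headers as quoted in the thread above; the only input this sketch reads.
SAMPLE = """\
Authentication-Results: fantomas.fantomas.sk;
 dkim=pass (2048-bit key; unprotected) header.d=threecollectivemarketing.com header.i=info@threecollectivemarketing.com header.a=rsa-sha256 header.s=ipz header.b=LJOUNANX;
 dkim=pass (2048-bit key; unprotected) header.d=mx-router-i.com header.i=@mx-router-i.com header.a=rsa-sha256 header.s=ipzs2 header.b=qAQp4Ntr;
From: Zebra Blinds <info@threecollectivemarketing.com>
"""

def header_lines(raw):
    """Unfold continuation lines so each header is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def dkim_domains(raw, authserv_id):
    """d= of every dkim=pass result stamped by our own verifier (like _DKIMDOMAIN_)."""
    found = []
    for line in header_lines(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        # Comments such as "(2048-bit key; unprotected)" contain ';', drop them first.
        parts = [p.strip() for p in re.sub(r"\([^()]*\)", "", value).split(";")]
        if parts[0].lower() != authserv_id.lower():
            continue  # header not written by our verifier: do not trust it
        for clause in parts[1:]:
            m = re.search(r"\bheader\.d=(\S+)", clause, re.I)
            if m and re.match(r"dkim\s*=\s*pass\b", clause, re.I):
                if m.group(1).lower() not in found:
                    found.append(m.group(1).lower())
    return found

def author_domain(raw):
    """Domain of the From: address, taken as-is with no verification (like _AUTHORDOMAIN_)."""
    for line in header_lines(raw):
        m = re.match(r"from:.*@([a-z0-9.-]+)", line, re.I)
        if m:
            return m.group(1).lower()
    return None

def plan(raw, authserv_id, zone="dwl.dnswl.org"):
    """Query names each tag would generate, one name per tag value."""
    signers, author = dkim_domains(raw, authserv_id), author_domain(raw)
    return {
        "dkimdomain_queries": [f"{d}.{zone}" for d in signers],
        "authordomain_queries": [f"{author}.{zone}"] if author else [],
        # Assumption: DKIM_VALID_AU approximated as "a valid d= equals the From: domain".
        "valid_au": author in signers,
    }
```

For the quoted message, `plan(SAMPLE, "fantomas.fantomas.sk")` yields two `_DKIMDOMAIN_` query names and one `_AUTHORDOMAIN_` name; changing only the From: domain leaves the signer queries unchanged while `valid_au` becomes false.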
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
>
> perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
> with DKIM_VALID_AU.
>
> can these checks be made the way DNS queries are done only when
> DKIM_VALID_AU matches?
>
> perhaps playing with priority

It's not possible to use priority with askdns. The rule is launched then
the all dependent tags are set, nothing more, nothing less.

So there would have to be a _DKIMAUTHORDOMAIN_ or such, which would be set
from From: address when valid DKIM author sig is found. This would
obviously require changing DKIM.pm plugin code to set it.

Other than that, I have no idea if something like that would be useful, I
leave that up for others to ponder.
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
On Fri, Oct 07, 2022 at 04:41:57PM +0300, Henrik K wrote:
> It's not possible to use priority with askdns. The rule is launched then
> the all dependent tags are set, nothing more, nothing less.

... obvious typo but just to clarify, _when_ all tags are set..
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_
>On Fri, Oct 07, 2022 at 03:01:17PM +0200, Matus UHLAR - fantomas wrote:
>> the _DKIMDOMAIN_ can contain multiple domains if mail is signed using
>> multiple valid keys.

On 07.10.22 16:35, Henrik K wrote:
>Not a problem, as AskDNS doc says:
>
>"Tags which produce multiple values will result in multiple queries
>launched, each with an expanded template using one of the tag values. An
>example is a DKIMDOMAIN tag which yields a list of signing domains, one for
>each valid signature in a signed message."

oh, I should better read docs then

>_DKIMDOMAIN_ contains verified domains.
>
>_AUTHORDOMAIN_ is simply the From: address without any verification. It has
>nothing to do with DKIM. So it would make no sense to use this.

as I understand it, it only makes sense to lookup domain in From:
(_AUTHORDOMAIN_) and only when the mail is DKIM-signed with this domain.
That means, it only makes sense when DKIM_VALID_AU matches.

unless, of course, we want to decrease score in case an e-mail has a valid DKIM
signature from any listed domain, no matter if it comes from that domain or
not.
- but I don't think this is the case.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
>On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
>> perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
>> with DKIM_VALID_AU.
>>
>> can these checks be made the way DNS queries are done only when
>> DKIM_VALID_AU matches?
>>
>> perhaps playing with priority

On 07.10.22 16:41, Henrik K wrote:
>It's not possible to use priority with askdns. The rule is launched then
>the all dependent tags are set, nothing more, nothing less.

I see bug 7735 now and am curious if the change only affects order of rule
calling or calling them at all.

So, if I make meta rule dependent on other rules:

meta DOMAIN_IN_DNSWL_DWL (DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
askdns __DOMAIN_IN_DNSWL_DWL _AUTHORDOMAIN_.dwl.dnswl.org TXT
describe __DOMAIN_IN_DNSWL_DWL author domain is listed in dwl.dnswl.org

will __DOMAIN_IN_DNSWL_DWL always be called?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: _DKIMDOMAIN_ vs. _AUTHORDOMAIN_ (was: Re: dnswl dwl rule)
On Tue, Oct 11, 2022 at 11:52:17AM +0200, Matus UHLAR - fantomas wrote:
> > On Sat, Oct 01, 2022 at 04:42:09PM +0200, Matus UHLAR - fantomas wrote:
> > > perhaps these all should replace _DKIMDOMAIN_ by _AUTHORDOMAIN_ and AND-ed
> > > with DKIM_VALID_AU.
> > >
> > > can these checks be made the way DNS queries are done only when
> > > DKIM_VALID_AU matches?
> > >
> > > perhaps playing with priority
>
> On 07.10.22 16:41, Henrik K wrote:
> > It's not possible to use priority with askdns. The rule is launched then
> > the all dependent tags are set, nothing more, nothing less.
>
> I see bug 7735 now and am curious if the change only affects order of rule
> calling or calling them at all.

It has no relevance on rule order or calling. It just affects when meta
rule result will be evaluated.

> So, if I make meta rule dependent on other rules:
>
> meta DOMAIN_IN_DNSWL_DWL (DKIM_VALID_AU && __DOMAIN_IN_DNSWL_DWL)
> askdns __DOMAIN_IN_DNSWL_DWL _AUTHORDOMAIN_.dwl.dnswl.org TXT
> describe __DOMAIN_IN_DNSWL_DWL author domain is listed in dwl.dnswl.org
>
> will __DOMAIN_IN_DNSWL_DWL always be called?

__DOMAIN_IN_DNSWL_DWL is a standalone askdns rule. It does not know about
anything metas or stuff that depends on it, so yes it's always called.
Network lookups are generally always launched at the start of the scan
(priority -100 to be exact), and results are checked later on when answer
arrives. If you are hoping to prevent unnecessary DNS query, it's not
possible.