Hi,
All the way back in 2016, RW posted these rules on pastebin for DMARC,
before it was part of SA proper:
https://pastebin.com/gr41CvCc
Is this effectively what's been implemented in functions in the latest SA?
The scores from the above are a lot more aggressive than what's currently
in SA 50_rules - if DMARC fails and it instructs to quarantine, isn't that
what it should do, and not just add on a few points?
score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2
score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2
score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2
This became an issue for me when I received an email from ny.frb.org.
Because the email hit BAYES_00, the DMARC rule only added 0.1 points. It
also appeared that the email passed SPF, so I'm really not sure how it even
failed DMARC.
X-Envelope-From: <frb.advicemailbox@ny.frb.org>>
...
X-Spam-Status: Yes, score=8.613 tag=-200 tag2=5 kill=5 tests=[.BAYES_00=-1.9,
DMARC_FAIL_REJECT=5.5, DMARC_REJECT=0.1, DMARC_REJ_NO_DKIM=1,
FORGED_SPF_HELO=1, KAM_DMARC_REJECT=1, KAM_DMARC_STATUS=0.01,
KAM_LAZY_DOMAIN_SECURITY=1, RELAYCOUNTRY_US=0.01, SPF_HELO_PASS=-0.001,
TXREP=0.874, T_DMARC_POLICY_REJECT=0.01, T_DMARC_TESTS_FAIL=0.01]
autolearn=disabled
X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.0 T_DMARC_POLICY_REJECT No description available.
* 1.0 DMARC_REJ_NO_DKIM MARC policy is reject without any DKIM signatures
* 0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
* Alignment
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 0.0 RELAYCOUNTRY_US Relayed through United States
* 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
* anti-forgery methods
* 1.0 FORGED_SPF_HELO No description available.
* 5.5 DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
* 0.0 T_DMARC_TESTS_FAIL No description available.
* 1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy
* 0.1 DMARC_REJECT DMARC reject policy
* 0.9 TXREP TXREP: Score normalizing based on sender's reputation
...
X-Spam-RelaysUntrusted: [ ip=199.30.234.79 rdns=spfdal-b.zixsmbhosted.com
The 199.30.234.79 IP is in the SPF record:
$ dig txt ny.frb.org|grep v=spf1
ny.frb.org. 3593 IN TXT "v=spf1 ip4:199.169.200.4
ip4:199.169.204.4 ip4:199.169.240.69 ip4:199.169.208.69 ip4:199.169.174.2
ip4:170.209.35.2 ip4:199.30.234.56/29 ip4:74.203.184.208/30 ip4:
199.30.234.64/26 ip4:199.30.234.192/27 ip4:74.203.184.32/27 ip4:
68.142.184.144/28 ip4:68.142" ".185.0/25 ip4:209.190.248.144/28
ip4:199.169.200.5 ip4:152.70.150.118 ip4:129.213.11.79 exists:%{i}.
spf.frb.iphmx.com include:_spf.qualtrics.com include:service.govdelivery.com
include:amazonses.com ~all"
There seems to be a lot wrong here. I'd appreciate some pointers on what's
going on. Of course I realize it's my choice to add the other DMARC rules
and scores on top of the default, but the default scores don't make sense
to me.
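For anyone untangling the SPF_HELO_PASS-but-DMARC-fail combination above: DMARC takes its SPF input from the MAIL FROM identity (HELO is used only when MAIL FROM is empty, RFC 7489 section 4.1), and either that SPF pass or a verified DKIM d= domain must align with the header From domain. The following is an added worked example of that evaluation, not SpamAssassin code and not from the original post; the organizational-domain rule is a deliberate two-label simplification, and the domains, field names and sample message are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real evaluators consult the Public Suffix List; this is a simplification."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identity_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' compares organizational domains."""
    a, b = identity_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

@dataclass
class AuthResults:
    from_domain: str                    # RFC5322.From domain, the identity DMARC protects
    mail_from_domain: Optional[str]     # RFC5321.MailFrom domain; None when empty (bounces)
    helo_domain: str                    # RFC5321.HELO domain
    spf_mail_from: str                  # SPF result for MailFrom ("pass", "fail", "none", ...)
    spf_helo: str                       # SPF result for HELO
    dkim_pass_domains: Tuple[str, ...]  # d= of each DKIM signature that verified

def dmarc_evaluate(r: AuthResults, policy: dict) -> Tuple[str, str]:
    """Return (result, disposition): result is 'pass'/'fail'; disposition is the
    record's p= only when the check fails. policy is a parsed DMARC record, e.g.
    {"p": "reject", "aspf": "r", "adkim": "r"}."""
    aspf, adkim = policy.get("aspf", "r"), policy.get("adkim", "r")
    # RFC 7489 section 4.1: DMARC consumes the SPF result for MailFrom; HELO is used
    # only when MailFrom is empty. A HELO pass on an ordinary message therefore
    # does not satisfy DMARC by itself, however many SPF-HELO rules fire.
    if r.mail_from_domain:
        spf_ok = r.spf_mail_from == "pass" and aligned(r.mail_from_domain, r.from_domain, aspf)
    else:
        spf_ok = r.spf_helo == "pass" and aligned(r.helo_domain, r.from_domain, aspf)
    dkim_ok = any(aligned(d, r.from_domain, adkim) for d in r.dkim_pass_domains)
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return result, ("none" if result == "pass" else policy.get("p", "none"))

# Constructed sample: relay HELO passes SPF, but no SPF pass for MailFrom and no DKIM.
SAMPLE = AuthResults(
    from_domain="ny.example.com", mail_from_domain="ny.example.com",
    helo_domain="mx1.bulk-relay.example.net", spf_mail_from="none", spf_helo="pass",
    dkim_pass_domains=(),
)
SAMPLE_POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}

if __name__ == "__main__":
    print(dmarc_evaluate(SAMPLE, SAMPLE_POLICY))  # ('fail', 'reject')
```

Swap the constructed fields for the values from a real message's Authentication-Results header to see which identity each rule was actually judging.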