Shot for sharing, David!!!

Regards
Brent Clark
P.s. I wonder what other tricks you have up your sleeve that you would be willing to share. :)

On 2019/05/10 16:48, David Jones wrote:
On 5/10/19 1:52 AM, Pedro David Marco wrote:
Hi Kurt,


On the contrary, most spam I see is valid DKIM signed...   tons of
hacked sites... tons of emails from free trials of big-cheeses...

Nevertheless...

meta     NO_DKIM_SIGNED    !DKIM_SIGNED
score    NO_DKIM_SIGNED    2
describe NO_DKIM_SIGNED    Email does not have DKIM signature


That alone is too risky to score alone and should be used in a meta rule
like this:

meta     SPAM_NOT_DKIM_SIGNED    !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC || OTHER_RULE_COMMONLY_SEEN_AS_SPAM)
score    SPAM_NOT_DKIM_SIGNED    2
describe SPAM_NOT_DKIM_SIGNED    Spammy characteristics and not DKIM signed


Pedro.

----------------
>
> On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner
> <k...@va1der.ca> wrote:
>
> I've noticed on my mail server that DKIM signing is almost diagnostic of
> spam.  Almost no legitimate sender is without DKIM, and about 90% of my
> spam is unsigned, so I want to bias non-DKIM-signed heavily towards
> spam.  To that end I was wondering if there are any built-in rules I can
> activate to score emails that are not DKIM-signed? I'd rather use a
> built-in rule than roll my own.

I caution against this since non-DKIM signed email has no relation to
spam or ham.  How did you come up with the "about 90%" number?  Did you
grep logs to get real numbers over a couple of months?

Any compromised account from Office 365 (and there are a lot) is going
to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which
means absolutely nothing when determining ham/spam.  All that means is
it was signed by Microsoft mail servers on the way out.  If DKIM_VALID
was hit, then it means the spam wasn't modified.
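David's question is whether the "about 90%" figure came from grepping logs. As an added example (not code from this thread or from SpamAssassin itself), the Python script below does that tally over an excerpt of spamd's "result:" log lines, reporting how often Pedro's NO_DKIM_SIGNED and David's SPAM_NOT_DKIM_SIGNED would each fire on spam versus ham. The log lines are constructed for the example; the rule names are the ones used in the thread, and the companion-rule set leaves out the OTHER_RULE_COMMONLY_SEEN_AS_SPAM placeholder because it names no real rule.

```python
import re
from collections import Counter

# Constructed spamd log excerpt (not from any real server). The
# "spamd: result:" line layout follows what SpamAssassin's spamd logs:
#   result: <Y|N> <score> - <comma-separated rule hits> scantime=...,size=...
# Y/N is spamd's own verdict; the sample is arranged so that the verdict
# also stands in for what a manual review of the mailbox would say.
SAMPLE_LOG = """\
May 10 08:12:01 mx spamd[1234]: spamd: result: Y 9.1 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE scantime=0.4,size=2210,user=mail
May 10 08:13:15 mx spamd[1234]: spamd: result: Y 7.0 - MISSING_HEADERS,RDNS_DYNAMIC scantime=0.3,size=1180,user=mail
May 10 08:15:42 mx spamd[1234]: spamd: result: Y 6.2 - FSL_BULK_SIG,HTML_MESSAGE scantime=0.5,size=9800,user=mail
May 10 08:20:09 mx spamd[1234]: spamd: result: Y 8.4 - DKIM_SIGNED,DKIM_VALID,RDNS_DYNAMIC scantime=0.4,size=3100,user=mail
May 10 08:22:51 mx spamd[1234]: spamd: result: Y 5.5 - MISSING_HEADERS scantime=0.2,size=700,user=mail
May 10 08:25:03 mx spamd[1234]: spamd: result: N 0.2 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE scantime=0.4,size=4400,user=mail
May 10 08:27:30 mx spamd[1234]: spamd: result: N 1.1 - HTML_MESSAGE scantime=0.3,size=1500,user=mail
May 10 08:31:18 mx spamd[1234]: spamd: result: N 0.8 - DKIM_SIGNED,HTML_MESSAGE scantime=0.4,size=2600,user=mail
May 10 08:33:57 mx spamd[1234]: spamd: result: N -0.1 - scantime=0.2,size=900,user=mail
May 10 08:34:10 mx spamd[1234]: connection from localhost [127.0.0.1]:51234 to port 783, fd 5
"""

# Rule names are upper-case in SpamAssassin, which lets the optional rules
# group stay empty (instead of swallowing "scantime") when no rule hit.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[YN]) (?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<rules>[A-Z0-9_,]+)?\s*scantime="
)


def parse_spamd_results(log_text):
    """Return [(is_spam, score, rules)] for every 'spamd: result:' line.

    Non-result lines (connection notices etc.) are skipped. A message that
    hit no rules at all logs nothing between '-' and 'scantime', which
    becomes an empty rule set rather than a parse error.
    """
    records = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        rules = frozenset(m["rules"].split(",")) if m["rules"] else frozenset()
        records.append((m["verdict"] == "Y", float(m["score"]), rules))
    return records


# The two candidate rules from the thread, as predicates over the set of
# rule names a message hit. Only the three concrete companion rules named
# in the thread are listed; the placeholder rule is omitted.
SPAMMY_COMPANIONS = frozenset({"MISSING_HEADERS", "FSL_BULK_SIG", "RDNS_DYNAMIC"})


def no_dkim_signed(rules):
    """meta NO_DKIM_SIGNED  !DKIM_SIGNED"""
    return "DKIM_SIGNED" not in rules


def spam_not_dkim_signed(rules):
    """meta SPAM_NOT_DKIM_SIGNED  !DKIM_SIGNED && (MISSING_HEADERS || FSL_BULK_SIG || RDNS_DYNAMIC)"""
    return "DKIM_SIGNED" not in rules and not rules.isdisjoint(SPAMMY_COMPANIONS)


def hit_rates(records, predicate):
    """(spam_rate, ham_rate): fraction of spam and of ham where predicate(rules) holds."""
    hits, totals = Counter(), Counter()
    for is_spam, _score, rules in records:
        bucket = "spam" if is_spam else "ham"
        totals[bucket] += 1
        if predicate(rules):
            hits[bucket] += 1

    def rate(bucket):
        return hits[bucket] / totals[bucket] if totals[bucket] else 0.0

    return rate("spam"), rate("ham")


def compare_candidates(log_text=SAMPLE_LOG):
    """Hit rates of both candidate rules on spam and on ham, keyed by rule name."""
    records = parse_spamd_results(log_text)
    return {
        "NO_DKIM_SIGNED": hit_rates(records, no_dkim_signed),
        "SPAM_NOT_DKIM_SIGNED": hit_rates(records, spam_not_dkim_signed),
    }


if __name__ == "__main__":
    for name, (spam_rate, ham_rate) in compare_candidates().items():
        print(f"{name:22s} fires on {spam_rate:.0%} of spam and {ham_rate:.0%} of ham")
```

On the constructed sample both rules catch the same 60% of spam, but NO_DKIM_SIGNED also fires on half the ham while the meta rule fires on none of it, which is the false-positive exposure David is warning about. Against a real server, feed it a couple of months of spamd logs and compare the ham column before deciding on a score.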
