Matus UHLAR - fantomas <uh...@fantomas.sk> writes:

> I noticed that pure existence of DKIM signature can push score under zero:
>
> DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
>
> ...so the cumulative score is -0.2.
>
> I'm aware that we don't have many rules with negative scores, but multiple
> scores for single valid DKIM signature should not be redundant.

I don't follow the logic in "should not be redundant" especially for scores with such low values of -0.1. You're talking about "below 0", but what matters is "<5", per SA doctrine.

As I see it SIGNED and VALID are intended to cancel, causing a signature that isn't valid to get a +0.1. That seems sensible, although given how much DKIM is broken by mailing lists that (incorrectly IMHO) modify messages, it doesn't seem really useful to make that higher.

And then there's -0.1 for a valid dkim matching From: and another -0.1 for valid dkim matching the envelope sender, which is often different.

So -0.2 means that there are two dkim signatures, one for each, and they are both valid. Not a guarantee of ham of course, but -0.2 is a small score.

It's a fair question to ask how these shake out with masscheck, but I see nothing intrinsically wrong.

> do you people modify scores of these rules?
> I would turn both off, but DKIM_VALID is used in some meta rules...

I am someone who tweaks a lot of scores, but basically my tweaking reduces scores of +3 or more down a few points because I find they hit ham, and scoring up things of 1-2 to higher because they hit my spam and I find they don't really hit my ham. I have never been motivated to adjust these.

For me, the biggest deal with dkim is that I can whitelist_from_dkim for senders, and avoid whitelisting forged mail not actually from them.

> BTW, looking at metas in 72_active.cf:
>
> meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE
> && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
> meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE
> && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
>
> !DKIM_VALID && !DKIM_VALID_AU is redundant and !DKIM_VALID_AU should be enough

I don't think so. These are negated. And, a dkim signature from some random domain that is not the From: or envelope-from will cause DKIM_VALID.

But I do think !DKIM_VALID will imply !DKIM_VALID_AU.

Still, I'm 50/50 whether I'm right or I'm about to learn something.

> meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST &&
> !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED &&
> !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
>
> meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH ||
> ALL_TRUSTED # yes DKIM, no SPF
> meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH
> || ALL_TRUSTED # yes DKIM, yes SPF
>
> shouldn't these contain DKIM_VALID_AU instead?

Perhaps, but the problem is that there is a lot of mail that is From: i...@foobank.com and has envelope-from of foobank-sen...@bankserviceprovider.com with a dkim from bankserviceprovider.com. This is bogus; people who deal with foobank.com should be able to whitelist_from_dkim *@foobank.com and treat everything else claiming to be from foobank as spam/phish. But the world isn't like that.
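Added example (not part of the thread, and not SpamAssassin code): a truth-table check of the redundancy question discussed above, using the scores quoted in the message. It assumes that DKIM_VALID_AU and DKIM_VALID_EF can only hit together with DKIM_VALID, and DKIM_VALID only together with DKIM_SIGNED; the small evaluator is hypothetical and handles only the !, && and || operators seen in the quoted metas.

```python
import itertools
import re

SCORES = {"DKIM_SIGNED": 0.1, "DKIM_VALID": -0.1,      # scores as quoted
          "DKIM_VALID_AU": -0.1, "DKIM_VALID_EF": -0.1}  # in the thread

def evaluate(expr, hits):
    """Evaluate a meta expression built from !, && and || against a set of hits."""
    tokens = re.findall(r"&&|\|\||!|\w+", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unsupported syntax: " + expr)
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def unary():                       # '!' binds tightest
        tok = take()
        return (not unary()) if tok == "!" else tok in hits
    def and_expr():                    # '&&' binds tighter than '||'
        val = unary()
        while pos < len(tokens) and tokens[pos] == "&&":
            take()
            rhs = unary()              # always consume the operand
            val = val and rhs
        return val
    val = and_expr()
    while pos < len(tokens) and tokens[pos] == "||":
        take()
        rhs = and_expr()
        val = val or rhs
    return val

def consistent_states():
    """Hit sets allowed by the assumption AU or EF => VALID => SIGNED."""
    for bits in itertools.product([False, True], repeat=len(SCORES)):
        hits = {rule for rule, bit in zip(SCORES, bits) if bit}
        if hits & {"DKIM_VALID_AU", "DKIM_VALID_EF"} and "DKIM_VALID" not in hits:
            continue
        if "DKIM_VALID" in hits and "DKIM_SIGNED" not in hits:
            continue
        yield hits

def equivalent(a, b):
    """True if two meta expressions agree on every consistent state."""
    return all(evaluate(a, h) == evaluate(b, h) for h in consistent_states())

def total(hits):  # cumulative score of the DKIM rules that hit
    return round(sum(SCORES[rule] for rule in hits), 1)
```

Under these assumptions, equivalent("!DKIM_VALID && !DKIM_VALID_AU", "!DKIM_VALID") holds, while the same comparison against "!DKIM_VALID_AU" fails on a message whose only valid signature is from an unrelated domain.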