On 2023-09-26 at 20:42:28 UTC-0400 (Tue, 26 Sep 2023 20:42:28 -0400)
Alex <mysqlstud...@gmail.com>
is rumored to have said:
Hi,
All the way back in 2016, RW posted these rules on pastebin for DMARC,
before it was part of SA proper:
https://pastebin.com/gr41CvCc
Is this effectively what's been implemented in functions in the latest SA?
No. SA does not have that jumble of rules.
The scores from the above are a lot more aggressive than what's currently
in SA 50_rules - if DMARC fails and it instructs to quarantine, isn't that
what it should do, and not just add on a few points?
Quarantine is a silly concept. Users hate it in practice. SpamAssassin
does not implement any form of quarantine. This is not because it's a
bad idea, but because SA doesn't implement ANY handling of delivery and
storage.
However, nothing stops anyone from implementing a quarantine and
deciding what goes there based on SA scores. I ran a largish system like
that for some years, implemented in MIMEDefang. Users never touched
their quarantines...
score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2
score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2
score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2
This became an issue for me when I received an email from ny.frb.org.
Because the email hit BAYES_00, the DMARC rule only added 0.1 points.
That's not how different scores for different rulesets work. Bayes
scores do not affect which ruleset score is used, only whether or not
Bayes is enabled. DMARC rules are inherently 'net' rules so if you use
DMARC and Bayes AT ALL you will use ruleset 3: bayes+net.
It also appeared that the email passed SPF,
"Appeared" based on what?
so I'm really not sure how it even failed DMARC.
X-Envelope-From: <frb.advicemail...@ny.frb.org>>
Really? An extra '>'??? That shouldn't get through any MTA...
I assume that's some sort of typo. In which case, SPF passing for that
sender and the client IP would be relevant to DMARC *if and only if* the
From *header* address is in the same domain. SPF passing for a sender
address domain that is different from the From header is useless for
DMARC.
...
X-Spam-Status: Yes, score=8.613 tag=-200 tag2=5 kill=5
tests=[BAYES_00=-1.9,
DMARC_FAIL_REJECT=5.5, DMARC_REJECT=0.1, DMARC_REJ_NO_DKIM=1,
FORGED_SPF_HELO=1, KAM_DMARC_REJECT=1, KAM_DMARC_STATUS=0.01,
KAM_LAZY_DOMAIN_SECURITY=1, RELAYCOUNTRY_US=0.01,
SPF_HELO_PASS=-0.001,
TXREP=0.874, T_DMARC_POLICY_REJECT=0.01, T_DMARC_TESTS_FAIL=0.01]
autolearn=disabled
I do not see SPF_PASS there, so at the time it was checked, SA did not
think SPF for the sender address and client IP passed. SPF_HELO_PASS is
not relevant.
X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.0 T_DMARC_POLICY_REJECT No description available.
* 1.0 DMARC_REJ_NO_DKIM MARC policy is reject without any DKIM
signatures
* 0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
* Alignment
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 0.0 RELAYCOUNTRY_US Relayed through United States
* 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
* anti-forgery methods
* 1.0 FORGED_SPF_HELO No description available.
* 5.5 DMARC_FAIL_REJECT DMARC validation failed and policy is to
reject
* 0.0 T_DMARC_TESTS_FAIL No description available.
* 1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
message
* and the domain has a DMARC reject policy
* 0.1 DMARC_REJECT DMARC reject policy
* 0.9 TXREP TXREP: Score normalizing based on sender's reputation
...
X-Spam-RelaysUntrusted: [ ip=199.30.234.79
rdns=spfdal-b.zixsmbhosted.com
The 199.30.234.79 IP is in the SPF record:
$ dig txt ny.frb.org|grep v=spf1
ny.frb.org. 3593 IN TXT "v=spf1
ip4:199.169.200.4
ip4:199.169.204.4 ip4:199.169.240.69 ip4:199.169.208.69
ip4:199.169.174.2
ip4:170.209.35.2 ip4:199.30.234.56/29 ip4:74.203.184.208/30 ip4:
199.30.234.64/26 ip4:199.30.234.192/27 ip4:74.203.184.32/27 ip4:
68.142.184.144/28 ip4:68.142" ".185.0/25 ip4:209.190.248.144/28
ip4:199.169.200.5 ip4:152.70.150.118 ip4:129.213.11.79 exists:%{i}.
spf.frb.iphmx.com include:_spf.qualtrics.com
include:service.govdelivery.com
include:amazonses.com ~all"
There seems to be a lot wrong here. I'd appreciate some pointers on what's
going on. Of course I realize it's my choice to add the other DMARC rules
and scores on top of the default, but the default scores don't make sense
to me.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
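As an added illustration of the alignment point made in the reply above (this is example code written for this note, not SpamAssassin's DMARC plugin or anything from the list), the check below applies the RFC 7489 rule: an SPF pass only counts toward DMARC when the MAIL FROM domain aligns with the From header domain, and a HELO-only SPF pass never counts. The organizational-domain step is a stated simplification (last two labels instead of the Public Suffix List).

```python
"""DMARC identifier-alignment check, written to illustrate the thread above.
Not SpamAssassin's code.  Assumption: organizational domain is approximated
as the last two labels (real DMARC uses the Public Suffix List, so this
gets suffixes like co.uk wrong)."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (no PSL lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact domain match; relaxed ('r')
    only needs the same organizational domain."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str                 # RFC5322.From domain (what DMARC protects)
    mailfrom_domain: str = ""        # RFC5321.MailFrom domain SPF was checked for
    spf: str = "none"                # SPF result for MailFrom: pass/fail/softfail/none
    helo_spf: str = "none"           # SPF result for HELO; ignored by DMARC
    dkim: list = field(default_factory=list)  # list of (d= domain, result)


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if at least one authenticated identifier (aligned SPF
    MailFrom or aligned DKIM d=) passes.  helo_spf is deliberately unused,
    which is why SA's SPF_HELO_PASS tells you nothing about DMARC."""
    spf_ok = (r.spf == "pass" and bool(r.mailfrom_domain)
              and aligned(r.from_domain, r.mailfrom_domain, aspf))
    dkim_ok = any(res == "pass" and aligned(r.from_domain, d, adkim)
                  for d, res in r.dkim)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: str, **align) -> str:
    """Map the DMARC verdict onto the published p= policy (none/quarantine/reject)."""
    return "pass" if dmarc_pass(r, **align) else policy
```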