On 17.11.23 11:19, natan wrote:
How does it really, really work in SA? I ask because it's not working so well:

example:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 1
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 0.5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif

Note that SPF uses envelope from domain while DKIM uses header From, so it must be combined with HEADER_FROM_DIFFERENT_DOMAINS so something like:

meta DMARC_REJECT __DMARC_POLICY_REJECT && !(DKIM_VALID_AU || (SPF_PASS && !HEADER_FROM_DIFFERENT_DOMAINS))

However there is stock SA rule that uses Mail::SpamAssassin::Plugin::DMARC:

header DMARC_REJECT eval:check_dmarc_reject()

Log:

Nov 17 11:10:49 amavis5 amavis[598804]: (598804-07) spam-tag, <3jtxxzrapacwkwuumvba-vwzmxtglwka.owwotm....@chime-notifications.bounces.google.com> -> <u...@domain.ltd>, No, score=4.865 tagged_above=3.6 required=6 tests=[AWL=-0.124, BAYES_00=-1.9, DCC_CHECK=4, DKIMWL_WL_MED=-0.001,

DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, DMARC_REJECT=1, FROM_NOT_RETURN_PATH=2,

root@amavis5:/etc/mail/spamassassin# host -t txt chime-notifications.bounces.google.com
chime-notifications.bounces.google.com descriptive text "v=spf1 redirect=_spf.google.com"

root@amavis5:/etc/mail/spamassassin# host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

root@amavis5:/etc/mail/spamassassin# host -t txt _dmarc.chime-notifications.bounces.google.com
_dmarc.chime-notifications.bounces.google.com descriptive text "v=spf1 redirect=_spf.google.com"

The e-mail was DKIM signed, but why did SA set "DMARC_REJECT" this time?

it's hard to see this without envelope and header from:

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
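
The alignment check discussed in the reply above, as an added Python example that is not part of the original thread and not SpamAssassin's own code. All domains and TXT strings are constructed, and the organizational domain is approximated by the last two labels instead of the Public Suffix List (an assumption).

```python
import re

def org_domain(domain):
    # Assumption: last two labels stand in for the Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(author, other, strict):
    """Identifier alignment against the header From (author) domain."""
    if strict:
        return author.lower() == other.lower()
    return org_domain(author) == org_domain(other)

def parse_dmarc(txt_records):
    """Return the tags of the single v=DMARC1 record, or None.

    TXT answers that do not start with v=DMARC1 (for example an SPF
    string returned for the _dmarc name) are discarded; zero or several
    remaining records mean no usable policy (RFC 7489, section 6.6.3).
    """
    valid = [t.strip() for t in txt_records
             if re.match(r"v=DMARC1\s*(;|$)", t.strip())]
    if len(valid) != 1:
        return None
    tags = {}
    # Splitting on ';' means the last tag needs no trailing semicolon.
    for part in valid[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_eval(header_from, envelope_from, spf_pass, dkim_pass_domains, txt_records):
    """Return 'pass', 'fail:<policy>' or 'none-published'."""
    policy = parse_dmarc(txt_records)
    if policy is None:
        return "none-published"
    aspf_strict = policy.get("aspf", "r").lower() == "s"
    adkim_strict = policy.get("adkim", "r").lower() == "s"
    # SPF counts only if the envelope-from domain aligns with header From.
    spf_ok = spf_pass and aligned(header_from, envelope_from, aspf_strict)
    # DKIM counts only if a passing signature's d= aligns with header From.
    dkim_ok = any(aligned(header_from, d, adkim_strict) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return "fail:" + policy.get("p", "none").lower()
```

A message can carry a valid DKIM signature and an SPF pass and still fail DMARC when neither domain aligns with the header From domain.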
