> >>> On 04/30/2014 10:10 AM, Michael Storz wrote:
> >>>> Are there any plans for a DMARC plugin for SpamAssassin?
Reacting to a
> >>>> DMARC policy of reject (AOL/Yahoo) seems only feasible with
> >>>> SpamAssassin because so many exceptions are needed for
software which
> >>>> destryes DKIM signatures:
I agree that a DMARC SpamAssassin plugin would be valuable.
Currently the closest thing we have in SpamAssassin is ASDP
(Author Domain Signing Practices), implemented by the DKIM plugin.
Compared to DMARC it only cares for DKIM signatures and ignores SPF,
and offers no reporting.
If you want to implement a similar effect to the new yahoo and
aol DMARC policy by SpamAssassin, use rules similar to the
default rules in 60_adsp_override_dkim.cf:
adsp_override yahoo.com custom_med
adsp_override yahoo.com.ar custom_med
adsp_override yahoo.com.au custom_med
adsp_override yahoo.com.br custom_med
adsp_override yahoo.com.cn custom_med
adsp_override yahoo.com.hk custom_med
...
Either replace 'custom_med' with 'all' or 'discard',
and/or adjust/increase scores for:
score DKIM_ADSP_CUSTOM_LOW 0.001
score DKIM_ADSP_CUSTOM_MED 0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
> >>> How could a SA plugin help?
> >>> Isn't this something that should be handled at MTA level?
Not in my view. The SpamAssassin prides itself with collecting spam
scores based on various criteria, the DMARC or ASDP policy is just
one of such criteria. If one wants to block mail violating sender
policy one can bump up corresponding scores. More useful than hard
blacklisting is often the balanced resulting spam score.
Btw, SpamAssassin (as well as amavisd) can be coupled with an MTA
as a before-queue filter (milter or proxy), so mail can be rejected
there too (not just bounced or tagged or quarantined).
Tom writes:
> I proposed a DMARC plugin for spamassassin on the dmarc mailing
list
> last year, to make it easier for people to give DMARC a spin. They
> didn't really like the idea (I still do), because a simple plugin
Jim P. writes:
> wouldn't do the report sending, which is an important part of
DMARC.
Sending reports can leak data (think: HIPAA). Know what you are
leaking to others.
Michael writes:
Right, therefore nearly no one is sending forensic reports, only
aggregate reports.
I wouldn't do the reporting at our site, even if offered by a DMARC
plugin. Remember SpamCop plugin? I think such feedback is not of high
value to a sending or to a policy site.
So in summary, I'm in favour of a DMARC SpamAssassin plugin, as
SA already has access to SPF and DKIM results. The configuration
approaches can mimic the existing ASDP in the DKIM plugin, concepts
are very similar (apart from reporting).
Mark
