On Sun, 21 Sep 2014, Reindl Harald wrote:

> On 21.09.2014 at 04:08, John Hardin wrote:
>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>> On 21.09.2014 at 03:29, John Hardin wrote:
>>>> Would you care to share the spam that you posted the scores for at
>>>> the start of this thread? There's not much we can do with just the
>>>> rules that hit besides post vague guesses. The critical part is: which
>>>> domain is that whitelisted DKIM signature for?
>>>
>>> no message content available - we don't store anything on the gateway
>>> 3 cases with score -5 twice and one time -2
>>>
>>> message-id=<....@xtinmta4208.xt.local
>>> bounce-...@bounce.mail.hotels.com
>>
>> OK, mail.hotels.com is in the default DKIM whitelist.
>>
>> I haven't looked through the DKIM whitelist code but I note that
>> def_whitelist_from_dkim supports specification of the domain in the
>> DKIM signature, and the mail.hotels.com entry does not specify the
>> signing domain.
>>
>> Speculation: I wonder if it's possible that message was a forged
>> hotels.com email signed with DKIM from *another domain* and that's why
>> the default DKIM whitelist rule triggered.
>>
>> Can someone with more familiarity with the details of DKIM comment on
>> that possibility?
>
> yes, please
>
> all other "def_whitelist_from_dkim" look sane in the logs and have -10
> to -16 scores because no bayes hit and no other tags - only those 3
> messages which look questionable

Are all three of those messages related to hotels.com?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
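
The Mail::SpamAssassin::Plugin::DKIM documentation states that when the optional signing-domain parameter of whitelist_from_dkim / def_whitelist_from_dkim is omitted, the only acceptable signature is an Author Domain Signature, one whose d= domain matches the domain of the From: address. The block below is an added example, not part of the thread and not SpamAssassin's code: a simplified Python model of that documented rule, in which the entry patterns, addresses and domains are constructed assumptions.

```python
from fnmatch import fnmatchcase

def sdid_acceptable(sdid, author_domain, signing_domain=None):
    """Model of the documented rule for the optional second parameter."""
    sdid, author_domain = sdid.lower(), author_domain.lower()
    if not signing_domain:
        # No signing domain given: only an Author Domain Signature counts,
        # i.e. d= must equal the domain of the From: address.
        return sdid == author_domain
    want = signing_domain.lower()
    if want.startswith("*."):
        want = want[1:]
    if want.startswith("."):
        # "*.example.com" or ".example.com": any subdomain, not the domain itself.
        return sdid.endswith(want)
    return sdid == want

def whitelist_hits(author, valid_sdids, entries):
    """Return the whitelist entries matched by one message.

    author      -- address from the From: header
    valid_sdids -- d= domains of the signatures that verified
    entries     -- list of (address_glob, signing_domain_or_None)
    """
    author = author.lower()
    domain = author.rpartition("@")[2]
    return [
        (glob, sd) for glob, sd in entries
        if fnmatchcase(author, glob.lower())
        and any(sdid_acceptable(s, domain, sd) for s in valid_sdids)
    ]

# Constructed entries; the address pattern of the shipped hotels.com entry is
# an assumption (the thread only says it names no signing domain).
ENTRIES = [
    ("*@mail.hotels.com", None),                # no signing domain
    ("*@news.example.org", "esp.example.net"),  # third-party signer named
]

# Constructed messages: (From: address, d= domains that verified)
FORGED = ("deals@mail.hotels.com", ["bulk.example.net"])
GENUINE = ("deals@mail.hotels.com", ["mail.hotels.com"])
THIRD_PARTY = ("info@news.example.org", ["esp.example.net"])

if __name__ == "__main__":
    for name, msg in [("forged", FORGED), ("genuine", GENUINE),
                      ("third-party", THIRD_PARTY)]:
        print(name, whitelist_hits(*msg, ENTRIES))
```

In this model a hotels.com From: address with a valid signature from an unrelated domain matches no entry, so when auditing a questionable hit the useful fields to log are the From: domain and the d= of each signature that verified.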