On 21.09.2014 at 04:37, John Hardin wrote:
> On Sun, 21 Sep 2014, Reindl Harald wrote:
>> On 21.09.2014 at 04:08, John Hardin wrote:
>>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>>> On 21.09.2014 at 03:29, John Hardin wrote:
>>>>> Would you care to share the spam that you posted the scores for at the
>>>>> start of this thread? There's not much we can do with just the rules
>>>>> that hit besides posting vague guesses. The critical part is: which
>>>>> domain is that whitelisted DKIM signature for?
>>>>
>>>> no message content available - we don't store anything on the gateway
>>>> 3 cases with score -5 twice and one time -2
>>>>
>>>> message-id=<....@xtinmta4208.xt.local
>>>> bounce-...@bounce.mail.hotels.com
>>>
>>> OK, mail.hotels.com is in the default DKIM whitelist.
>>>
>>> I haven't looked through the DKIM whitelist code but I note that
>>> def_whitelist_from_dkim supports specification of the domain in the
>>> DKIM signature, and the mail.hotels.com entry does not specify the
>>> signing domain.
>>>
>>> Speculation: I wonder if it's possible that message was a forged
>>> hotels.com email signed with DKIM from *another domain* and that's why
>>> the default DKIM whitelist rule triggered.
>>>
>>> Can someone with more familiarity with the details of DKIM comment on
>>> that possibility?
>>
>> yes, please
>>
>> all other "def_whitelist_from_dkim" hits look sane in the logs and have
>> -10 to -16 scores because no bayes hit and no other tags - only those 3
>> messages look questionable
>
> Are all three of those messages related to hotels.com?
yes! and all 3 have "AC_DIV_BONANZA,BAYES_99,BAYES_999" and, besides
"USER_IN_DEF_DKIM_WL", a lot of other WL tags which make them unblockable

the problem with DKIM is that if messages are signed automatically and
someone managed to abuse "mta2.mail.hotels.com", he has won the game, because
"USER_IN_DEF_DKIM_WL" and the other whitelistings are assigned to the
sending host

that's why i am a little bit suspicious of such high WL scores in general:
even if the message triggers a bunch of "LOT_OF_MONEY" rules and bayes, it
can't be blocked because of unconditional reputation
____________________________________________________________________________________
cat maillog | grep USER_IN_DEF_DKIM_WL | grep AC_DIV_BONANZA,BAYES_99,BAYES_999

Sep 18 22:07:07 mail-gw spamd[794]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=0.5,size=37869,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=45683,mid=<c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local>,bayes=0.999286,autolearn=disabled

Sep 20 02:19:31 mail-gw spamd[2292]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=2.2,size=64731,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52217,mid=<85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local>,bayes=0.999995,autolearn=disabled

Sep 20 02:19:37 mail-gw spamd[2292]: spamd: result: . -2 - AC_DIV_BONANZA,BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=5.1,size=63944,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52219,mid=<866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local>,bayes=0.999525,autolearn=disabled
____________________________________________________________________________________
Sep 18 22:07:05 mail-gw postfix/smtpd[2667]: 3hzTjP3cM0z1l: client=mta2.mail.hotels.com[66.231.92.97]
Sep 18 22:07:05 mail-gw postfix/cleanup[4074]: 3hzTjP3cM0z1l: message-id=<c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local>
Sep 18 22:07:07 mail-gw postfix/qmgr[2114]: 3hzTjP3cM0z1l: from=<bounce-1935712_html-1467588252-20587959-177351-...@bounce.mail.hotels.com>, size=37627, nrcpt=1 (queue active)

Sep 20 02:19:28 mail-gw postfix/smtpd[6121]: 3j0CG819Njz1l: client=mta2.email.hotels.com[66.231.84.80]
Sep 20 02:19:28 mail-gw postfix/cleanup[12995]: 3j0CG819Njz1l: message-id=<85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local>
Sep 20 02:19:31 mail-gw postfix/qmgr[14151]: 3j0CG819Njz1l: from=<bounce-1935712_html-1530991121-20588407-177351-...@bounce.mail.hotels.com>, size=64489, nrcpt=1 (queue active)

Sep 20 02:19:30 mail-gw postfix/smtpd[6157]: 3j0CGB4DWBz1y: client=mta2.email.hotels.com[66.231.84.80]
Sep 20 02:19:31 mail-gw postfix/cleanup[13002]: 3j0CGB4DWBz1y: message-id=<866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local>
Sep 20 02:19:37 mail-gw postfix/qmgr[14151]: 3j0CGB4DWBz1y: from=<bounce-1935712_html-1531355010-20588407-177351-...@bounce.mail.hotels.com>, size=63702, nrcpt=1 (queue active)
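The pattern Reindl describes (a BAYES_99/BAYES_999 hit that still lands well under required_score because USER_IN_DEF_DKIM_WL and other reputation rules fired) can be pulled out of the logs mechanically. The following is an added example, not code from the SpamAssassin project or from anyone in this thread. It parses spamd "result:" lines and the matching Postfix smtpd/cleanup lines, joins them on queue-id and message-id, and reports every verdict where reputation credit, not content, decided the outcome. The WHITELIST_RULES set is an assumption built from the rule names visible above; the sample input is the three verdicts and Postfix lines quoted in the thread (truncated message-ids kept as-is) plus one constructed clean verdict to show it is not flagged.

```python
"""Spot SpamAssassin verdicts where whitelist credit masks a strong Bayes hit.

Added example, not SpamAssassin code. Assumptions: spamd 'result:' lines in the
format shown in the thread, Postfix smtpd/cleanup lines for the same messages,
and WHITELIST_RULES below as the site's own list of reputation rules to watch.
"""
import re
from dataclasses import dataclass

# Rules whose negative scores can outvote a spam verdict. Assumption: the set is
# taken from the rule names visible in the thread's logs; adjust per site.
WHITELIST_RULES = {
    "USER_IN_DEF_DKIM_WL", "USER_IN_DKIM_WL", "USER_IN_DEF_WHITELIST",
    "USER_IN_WHITELIST", "RCVD_IN_MSPIKE_WL", "RCVD_IN_RP_CERTIFIED",
    "RCVD_IN_RP_SAFE", "CUST_DNSWL_2",
}
STRONG_SPAM_RULES = {"BAYES_99", "BAYES_999"}

SPAMD_RE = re.compile(
    r"spamd: result: [.Y] (?P<score>-?\d+(?:\.\d+)?) - (?P<rules>\S+) .*?"
    r"required_score=(?P<required>[\d.]+),.*?mid=<(?P<mid>[^>]*)>,"
    r".*?bayes=(?P<bayes>[\d.]+)")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+)")
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>\w+): message-id=<(?P<mid>[^>]*)>")


@dataclass
class Verdict:
    mid: str
    score: float
    required: float
    bayes: float
    rules: frozenset
    client: str = "unknown"   # filled in from the Postfix log when available


def parse_spamd(lines):
    """Return a Verdict for every 'spamd: result:' line, in log order."""
    out = []
    for line in lines:
        if m := SPAMD_RE.search(line):
            out.append(Verdict(m["mid"], float(m["score"]), float(m["required"]),
                               float(m["bayes"]), frozenset(m["rules"].split(","))))
    return out


def map_mid_to_client(lines):
    """Join smtpd (queue-id -> client host) with cleanup (queue-id -> message-id)."""
    client_by_qid, mid_by_qid = {}, {}
    for line in lines:
        if m := SMTPD_RE.search(line):
            client_by_qid[m["qid"]] = m["client"]
        elif m := CLEANUP_RE.search(line):
            mid_by_qid[m["qid"]] = m["mid"]
    return {mid: client_by_qid.get(qid, "unknown") for qid, mid in mid_by_qid.items()}


def find_masked_spam(spamd_lines, postfix_lines):
    """Verdicts under required_score while BAYES_99/BAYES_999 and at least one
    whitelist rule both hit: the reputation credit, not the content, decided."""
    clients = map_mid_to_client(postfix_lines)
    flagged = []
    for v in parse_spamd(spamd_lines):
        v.client = clients.get(v.mid, "unknown")
        if v.score < v.required and v.rules & STRONG_SPAM_RULES and v.rules & WHITELIST_RULES:
            flagged.append(v)
    return flagged


# Sample input: the thread's three verdicts and Postfix lines, plus one
# constructed clean verdict (mid constructed-clean@example.invalid).
SAMPLE_SPAMD = [
    "Sep 18 22:07:07 mail-gw spamd[794]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,"
    "CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,"
    "HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,"
    "RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=0.5,size=37869,user=sa-milt,uid=189,"
    "required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=45683,"
    "mid=<c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local>,bayes=0.999286,autolearn=disabled",
    "Sep 20 02:19:31 mail-gw spamd[2292]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,"
    "CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,"
    "RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,"
    "SPF_PASS,USER_IN_DEF_DKIM_WL scantime=2.2,size=64731,user=sa-milt,uid=189,required_score=4.5,"
    "rhost=localhost,raddr=127.0.0.1,rport=52217,"
    "mid=<85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local>,bayes=0.999995,autolearn=disabled",
    "Sep 20 02:19:37 mail-gw spamd[2292]: spamd: result: . -2 - AC_DIV_BONANZA,BAYES_99,BAYES_999,"
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_RP_SAFE,"
    "RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=5.1,size=63944,user=sa-milt,uid=189,"
    "required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52219,"
    "mid=<866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local>,bayes=0.999525,autolearn=disabled",
    "Sep 20 09:00:00 mail-gw spamd[2292]: spamd: result: . -9 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,"
    "HTML_MESSAGE,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=0.4,size=12000,user=sa-milt,uid=189,"
    "required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=40000,"
    "mid=<constructed-clean@example.invalid>,bayes=0.0000,autolearn=disabled",
]
SAMPLE_POSTFIX = [
    "Sep 18 22:07:05 mail-gw postfix/smtpd[2667]: 3hzTjP3cM0z1l: client=mta2.mail.hotels.com[66.231.92.97]",
    "Sep 18 22:07:05 mail-gw postfix/cleanup[4074]: 3hzTjP3cM0z1l: message-id=<c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local>",
    "Sep 20 02:19:28 mail-gw postfix/smtpd[6121]: 3j0CG819Njz1l: client=mta2.email.hotels.com[66.231.84.80]",
    "Sep 20 02:19:28 mail-gw postfix/cleanup[12995]: 3j0CG819Njz1l: message-id=<85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local>",
    "Sep 20 02:19:30 mail-gw postfix/smtpd[6157]: 3j0CGB4DWBz1y: client=mta2.email.hotels.com[66.231.84.80]",
    "Sep 20 02:19:31 mail-gw postfix/cleanup[13002]: 3j0CGB4DWBz1y: message-id=<866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local>",
]

if __name__ == "__main__":
    for v in find_masked_spam(SAMPLE_SPAMD, SAMPLE_POSTFIX):
        print(f"{v.score:>5} (bayes={v.bayes}) from {v.client}: {sorted(v.rules & WHITELIST_RULES)}")
```

Run against a real maillog by replacing the two sample lists with the file's lines; the join through Postfix is what shows whether the whitelist credit was earned by a genuine hotels.com MTA (as here) or by an unrelated host carrying a signature from some other domain, which is the case John's question about the missing signing-domain argument to def_whitelist_from_dkim is meant to rule out.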