DKIM scoring with spamassassin

Discussion:

Quanah Gibson-Mount

2013-02-16 00:34:30 UTC

Does anyone tweak the DKIM scores given by SA? There are plenty of
scenarios where DKIM has failed, yet SA does not give the email a
particularly high spam mark. 3 example test cases below. I guess I was
expecting SA would score DKIM failures more aggressively if there are
problems with the signing:

Case 1. Actively modify "from" field of the message and send in manually via
SMTP keeping the same signature.

X-Spam-Status: No, score=-1.379 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1, BAYES_05=-0.5, DKIM_SIGNED=0.1,
NO_DNS_FOR_FROM=0.001, T_DKIM_INVALID=0.01,
T_HEADER_FROM_DIFFERENT_DOMAINS=0.01, T_NOT_A_PERSON=-0.01,
T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new);
dkim=fail (1024-bit key) reason="fail (message has been altered)"
header.d=dkimtest.com

Case 2. Update signature on a domain, but don't update it in DNS.

X-Spam-Status: No, score=-0.057 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1, BAYES_20=-0.001, DKIM_SIGNED=0.1,
NO_DNS_FOR_FROM=0.001, RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01,
T_DKIM_INVALID=0.01, T_HELO_NO_DOMAIN=0.01,
T_LONG_HEADER_LINE_80=0.01, T_NOT_A_PERSON=-0.01,
T_THREAD_INDEX_BAD=0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new);
dkim=fail (1024-bit key) reason="fail (bad RSA signature)"
header.d=dkimtest.com

Case 3. Don't populate DNS record with DKIM signature at all

X-Spam-Status: No, score=-1.957 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_SIGNED=0.1,
RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01, T_DKIM_INVALID=0.01,
T_HELO_NO_DOMAIN=0.01, T_LONG_HEADER_LINE_80=0.01,
T_NOT_A_PERSON=-0.01, T_THREAD_INDEX_BAD=0.01,
T_UNKNOWN_ORIGIN=0.01]
autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new); dkim=neutral
reason="invalid (public key: not available)" header.d=dkimtest.com

Thanks,
Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration

John Hardin

2013-02-16 01:01:24 UTC

Permalink

DKIM and SPF are anti-forgery tools, not anti-spam tools.

If you take a DKIM-signed email that is whitelisted because of
whitelist_auth and make a change that invalidates the signature, does it
still get whitelisted? If not, then SA is doing all that it can reasonably
be expected to do with the invalid signature.

DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken
together with other factors (such as DKIM invalid + claims to be from
Wells Fargo) it's useful.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
***@impsec.org FALaholic #11174 pgpk -a ***@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Look at the people at the top of both efforts. Linus Torvalds is a
university graduate with a CS degree. Bill Gates is a university
dropout who bragged about dumpster-diving and using other peoples'
garbage code as the basis for his code. Maybe that has something to
do with the difference in quality/security between Linux and
Windows. -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
7 days until George Washington's 281st Birthday

Quanah Gibson-Mount

2013-02-16 02:16:16 UTC

Permalink

--On Friday, February 15, 2013 5:01 PM -0800 John Hardin

Post by John Hardin

Post by Quanah Gibson-Mount
Does anyone tweak the DKIM scores given by SA? There are plenty of
scenarios where DKIM has failed, yet SA does not give the email a
particularly high spam mark. 3 example test cases below. I guess I
was expecting SA would score DKIM failures more aggressively if there

Ok, thanks. If any of our users ask, this is a good summary. :)

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration

Patrick Ben Koetter

2013-02-17 19:54:00 UTC

Permalink

Quanah,

Post by Quanah Gibson-Mount
--On Friday, February 15, 2013 5:01 PM -0800 John Hardin

Post by John Hardin

Ok, thanks. If any of our users ask, this is a good summary. :)

if you want your spam filters to benefit from DKIM, you need to build
reputation. You need to account if or if not a domain uses DKIM and what the
average spam score of that sender domains is.

The OpenDKIM reputation project has introduced a local reputation database and
uses SpamAssassin to get the spam score. You might want to investigate in the
project if you want to use DKIM (as one of many methods) to filter spam.

***@rick

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich