DKIM with MailScanner

am.lists am.lists at gmail.com
Thu Mar 8 19:03:36 CET 2007


On 3/8/07, Arthur Sherman <arturs at netvision.net.il> wrote:
> What config should I alter to define policy?
>

Let's start by understanding which rules are out there:

# snippet from /usr/share/spamassassin/50_scores.cf
# DON'T MODIFY THIS FILE
# DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
endif # Mail::SpamAssassin::Plugin::DKIM

Now, on its own, by default, this isn't very useful.

But:

Consider this: We know some things. If there's a policy that says "I
sign all" and the message is not signed, we can penalize. But you
have to make a combination (meta) rule to do this:

Example of how:

(in my /etc/mail/spamassassin folder, add to mailscanner.cf at the
bottom, under "Your Edits Go Here" section)

meta     DKIM_FAIL_NOTSIGNED  (DKIM_POLICY_SIGNALL && !DKIM_SIGNED)
describe DKIM_FAIL_NOTSIGNED  DKIM Policy says they sign all messages, but message not signed.
score    DKIM_FAIL_NOTSIGNED  3.0

Translated into English, "let's create a new rule called
DKIM_FAIL_NOTSIGNED that fires when DKIM_POLICY_SIGNALL evaluates true
and DKIM_SIGNED evaluates false and give this a 3.0 score"

We can't do anything with the sign-some policy (remember, my policy is
that I'm not rewarding anyone, only penalizing the blatantly bad).

Personally, I'm mostly worried that spammy organizations that I really
don't want mail from will start signing messages with DK / DKIM and
get through under the score thresholds.

But your purpose and mission may vary. Your policy may state that as
long as the message passes verification you should accept it.

Best,

Angelo
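
The meta rule from the message above, worked through as an added example (not part of the original post and not SpamAssassin's own code): a small evaluator for boolean meta expressions, applied to the scores quoted from 50_scores.cf. It assumes only `&&`, `||`, `!` and parentheses are used; the hit sets are constructed, not taken from real mail.

```python
import re

# Scores copied from the 50_scores.cf snippet and the meta rule in the post.
SCORES = {"DKIM_POLICY_SIGNALL": 0.001, "DKIM_POLICY_SIGNSOME": 0.0,
          "DKIM_POLICY_TESTING": 0.001, "DKIM_SIGNED": 0.001,
          "DKIM_VERIFIED": -0.001, "DKIM_FAIL_NOTSIGNED": 3.0}
META = {"DKIM_FAIL_NOTSIGNED": "(DKIM_POLICY_SIGNALL && !DKIM_SIGNED)"}

def eval_meta(expr, hits):
    """Evaluate a boolean-only meta expression: &&, ||, ! and parentheses."""
    toks = re.findall(r"&&|\|\||[!()]|\w+", expr) + [None]  # None = end marker
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def binary(op, operand):
        # Left-associative chain; always parse the right side, then combine.
        val = operand()
        while toks[pos] == op:
            take()
            rhs = operand()
            val = (val or rhs) if op == "||" else (val and rhs)
        return val

    def unary():
        tok = take()
        if tok == "!":
            return not unary()
        if tok == "(":
            val = expression()
            take()  # consume ")"
            return val
        return tok in hits  # a rule name is true when that rule hit

    def expression():
        return binary("||", lambda: binary("&&", unary))
    return expression()

def score_message(hits):
    """Return (fired rules, total) for a constructed set of base-rule hits."""
    fired = set(hits) | {n for n, e in META.items() if eval_meta(e, hits)}
    return fired, round(sum(SCORES[r] for r in fired), 3)

# Constructed hit sets: no policy/unsigned, sign-all/unsigned, sign-all/signed.
SAMPLES = (set(), {"DKIM_POLICY_SIGNALL"},
           {"DKIM_POLICY_SIGNALL", "DKIM_SIGNED", "DKIM_VERIFIED"})
for sample in SAMPLES:
    print(sorted(sample), "->", score_message(sample))
```

Only the sign-all, unsigned case picks up the 3.0 penalty; an unsigned message from a domain with no sign-all policy is left alone, and a signed, verified one moves the total by about a thousandth of a point.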

