Score:2

SpamAssassin: custom rules and score


For my mailserver, I want to add some custom rules and scores for SpamAssassin DKIM and SPF checks.

Currently I use the following custom settings:

score   DKIM_SIGNED 0
score   DKIM_VALID  -1
score   SPF_NONE    1
score   SPF_PASS    -1

Problem:

There exists a tag if a mail has no SPF, but no setting if a mail is not DKIM signed. How can I use or implement

score   DKIM_UNSIGNED   1

Any help is appreciated.

You will probs get an answer much quicker by posting on the [mailing list](https://cwiki.apache.org/confluence/display/SPAMASSASSIN/MailingLists#MailingLists-Users)
Score:3

You can do that like this:

ifplugin Mail::SpamAssassin::Plugin::DKIM
score DKIM_SIGNED    -0.01
meta  DKIM_UNSIGNED  !DKIM_SIGNED
score DKIM_UNSIGNED  1
endif

(Assigning a zero score to a rule disables its evaluation, so !DKIM_SIGNED would always be true. The solution is to give it a trivial score. It also uses a conditional to ensure the plugin is loaded, as otherwise !DKIM_SIGNED would again always be true.)

⚠ However, I recommend neither that nor tinkering with DKIM/SPF weights.

Lots of spammers and dirty marketers implement SPF and DKIM. Then there are all of the attacks that come in through freemail providers like Gmail, Yahoo, Hotmail/Outlook, etc. Those infrastructures all have proper DKIM and SPF signing. You'd be giving all of them a big ham weight (-2), making it that much harder for SpamAssassin to convict them.

Similarly, lots of legitimate mails fail to use (or correctly implement) either SPF or DKIM.

You can look this up and see: Consider the public SpamAssassin Rule QA logs for 2022-01-12. Since these don't run the DKIM plugin on all tests, let's look at __DKIM_EXISTS (there is a DKIM signature header) instead of DKIM_SIGNED (there is a properly-formatted DKIM signature header) or DKIM_VALID (it matches). __DKIM_EXISTS is nearly identical to DKIM_SIGNED.

22.5% of spam and 71.4% of ham have DKIM, meaning 87.5% of spam and 38.6% of ham lack it.

Do you really want to remove 2 points from a ~quarter of your spam and add 1 point to a ~third of your ham?


Instead, I'd recommend explicitly blessing known-safe domains:

whitelist_from_dkim *@safe.example.com *@serverfault.com
whitelist_from_spf  *@safe.example.com *@serverfault.com

This allows valid DKIM-signed and SPF-authorized mail from just the listed domains. You can also use def_whitelist_from_dkim and def_whitelist_from_spf for lighter ham weights.

You could also consider doing this automatically via TxRep, but only after making sure you're properly using IP DNSBLs (see DnsBlocklists). I'd say DNSBLs and Bayesian content inspection are the two best weapons to combat spam overall.

Excellent answer! Only a DMARC policy can tell whether an unsigned message is a problem or not. Additionally, failed SPF or DMARC checks can also be used for *connection-stage rejection*.
I just added efficacy data to my answer which reinforces Esa's and my "don't do this" sentiment. I _very_ strongly advise against SMTP actions for SPF. Just DMARC, and even that has some doubt from more conservative admins given the misconfigurations out there.
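
The two pitfalls the answer describes (a meta rule depending on a zero-scored rule, and a negated plugin rule outside `ifplugin`) can be checked for before a config is deployed. The following is an added example, not part of the original thread or of SpamAssassin; `lint_meta_rules` and the sample configs are hypothetical names, and the parsing only covers `score`, `meta`, `if`/`ifplugin` and `endif` lines.

```python
import re

# Constructed sample: the question's scores plus a naive meta rule.
NAIVE_CF = """\
score   DKIM_SIGNED 0
score   DKIM_VALID  -1
meta    DKIM_UNSIGNED  !DKIM_SIGNED
score   DKIM_UNSIGNED   1
"""

# The answer's version: trivial non-zero score, wrapped in ifplugin.
GUARDED_CF = """\
ifplugin Mail::SpamAssassin::Plugin::DKIM
score DKIM_SIGNED    -0.01
meta  DKIM_UNSIGNED  !DKIM_SIGNED
score DKIM_UNSIGNED  1
endif
"""

# Hypothetical helper (not SpamAssassin code); parsing is simplified.
def lint_meta_rules(cf_text):
    """Return sorted (meta_rule, dependency, problem) findings."""
    zero_scored, metas, guards = set(), [], []
    for raw in cf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)
        if not parts:
            continue
        keyword = parts[0]
        if keyword in ("ifplugin", "if"):
            guards.append(keyword == "ifplugin")
        elif keyword == "endif" and guards:
            guards.pop()
        elif keyword == "score" and len(parts) == 3:
            values = re.findall(r"-?\d+(?:\.\d+)?", parts[2])
            if any(float(v) == 0 for v in values):
                zero_scored.add(parts[1])
            else:
                zero_scored.discard(parts[1])
        elif keyword == "meta" and len(parts) == 3:
            metas.append((parts[1], parts[2], any(guards)))
    findings = set()
    for name, expr, guarded in metas:
        for dep in re.findall(r"[A-Za-z_]\w*", expr):
            if dep in zero_scored:
                findings.add((name, dep, "depends on zero-scored rule"))
        if not guarded:
            for dep in re.findall(r"!\s*([A-Za-z_]\w*)", expr):
                findings.add((name, dep, "negation outside ifplugin"))
    return sorted(findings)
```

Calling `lint_meta_rules(NAIVE_CF)` reports both problems for `DKIM_UNSIGNED`, while the guarded version from the answer produces no findings.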