DKIM / DomainKeys

I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the
default scores for their tests are negligible, presumably because
they're still a bit experimental.

Is anyone using these and can suggest appropriate scores for these
plugins, or are these really just too unripe for serious use at the
moment?

Cheers,

-- A.

Alexis Manning wrote: Why don't you keep an eye on the activity for those scores and then decide?

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239

michele@... says...
> Alexis Manning wrote:
[DK/DKIM plugins]
> > Is anyone using these and can suggest appropriate scores for these
> > plugins, or are these really just too unripe for serious use at the
> > moment?
>
> Why don't you keep an eye on the activity for those scores and then decide?

Because I'm just an impatient kind of chap and thought I could short-
circuit that by stealing other people's work :)

But fairy snuff, I'll wait observantly and see what tweaking seems
appropriate.

-- A.

Alexis,

> I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the
> default scores for their tests are negligible, presumably because
> they're still a bit experimental.
>
> Is anyone using these and can suggest appropriate scores for these
> plugins, or are these really just too unripe for serious use at the
> moment?

One thing worth noting first: the current verision 0.22 of Mail::DKIM
handles both the DKIM as well as older DomainKeys signatures,
and is better maintained and more optimal than Mail::DomainKeys.
This means that one can now safely disable the SA plugin for
DomainKeys and just keep the DKIM plugin, it will cover for both.

Next, the most important role for DKIM/DK is to be able to safely
whitelist sender domains, or to penalize somewhat the mail claiming
to be coming from domains that are known to be signing all mail
(like yahoo and gmail.com), but do not bear a valid sigature.
I say 'somewhat' because some mailing list also corrupt signatures,
and some people use gmail/yahoo sending address even when posting
through some other ISP. Before this practice is rooted out,
one should probably not score invalid signature from these
two domains too harshly.

Regarding scoring of a mere presence of a valid signature, this is
not a good indication of spam/ham. Some types of spam carry a valid
signature from throw-away (kitted) domains, so although a little
bit of favourizing a valid signature is a good thing (providing
incentive for more people to start signing their mail), the bonus
points should not be too high (without also being associated with
known to be nonspamming domains, i.e. whitelist_from_dkim).

Here are some DKIM-related rules that I use.
Don't use these blindly without understanding the topic.

# slightly favourize a mere presence of a valid signature
score DKIM_VERIFIED -1.5
score DKIM_POLICY_TESTING 0

# whitelist some known-to-be-honest domains
score USER_IN_DKIM_WHITELIST -12
whitelist_from_dkim  *@intl.paypal.com  paypal.com

# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1       Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2       exists:List-Id
header __L_ML3       exists:List-Post
header __L_ML4       exists:Mailing-List
header __L_HAS_SNDR  exists:Sender
meta   __L_VIA_ML    __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1   From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2   From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3   From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4   From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta     L_UNVERIFIED_YAHOO  !DKIM_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5
meta     L_UNVERIFIED_GMAIL  !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5


  Mark

Mark.Martinec+sa@... says...
> [...] some mailing list also corrupt signatures,
> and some people use gmail/yahoo sending address even when posting
> through some other ISP. Before this practice is rooted out,
> one should probably not score invalid signature from these
> two domains too harshly.

Thanks Mark.  I have to admit that this hadn't occurred to me, even
though I am one of those people myself!


> Regarding scoring of a mere presence of a valid signature, this is
> not a good indication of spam/ham. Some types of spam carry a valid
> signature from throw-away (kitted) domains

Also something I hadn't really considered.

Thanks again for your scoring information.  I need to go and have a
think about how I should use DKIM; not sure how much of a pain it'll be
to keep the DKIM whitelist up to date, and, as you say, that's really
where the benefit comes from.

Cheers,

-- A.

Mark Martinec writes:
Well, that's handy -- so it does!

Still a little poorly documented, though -- the POD docs don't
mention it, just the http://jason.long.name/dkimproxy/ web site ;)

> Next, the most important role for DKIM/DK is to be able to safely
> whitelist sender domains, or to penalize somewhat the mail claiming
> to be coming from domains that are known to be signing all mail
> (like yahoo and gmail.com), but do not bear a valid sigature.
> I say 'somewhat' because some mailing list also corrupt signatures,
> and some people use gmail/yahoo sending address even when posting
> through some other ISP. Before this practice is rooted out,
> one should probably not score invalid signature from these
> two domains too harshly.

Yes -- this is why currently we're only providing negative points
for valid sigs, and not providing positive points in the other
direction...

> Regarding scoring of a mere presence of a valid signature, this is
> not a good indication of spam/ham.

+1.

--j.

Heya,

We leave the score at 0.00 and use it in a test for Yahoo, since there
is a lot of valid Yahoo messages getting tagged because of the RFC
Ignorant rules.  We check for it coming from a Yahoo server, and then
test for DK_VERIFIED.  If both are correct, then we apply a -3.00 to the
 score to compensate for the RFC rules that will more than likely fire off.



Terry

Terry Soucy, Systems Analyst              Integrated Technology Services
University of New Brunswick, Fredericton Campus   http://www.unbf.ca/its
Voice: 506.447.3018        Fax: 506.453.3590       E-mail: tsoucy@...
**    ITS is a scent-reduced workplace -  www.unbf.ca/its/policies    **


Alexis Manning wrote: