spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jones <djo...@ena.com>
Subject Re: Strict/Relaxed DKIM alignment possible with SA?
Date Sat, 06 May 2017 17:55:47 GMT
From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
    
>On 06.05.17 15:49, Thore Boedecker wrote:
>>After looking at the headers it became clear what the issue was:
>>
>>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>>@gmail.com senders to be sent through their servers.

>@gmail.com From: and envelope from. Sender: was yahoo...

The headers imply that this was sent from the Yahoo webmail
interface which must allow users to setup an "identity" like
Thunderbird does that allows custom From: and Return-Path:
headers.  They shouldn't allow this in their webmail interface.

BTW, their webmail interface should also add an X-Originating-IP:
header of the client so we could tell which country it was sent
from.  I bet it wasn't Japan.

>>The funny thing is, that there is a @gmail.com address in both the
>>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>>'Reply-To:' and 'Sender:' headers.
>>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>>emails with a correct *Yahoo* signature.

>I wonder why didn't THE mail hit SPF_SOFTFAIL, since it was supposed to...

The email didn't go through a Google mail server and the envelope-from
was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110.

>>Over on my side, the receiving end of these emails, there is my
>>spamassassin. SA discovers the DKIM signature and is able to validate
>>this signature against the Yahoo server which is totally undesirable
>>in my opinion.

>>Maybe strict DKIM alignment is not always the best choice, because
>>sometimes the emails are signed by different servers without sharing
>>one signing key for the entire domain.

>yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
>validator know?

Yahoo should stop allowing their webmail interface to control the From:
and Return-Path: headers.  I bet this spammer tried to send the email out
from Google which blocked it so this is a way to abuse the Yahoo mail servers
that are not good at blocking the outbound spam.

>I don't think this problem lies at DKIM verification, more on
>trustworthinedd of yahoo who signs such mail, 
>and the fact of missing SPF checks that I pointed out above.

DKIM does authentication and this email was from Yahoo.  Note no
DKIM_VALID_AU since the From: header was gmail.com.

>>So is there any way to make SA perform at least a relaxed DKIM
>>alignment check on the headers so that the DKIM signature domain has
>>to belong to the 'From:' address?

>every domain using yahoo mail servers would have to delegate DKIM to
>yahoo and yahoo would need to sign under all those domains.
>the same applies about any domain that does DKIM signing (e.g. gmail)

Interestingly, _dmarc.yahoo.com TXT record has "p=reject" which would
have caused a DMARC fail with a bounce.  Looks like this spammer noticed
that yahoo.co.jp does not have a DMARC record which allowed them to
send this spam even to recipients with DMARC checks enabled and honoring
"p=reject" like my mails filters do.

>that is in fact change in requirements on DKIM itself...

I bet as we see DMARC gain traction like SPF has this will force these 
major mail hosting providers like Yahoo to shape up.  Right now they are
so big that we can't make them act responsibly.  Yahoo should start rejecting
email that is sent through them like this to prevent spammers abusing them.

Google is slowly turning up the heat with DMARC which forces the Internet
to implement it.  I know this is a pain but I went through this pain a few years
ago and now I am glad to see Google using their influence for good.  In a few
more years all of our spam filtering will be better because of this.
Mime
View raw message