spamassassin-users mailing list archives

From RW <rwmailli...@googlemail.com>
Subject Re: Custom DMARC_FAIL rule
Date Tue, 27 Nov 2018 13:46:01 GMT
On Mon, 26 Nov 2018 20:13:12 -0500
Robert Fitzpatrick wrote:

> I have the following custom rules working pretty well in testing, but 
> ran into this message with two "Authentication-Results" headers:
> 
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > 	dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc  
> 
> This triggers DMARC_FAIL in my custom rules below, but all I want to 
> pick up on is 'header.from' failures. What do I need to change the 
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.from' after =fail?
> 
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail / 


dkim=fail doesn't imply the email failed DMARC. Just look for
dmarc=fail. Using header.from is just a roundabout way of eliminating
the unnecessary dkim=fail matches.



> > meta     WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)


Valid DKIM doesn't imply an email is not forged, the signature could be
unrelated to the author. If you want a sanity check you can use
DKIM_VALID_AU.




> >header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass / 

Again remove the dkim pass.
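
Added example, not part of RW's message or the original poster's rules: the quoted __DMARC_FAIL pattern and a dmarc-only variant, run over the two headers from the thread plus constructed headers. It assumes a header rule sees repeated Authentication-Results headers unfolded and joined by newlines; the escaped dot, \s+, \b and the example.com headers are choices made for this example.

```python
import re

# Pattern as quoted in the thread: fires on dkim=fail as well as dmarc=fail.
ORIGINAL_FAIL = re.compile(r"webtent.org; (dmarc|dkim)=fail ")
# Narrowed as the reply advises: only the dmarc= result counts.
# (Escaped dot, \s+ and \b are this example's choices, not from the thread.)
DMARC_ONLY_FAIL = re.compile(r"webtent\.org;\s+dmarc=fail\b")


def unfold(value):
    """Collapse folded continuation lines of one header value into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def rule_hits(pattern, values):
    """Test a rule pattern against all header values, one per line.

    Assumption: this mirrors how a header rule sees repeated headers.
    """
    text = "\n".join(unfold(v) for v in values)
    return pattern.search(text) is not None


# The two Authentication-Results headers from the message in the thread.
THREAD_MESSAGE = [
    "mx3.webtent.org; dmarc=none (p=none dis=none) "
    "header.from=email.monoprice.com",
    'mx3.webtent.org;\n\tdkim=fail reason="signature verification failed" '
    "(2048-bit key; unprotected) header.d=email.monoprice.com "
    "header.i=@email.monoprice.com header.b=JvTxQQIc",
]
# Constructed: DMARC passes although one DKIM signature fails.
DMARC_PASS_DKIM_FAIL = [
    "mx3.webtent.org; dmarc=pass (p=none dis=none) header.from=example.com",
    'mx3.webtent.org; dkim=fail reason="signature verification failed" '
    "header.d=example.com",
]
# Constructed: a genuine DMARC failure.
REAL_DMARC_FAIL = [
    "mx3.webtent.org; dmarc=fail (p=reject dis=none) header.from=example.com",
]

if __name__ == "__main__":
    samples = {"thread message": THREAD_MESSAGE,
               "dmarc=pass, dkim=fail": DMARC_PASS_DKIM_FAIL,
               "dmarc=fail": REAL_DMARC_FAIL}
    for name, headers in samples.items():
        print(f"{name:24} original={rule_hits(ORIGINAL_FAIL, headers)!s:6}"
              f"dmarc-only={rule_hits(DMARC_ONLY_FAIL, headers)}")
```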

