Bug 7310 - suggested rule: DomainKey-Signature with invalid DNS
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.1
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Depends on:
Reported: 2016-04-13 21:36 UTC by Matt Domsch
Modified: 2016-04-13 21:43 UTC

Attachment: domainkey-signature header spam mbox (application/mbox); Status: None; Submitter/CLA Status: Matt Domsch [NoCLA]

Description Matt Domsch 2016-04-13 21:36:16 UTC
The predominance of spam I receive that is not otherwise detected or filtered has the same pattern - it includes a DomainKey-Signature header (which is considered obsolete I know, nonetheless it remains present) yet the selector (s=foo) and domain (d=foo) portion of the header are fictitious.

As an example:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=gamma; d=countingbooks.com;

By DomainKey rules, our filter should look up gamma._domainkey.countingbooks.com TXT record in DNS to find the public key corresponding to the signer of this message.  However, this does not exist.  This is akin to the __DKIM_EXISTS rule testing for the existence of the header, and the DKIM_ADSP_NXDOMAIN rule that looks up a DKIM ADSP record in DNS, but in this case we're merely looking up the public key record.

The opendkim milter (http://opendkim.org) has a specific test and configuration option for how to handle such DNS lookup failures on a DKIM-Signature header, but does not do likewise for (obsolete) DomainKey-Signature headers.

The perl(Mail::DKIM) module already used by SpamAssassin to handle the DKIM-Signature header can also handle the DomainKey-Signature header, and the SpamAssassin Plugin DKIM.pm indicates it will also check the DomainKey-Signature header, but does not seem to do so.

I have so far found only a single false positive on this test - that on mail from the Boy Scouts of America <scoutstuff@scoutstuff.org> where they included a DomainKey-Signature header with incorrect d= value, yet included a correct DKIM-Signature header with the correct d= value.
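
The lookup described in this report, as an added example (not code from SpamAssassin, Mail::DKIM, opendkim or the reporter): it builds the selector._domainkey.domain TXT query name from the header's s= and d= tags and classifies the answer, keeping a transient DNS failure separate from a missing key. The resolver callable, the NoSuchName exception, the result strings and the example.com / example.net zone data are assumptions constructed for illustration.

```python
import re

LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")

class NoSuchName(Exception):
    """Raised by the resolver callable for NXDOMAIN or an empty TXT answer."""

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, undoing header folding."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        name, sep, val = part.partition("=")
        if sep and name.strip():
            tags.setdefault(name.strip().lower(), re.sub(r"\s+", "", val))
    return tags

def key_query_name(header_value):
    """Return '<s>._domainkey.<d>', or None when s=/d= are absent or malformed."""
    tags = parse_tags(header_value)
    selector, domain = tags.get("s", ""), tags.get("d", "").rstrip(".")
    labels = selector.split(".") + domain.split(".")
    if not selector or "." not in domain or not all(LABEL.match(l) for l in labels):
        return None
    return f"{selector}._domainkey.{domain}".lower()

def check_domainkey(header_value, lookup_txt):
    """Classify the header: malformed, key_missing, key_found or temp_error."""
    name = key_query_name(header_value)
    if name is None:
        return "malformed"
    try:
        records = lookup_txt(name)
    except NoSuchName:
        return "key_missing"
    except TimeoutError:
        return "temp_error"  # transient DNS failure: no verdict, do not score
    # A usable key record carries a non-empty p= tag; an empty p= is a revoked key.
    return "key_found" if any(parse_tags(t).get("p") for t in records) else "key_missing"

# Constructed resolver data so the example runs offline (not real DNS answers).
FAKE_ZONE = {"sel1._domainkey.example.com": ["k=rsa; p=MIGfCONSTRUCTEDKEY"],
             "old._domainkey.example.com": ["k=rsa; p="]}

def fake_lookup(name):
    if name.endswith(".example.net"):
        raise TimeoutError(name)      # simulated resolver timeout
    if name not in FAKE_ZONE:
        raise NoSuchName(name)        # simulated NXDOMAIN
    return FAKE_ZONE[name]

# Header value quoted in this report.
PAGE_HEADER = "a=rsa-sha1; q=dns; c=nofws;\n        s=gamma; d=countingbooks.com;"
```

In a live filter, lookup_txt would wrap the real resolver; the false positive reported here (a wrong d= in DomainKey-Signature next to a valid DKIM-Signature) suggests evaluating this result alongside the DKIM verdict rather than alone.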
Comment 1 Matt Domsch 2016-04-13 21:43:53 UTC
Created attachment 5384
domainkey-signature header spam mbox

Spam corpus, with a single false positive due to a misconfigured mail server at scoutstuff.org.