projects / proxmox-spamassassin.git / blame
| Commit | Line | Data |
|---|---|---|
| b780ea8d SI |
1 | # SpamAssassin rules file: default DKIM ADSP overrides |
| 2 | # | |
| 3 | # Please don't modify this file as your changes will be overwritten with | |
| 4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
| 5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
| 6 | # | |
| 7 | # <@LICENSE> | |
| 8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
| 9 | # contributor license agreements. See the NOTICE file distributed with | |
| 10 | # this work for additional information regarding copyright ownership. | |
| 11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
| 12 | # (the "License"); you may not use this file except in compliance with | |
| 13 | # the License. You may obtain a copy of the License at: | |
| 14 | # | |
| 15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
| 16 | # | |
| 17 | # Unless required by applicable law or agreed to in writing, software | |
| 18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
| 19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 20 | # See the License for the specific language governing permissions and | |
| 21 | # limitations under the License. | |
| 22 | # </@LICENSE> | |
| 23 | ||
| 24 | ########################################################################### | |
| 25 | # DKIM ADSP overrides | |
| 26 | ||
| 27 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
| 28 | ||
| 29 | # Later rules override previous, so to override any of the pre-sets here, just | |
| 30 | # declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' . | |
| 31 | # | |
| 32 | # 'discardable' is implied in absence of the second argument. | |
| 33 | ||
| 34 | adsp_override ebay.com | |
| 35 | adsp_override ebay.at | |
| 36 | adsp_override ebay.be | |
| 37 | adsp_override ebay.ca | |
| 38 | adsp_override ebay.ch | |
| 39 | adsp_override ebay.de | |
| 40 | adsp_override ebay.ee | |
| 41 | adsp_override ebay.es | |
| 42 | adsp_override ebay.fr | |
| 43 | adsp_override ebay.hu | |
| 44 | adsp_override ebay.ie | |
| 45 | adsp_override ebay.in | |
| 46 | adsp_override ebay.it | |
| 47 | adsp_override ebay.nl | |
| 48 | adsp_override ebay.ph | |
| 49 | adsp_override ebay.pl | |
| 50 | adsp_override ebay.pt | |
| 51 | adsp_override ebay.se | |
| 52 | adsp_override ebay.co.kr | |
| 53 | adsp_override ebay.co.uk | |
| 54 | adsp_override ebay.com.au | |
| 55 | adsp_override ebay.com.cn | |
| 56 | adsp_override ebay.com.hk | |
| 57 | adsp_override ebay.com.mx | |
| 58 | adsp_override ebay.com.my | |
| 59 | adsp_override ebay.com.sq | |
| 60 | ||
| 61 | adsp_override paypal.com | |
| 62 | adsp_override paypal.co.uk | |
| 63 | ||
| 64 | adsp_override ealerts.bankofamerica.com | |
| 65 | adsp_override alert.bankofamerica.com | |
| 66 | adsp_override americangreetings.com | |
| 67 | adsp_override yahoo.americangreetings.com | |
| 68 | adsp_override msn.americangreetings.com | |
| 69 | adsp_override egreetings.com | |
| 70 | adsp_override bluemountain.com | |
| 71 | adsp_override hallmark.com | |
| 72 | adsp_override update.hallmark.com | |
| 73 | adsp_override *.hallmark.com | |
| 74 | ||
| 75 | adsp_override amazon.com all | |
| 76 | adsp_override amazon.co.uk all | |
| 77 | adsp_override amazon.de all | |
| 78 | adsp_override amazon.fr all | |
| 79 | adsp_override birthdayalarm.com all | |
| 80 | adsp_override astrology.com all | |
| 81 | adsp_override linkedin.com all | |
| 82 | adsp_override *.linkedin.com all | |
| 83 | adsp_override facebookmail.com all | |
| 84 | adsp_override *.greenpeace.org all | |
| 85 | adsp_override lists.sourceforge.net all | |
| 86 | adsp_override lufthansa.com all | |
| 87 | adsp_override *.lufthansa.com all | |
| 88 | adsp_override *.delivery.net all | |
| 89 | ||
| 90 | adsp_override youtube.com custom_high | |
| 91 | ||
| 92 | adsp_override google.com custom_med | |
| 93 | adsp_override gmail.com custom_med | |
| 94 | adsp_override googlemail.com custom_med | |
| 95 | ||
| 96 | adsp_override yahoo.com custom_med | |
| 97 | adsp_override yahoo.com.ar custom_med | |
| 98 | adsp_override yahoo.com.au custom_med | |
| 99 | adsp_override yahoo.com.br custom_med | |
| 100 | adsp_override yahoo.com.cn custom_med | |
| 101 | adsp_override yahoo.com.hk custom_med | |
| 102 | adsp_override yahoo.com.mx custom_med | |
| 103 | adsp_override yahoo.com.my custom_med | |
| 104 | adsp_override yahoo.com.ph custom_med | |
| 105 | adsp_override yahoo.com.sg custom_med | |
| 106 | adsp_override yahoo.com.tw custom_med | |
| 107 | adsp_override yahoo.co.id custom_med | |
| 108 | adsp_override yahoo.co.in custom_med | |
| 109 | adsp_override yahoo.co.jp custom_med | |
| 110 | adsp_override yahoo.co.nz custom_med | |
| 111 | adsp_override yahoo.co.th custom_med | |
| 112 | adsp_override yahoo.co.uk custom_med | |
| 113 | adsp_override yahoo.ca custom_med | |
| 114 | adsp_override yahoo.cn custom_med | |
| 115 | adsp_override yahoo.de custom_med | |
| 116 | adsp_override yahoo.dk custom_med | |
| 117 | adsp_override yahoo.es custom_med | |
| 118 | adsp_override yahoo.fr custom_med | |
| 119 | adsp_override yahoo.gr custom_med | |
| 120 | adsp_override yahoo.ie custom_med | |
| 121 | adsp_override yahoo.it custom_med | |
| 122 | adsp_override yahoo.no custom_med | |
| 123 | adsp_override yahoo.pl custom_med | |
| 124 | adsp_override yahoo.se custom_med | |
| 125 | ||
| 126 | ||
| 127 | # Ignore linting, makes unnecessary lookups | |
| 128 | adsp_override compiling.spamassassin.taint.org unknown | |
| 129 | ||
| 130 | # To effectively disable ADSP network DNS lookups for all other domains: | |
| 131 | # adsp_override * unknown | |
| 132 | ||
| 133 | ||
| 134 | # Currently few domains publish their signing practices (draft-ietf-dkim-ssp, | |
| 135 | # ADSP), partly because the ADSP draft/rfc is rather new, partly because they | |
| 136 | # think hardly any recipient bothers to check it, and partly for fear that | |
| 137 | # some recipients might lose mail due to problems in their signature validation | |
| 138 | # procedures or mail mangling by mailers beyond their control. | |
| 139 | # | |
| 140 | # Nevertheless, recipients could benefit by knowing signing practices of a | |
| 141 | # sending (author's) domain, for example to recognize forged mail claiming | |
| 142 | # to be from certain domains which are popular targets for phishing, like | |
| 143 | # financial institutions. Unfortunately, as signing practices are seldom | |
| 144 | # published or are weak, it is hardly justifiable to look them up in DNS. | |
| 145 | # | |
| 146 | # To overcome this chicken-or-the-egg problem, the adsp_override mechanism | |
| 147 | # allows recipients using SpamAssassin to override published or defaulted | |
| 148 | # ADSP for certain domains. This makes it possible to manually specify a | |
| 149 | # stronger (or weaker) signing practices than a signing domain is willing | |
| 150 | # to publish (explicitly or by default), and also save on a DNS lookup. | |
| 151 | # | |
| 152 | # Note that ADSP (published or overridden) is only consulted for messages | |
| 153 | # which do not contain a valid DKIM signature from the author's domain. | |
| 154 | # | |
| 155 | # According to ADSP draft, signing practices can be one of the following: | |
| 156 | # unknown, all and discardable. | |
| 157 | # | |
| 158 | # unknown: Messages from this domain might or might not have an author | |
| 159 | # signature. This is a default if a domain exists in DNS but no ADSP record | |
| 160 | # is found. | |
| 161 | # | |
| 162 | # all: All messages from this domain are signed with an Author Signature. | |
| 163 | # | |
| 164 | # discardable: All messages from this domain are signed with an Author | |
| 165 | # Signature. If a message arrives without a valid Author Signature, the | |
| 166 | # domain encourages the recipient(s) to discard it. | |
| 167 | # | |
| 168 | # ADSP lookup can also determine that a domain is "out of scope", i.e., the | |
| 169 | # domain does not exist (NXDOMAIN) in the DNS. | |
| 170 | # | |
| 171 | # To override domain's signing practices in a SpamAssassin configuration file, | |
| 172 | # specify an adsp_override directive for each sending domain to be overridden. | |
| 173 | # | |
| 174 | # Its first argument is a domain name. Author's domain is matched against it, | |
| 175 | # matching is case insensitive. This is not a regular expression or a file-glob | |
| 176 | # style wildcard, but limited wildcarding is still available: if this argument | |
| 177 | # starts by a "*." (or is a sole "*"), author's domain matches if it is a | |
| 178 | # subdomain (to one or more levels) of the argument. Otherwise (with no | |
| 179 | # leading asterisk) the match must be exact (not a subdomain). | |
| 180 | # | |
| 181 | # An optional second parameter is one of the following keywords | |
| 182 | # (case-insensitive): nxdomain, unknown, all, discardable, | |
| 183 | # custom_low, custom_med, custom_high. | |
| 184 | # | |
| 185 | # Absence of this second parameter implies discardable. If a domain is not | |
| 186 | # listed by a adsp_override directive nor does it explicitly publish any | |
| 187 | # ADSP record, then unknown is implied for valid domains, and nxdomain | |
| 188 | # for domains not existing in DNS. (Note: domain validity may be unchecked | |
| 189 | # with current versions of Mail::DKIM, so nxdomain may never turn up.) | |
| 190 | # | |
| 191 | # The strong setting discardable is useful for domains which are known | |
| 192 | # to always sign their mail and to always send it directly to recipients | |
| 193 | # (not to mailing lists), and are frequent targets of fishing attempts, | |
| 194 | # such as financial institutions. The discardable is also appropriate | |
| 195 | # for domains which are known never to send any mail. | |
| 196 | # | |
| 197 | # When a message does not contain a valid signature by the author's domain | |
| 198 | # (the domain in a From header field), the signing practices pertaining | |
| 199 | # to author's domain determine which of the following rules fire and | |
| 200 | # contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD, | |
| 201 | # DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more | |
| 202 | # than one of these rules can fire. The last three can only result from a | |
| 203 | # 'signing_practices' as given in a adsp_override directive (not from a | |
| 204 | # DNS lookup), and can serve as a convenient means of providing a different | |
| 205 | # score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not | |
| 206 | # considered suitable for some domains. | |
| 207 | # | |
| 208 | # As a precaution against firing DKIM_ADSP_* rules when there is a known | |
| 209 | # local reason for a signature verification failure, the domain's ADSP is | |
| 210 | # considered unknown when DNS lookups are disabled or a DNS lookup encountered | |
| 211 | # a temporary problem on fetching a public key from the author's domain. | |
| 212 | # Similarly, ADSP is considered unknown when this plugin did its own signature | |
| 213 | # verification (signatures were not passed to SA by a caller) and a metarule | |
| 214 | # __TRUNCATED was triggered, indicating the caller intentionally passed a | |
| 215 | # truncated message to SpamAssassin, which was a likely reason for a signature | |
| 216 | # verification failure. | |
| 217 | ||
| 218 | endif # Mail::SpamAssassin::Plugin::DKIM |