Commit | Line | Data |
---|---|---|
b780ea8d SI |
1 | # SpamAssassin rules file: default DKIM ADSP overrides |
2 | # | |
3 | # Please don't modify this file as your changes will be overwritten with | |
4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
6 | # | |
7 | # <@LICENSE> | |
8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
9 | # contributor license agreements. See the NOTICE file distributed with | |
10 | # this work for additional information regarding copyright ownership. | |
11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
12 | # (the "License"); you may not use this file except in compliance with | |
13 | # the License. You may obtain a copy of the License at: | |
14 | # | |
15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
16 | # | |
17 | # Unless required by applicable law or agreed to in writing, software | |
18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
20 | # See the License for the specific language governing permissions and | |
21 | # limitations under the License. | |
22 | # </@LICENSE> | |
23 | ||
24 | ########################################################################### | |
25 | # DKIM ADSP overrides | |
26 | ||
27 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
28 | ||
29 | # Later rules override previous, so to override any of the pre-sets here, just | |
30 | # declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' . | |
31 | # | |
32 | # 'discardable' is implied in absence of the second argument. | |
33 | ||
34 | adsp_override ebay.com # no second argument: 'discardable' is implied for this whole group | |
35 | adsp_override ebay.at | |
36 | adsp_override ebay.be | |
37 | adsp_override ebay.ca | |
38 | adsp_override ebay.ch | |
39 | adsp_override ebay.de | |
40 | adsp_override ebay.ee | |
41 | adsp_override ebay.es | |
42 | adsp_override ebay.fr | |
43 | adsp_override ebay.hu | |
44 | adsp_override ebay.ie | |
45 | adsp_override ebay.in | |
46 | adsp_override ebay.it | |
47 | adsp_override ebay.nl | |
48 | adsp_override ebay.ph | |
49 | adsp_override ebay.pl | |
50 | adsp_override ebay.pt | |
51 | adsp_override ebay.se | |
52 | adsp_override ebay.co.kr | |
53 | adsp_override ebay.co.uk | |
54 | adsp_override ebay.com.au | |
55 | adsp_override ebay.com.cn | |
56 | adsp_override ebay.com.hk | |
57 | adsp_override ebay.com.mx | |
58 | adsp_override ebay.com.my | |
59 | adsp_override ebay.com.sq # NOTE(review): '.sq' is not a delegated TLD, so this exact-match entry can never apply; presumably a typo for ebay.com.sg, which would then get no override - confirm | |
60 | ||
61 | adsp_override paypal.com | |
62 | adsp_override paypal.co.uk | |
63 | ||
64 | adsp_override ealerts.bankofamerica.com | |
65 | adsp_override alert.bankofamerica.com | |
66 | adsp_override americangreetings.com | |
67 | adsp_override yahoo.americangreetings.com | |
68 | adsp_override msn.americangreetings.com | |
69 | adsp_override egreetings.com | |
70 | adsp_override bluemountain.com | |
71 | adsp_override hallmark.com | |
72 | adsp_override update.hallmark.com | |
73 | adsp_override *.hallmark.com | |
74 | ||
75 | adsp_override amazon.com all | |
76 | adsp_override amazon.co.uk all | |
77 | adsp_override amazon.de all | |
78 | adsp_override amazon.fr all | |
79 | adsp_override birthdayalarm.com all | |
80 | adsp_override astrology.com all | |
81 | adsp_override linkedin.com all | |
82 | adsp_override *.linkedin.com all | |
83 | adsp_override facebookmail.com all | |
84 | adsp_override *.greenpeace.org all | |
85 | adsp_override lists.sourceforge.net all | |
86 | adsp_override lufthansa.com all | |
87 | adsp_override *.lufthansa.com all | |
88 | adsp_override *.delivery.net all | |
89 | ||
90 | adsp_override youtube.com custom_high | |
91 | ||
92 | adsp_override google.com custom_med | |
93 | adsp_override gmail.com custom_med | |
94 | adsp_override googlemail.com custom_med | |
95 | ||
96 | adsp_override yahoo.com custom_med | |
97 | adsp_override yahoo.com.ar custom_med | |
98 | adsp_override yahoo.com.au custom_med | |
99 | adsp_override yahoo.com.br custom_med | |
100 | adsp_override yahoo.com.cn custom_med | |
101 | adsp_override yahoo.com.hk custom_med | |
102 | adsp_override yahoo.com.mx custom_med | |
103 | adsp_override yahoo.com.my custom_med | |
104 | adsp_override yahoo.com.ph custom_med | |
105 | adsp_override yahoo.com.sg custom_med | |
106 | adsp_override yahoo.com.tw custom_med | |
107 | adsp_override yahoo.co.id custom_med | |
108 | adsp_override yahoo.co.in custom_med | |
109 | adsp_override yahoo.co.jp custom_med | |
110 | adsp_override yahoo.co.nz custom_med | |
111 | adsp_override yahoo.co.th custom_med | |
112 | adsp_override yahoo.co.uk custom_med | |
113 | adsp_override yahoo.ca custom_med | |
114 | adsp_override yahoo.cn custom_med | |
115 | adsp_override yahoo.de custom_med | |
116 | adsp_override yahoo.dk custom_med | |
117 | adsp_override yahoo.es custom_med | |
118 | adsp_override yahoo.fr custom_med | |
119 | adsp_override yahoo.gr custom_med | |
120 | adsp_override yahoo.ie custom_med | |
121 | adsp_override yahoo.it custom_med | |
122 | adsp_override yahoo.no custom_med | |
123 | adsp_override yahoo.pl custom_med | |
124 | adsp_override yahoo.se custom_med | |
125 | ||
126 | ||
127 | # Ignore linting, makes unnecessary lookups | |
128 | adsp_override compiling.spamassassin.taint.org unknown | |
129 | ||
130 | # To effectively disable ADSP network DNS lookups for all other domains: | |
131 | # adsp_override * unknown | |
132 | ||
133 | ||
134 | # Currently few domains publish their signing practices (draft-ietf-dkim-ssp, | |
135 | # ADSP), partly because the ADSP draft/rfc is rather new, partly because they | |
136 | # think hardly any recipient bothers to check it, and partly for fear that | |
137 | # some recipients might lose mail due to problems in their signature validation | |
138 | # procedures or mail mangling by mailers beyond their control. | |
139 | # | |
140 | # Nevertheless, recipients could benefit by knowing signing practices of a | |
141 | # sending (author's) domain, for example to recognize forged mail claiming | |
142 | # to be from certain domains which are popular targets for phishing, like | |
143 | # financial institutions. Unfortunately, as signing practices are seldom | |
144 | # published or are weak, it is hardly justifiable to look them up in DNS. | |
145 | # | |
146 | # To overcome this chicken-or-the-egg problem, the adsp_override mechanism | |
147 | # allows recipients using SpamAssassin to override published or defaulted | |
148 | # ADSP for certain domains. This makes it possible to manually specify | |
149 | # stronger (or weaker) signing practices than a signing domain is willing | |
150 | # to publish (explicitly or by default), and also save on a DNS lookup. | |
151 | # | |
152 | # Note that ADSP (published or overridden) is only consulted for messages | |
153 | # which do not contain a valid DKIM signature from the author's domain. | |
154 | # | |
155 | # According to ADSP draft, signing practices can be one of the following: | |
156 | # unknown, all and discardable. | |
157 | # | |
158 | # unknown: Messages from this domain might or might not have an author | |
159 | # signature. This is a default if a domain exists in DNS but no ADSP record | |
160 | # is found. | |
161 | # | |
162 | # all: All messages from this domain are signed with an Author Signature. | |
163 | # | |
164 | # discardable: All messages from this domain are signed with an Author | |
165 | # Signature. If a message arrives without a valid Author Signature, the | |
166 | # domain encourages the recipient(s) to discard it. | |
167 | # | |
168 | # ADSP lookup can also determine that a domain is "out of scope", i.e., the | |
169 | # domain does not exist (NXDOMAIN) in the DNS. | |
170 | # | |
171 | # To override domain's signing practices in a SpamAssassin configuration file, | |
172 | # specify an adsp_override directive for each sending domain to be overridden. | |
173 | # | |
174 | # Its first argument is a domain name. Author's domain is matched against it, | |
175 | # matching is case insensitive. This is not a regular expression or a file-glob | |
176 | # style wildcard, but limited wildcarding is still available: if this argument | |
177 | # starts with a "*." (or is a sole "*"), the author's domain matches if it is a | |
178 | # subdomain (to one or more levels) of the argument. Otherwise (with no | |
179 | # leading asterisk) the match must be exact (not a subdomain). | |
180 | # | |
181 | # An optional second parameter is one of the following keywords | |
182 | # (case-insensitive): nxdomain, unknown, all, discardable, | |
183 | # custom_low, custom_med, custom_high. | |
184 | # | |
185 | # Absence of this second parameter implies discardable. If a domain is not | |
186 | # listed by an adsp_override directive nor does it explicitly publish any | |
187 | # ADSP record, then unknown is implied for valid domains, and nxdomain | |
188 | # for domains not existing in DNS. (Note: domain validity may be unchecked | |
189 | # with current versions of Mail::DKIM, so nxdomain may never turn up.) | |
190 | # | |
191 | # The strong setting discardable is useful for domains which are known | |
192 | # to always sign their mail and to always send it directly to recipients | |
193 | # (not to mailing lists), and are frequent targets of phishing attempts, | |
194 | # such as financial institutions. The discardable setting is also appropriate | |
195 | # for domains which are known never to send any mail. | |
196 | # | |
197 | # When a message does not contain a valid signature by the author's domain | |
198 | # (the domain in a From header field), the signing practices pertaining | |
199 | # to the author's domain determine which of the following rules fires and | |
200 | # contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD, | |
201 | # DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more | |
202 | # than one of these rules can fire. The last three can only result from a | |
203 | # 'signing_practices' as given in an adsp_override directive (not from a | |
204 | # DNS lookup), and can serve as a convenient means of providing a different | |
205 | # score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not | |
206 | # considered suitable for some domains. | |
207 | # | |
208 | # As a precaution against firing DKIM_ADSP_* rules when there is a known | |
209 | # local reason for a signature verification failure, the domain's ADSP is | |
210 | # considered unknown when DNS lookups are disabled or a DNS lookup encountered | |
211 | # a temporary problem on fetching a public key from the author's domain. | |
212 | # Similarly, ADSP is considered unknown when this plugin did its own signature | |
213 | # verification (signatures were not passed to SA by a caller) and a metarule | |
214 | # __TRUNCATED was triggered, indicating the caller intentionally passed a | |
215 | # truncated message to SpamAssassin, which was a likely reason for a signature | |
216 | # verification failure. | |
217 | ||
218 | endif # Mail::SpamAssassin::Plugin::DKIM |