bump version to 3.4.6-2+1

[proxmox-spamassassin.git] / sa-updates / 60_adsp_override_dkim.cf

# SpamAssassin rules file: default DKIM ADSP overrides
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>

###########################################################################
# DKIM ADSP overrides

ifplugin Mail::SpamAssassin::Plugin::DKIM

# Later rules override previous, so to override any of the pre-sets here, just
# declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' .
#
# 'discardable' is implied in absence of the second argument.

adsp_override ebay.com
adsp_override ebay.at
adsp_override ebay.be
adsp_override ebay.ca
adsp_override ebay.ch
adsp_override ebay.de
adsp_override ebay.ee
adsp_override ebay.es
adsp_override ebay.fr
adsp_override ebay.hu
adsp_override ebay.ie
adsp_override ebay.in
adsp_override ebay.it
adsp_override ebay.nl
adsp_override ebay.ph
adsp_override ebay.pl
adsp_override ebay.pt
adsp_override ebay.se
adsp_override ebay.co.kr
adsp_override ebay.co.uk
adsp_override ebay.com.au
adsp_override ebay.com.cn
adsp_override ebay.com.hk
adsp_override ebay.com.mx
adsp_override ebay.com.my
adsp_override ebay.com.sq

adsp_override paypal.com
adsp_override paypal.co.uk

adsp_override ealerts.bankofamerica.com
adsp_override alert.bankofamerica.com
adsp_override americangreetings.com
adsp_override yahoo.americangreetings.com
adsp_override msn.americangreetings.com
adsp_override egreetings.com
adsp_override bluemountain.com
adsp_override hallmark.com
adsp_override update.hallmark.com
adsp_override *.hallmark.com

adsp_override amazon.com            all
adsp_override amazon.co.uk          all
adsp_override amazon.de             all
adsp_override amazon.fr             all
adsp_override birthdayalarm.com     all
adsp_override astrology.com         all
adsp_override linkedin.com          all
adsp_override *.linkedin.com        all
adsp_override facebookmail.com      all
adsp_override *.greenpeace.org      all
adsp_override lists.sourceforge.net all
adsp_override lufthansa.com         all
adsp_override *.lufthansa.com       all
adsp_override *.delivery.net        all

adsp_override youtube.com    custom_high

adsp_override google.com     custom_med
adsp_override gmail.com      custom_med
adsp_override googlemail.com custom_med

adsp_override yahoo.com      custom_med
adsp_override yahoo.com.ar   custom_med
adsp_override yahoo.com.au   custom_med
adsp_override yahoo.com.br   custom_med
adsp_override yahoo.com.cn   custom_med
adsp_override yahoo.com.hk   custom_med
adsp_override yahoo.com.mx   custom_med
adsp_override yahoo.com.my   custom_med
adsp_override yahoo.com.ph   custom_med
adsp_override yahoo.com.sg   custom_med
adsp_override yahoo.com.tw   custom_med
adsp_override yahoo.co.id    custom_med
adsp_override yahoo.co.in    custom_med
adsp_override yahoo.co.jp    custom_med
adsp_override yahoo.co.nz    custom_med
adsp_override yahoo.co.th    custom_med
adsp_override yahoo.co.uk    custom_med
adsp_override yahoo.ca       custom_med
adsp_override yahoo.cn       custom_med
adsp_override yahoo.de       custom_med
adsp_override yahoo.dk       custom_med
adsp_override yahoo.es       custom_med
adsp_override yahoo.fr       custom_med
adsp_override yahoo.gr       custom_med
adsp_override yahoo.ie       custom_med
adsp_override yahoo.it       custom_med
adsp_override yahoo.no       custom_med
adsp_override yahoo.pl       custom_med
adsp_override yahoo.se       custom_med


# Ignore linting, makes unnecessary lookups
adsp_override compiling.spamassassin.taint.org unknown

# To effectively disable ADSP network DNS lookups for all other domains:
# adsp_override *            unknown


# Currently few domains publish their signing practices (draft-ietf-dkim-ssp,
# ADSP), partly because the ADSP draft/rfc is rather new, partly because they
# think hardly any recipient bothers to check it, and partly for fear that
# some recipients might lose mail due to problems in their signature validation
# procedures or mail mangling by mailers beyond their control.
# 
# Nevertheless, recipients could benefit by knowing signing practices of a
# sending (author's) domain, for example to recognize forged mail claiming
# to be from certain domains which are popular targets for phishing, like
# financial institutions. Unfortunately, as signing practices are seldom
# published or are weak, it is hardly justifiable to look them up in DNS.
# 
# To overcome this chicken-or-the-egg problem, the adsp_override mechanism
# allows recipients using SpamAssassin to override published or defaulted
# ADSP for certain domains. This makes it possible to manually specify a
# stronger (or weaker) signing practices than a signing domain is willing
# to publish (explicitly or by default), and also save on a DNS lookup.
# 
# Note that ADSP (published or overridden) is only consulted for messages
# which do not contain a valid DKIM signature from the author's domain.
# 
# According to ADSP draft, signing practices can be one of the following:
# unknown, all and discardable.
# 
# unknown: Messages from this domain might or might not have an author
# signature. This is a default if a domain exists in DNS but no ADSP record
# is found.
# 
# all: All messages from this domain are signed with an Author Signature.
# 
# discardable: All messages from this domain are signed with an Author
# Signature. If a message arrives without a valid Author Signature, the
# domain encourages the recipient(s) to discard it.
# 
# ADSP lookup can also determine that a domain is "out of scope", i.e., the
# domain does not exist (NXDOMAIN) in the DNS.
# 
# To override domain's signing practices in a SpamAssassin configuration file,
# specify an adsp_override directive for each sending domain to be overridden.
# 
# Its first argument is a domain name. Author's domain is matched against it,
# matching is case insensitive. This is not a regular expression or a file-glob
# style wildcard, but limited wildcarding is still available: if this argument
# starts by a "*." (or is a sole "*"), author's domain matches if it is a
# subdomain (to one or more levels) of the argument. Otherwise (with no
# leading asterisk) the match must be exact (not a subdomain).
# 
# An optional second parameter is one of the following keywords
# (case-insensitive): nxdomain, unknown, all, discardable,
# custom_low, custom_med, custom_high.
# 
# Absence of this second parameter implies discardable. If a domain is not
# listed by a adsp_override directive nor does it explicitly publish any
# ADSP record, then unknown is implied for valid domains, and nxdomain
# for domains not existing in DNS. (Note: domain validity may be unchecked
# with current versions of Mail::DKIM, so nxdomain may never turn up.)
# 
# The strong setting discardable is useful for domains which are known
# to always sign their mail and to always send it directly to recipients
# (not to mailing lists), and are frequent targets of fishing attempts,
# such as financial institutions. The discardable is also appropriate
# for domains which are known never to send any mail.
# 
# When a message does not contain a valid signature by the author's domain
# (the domain in a From header field), the signing practices pertaining
# to author's domain determine which of the following rules fire and
# contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD,
# DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more
# than one of these rules can fire. The last three can only result from a
# 'signing_practices' as given in a adsp_override directive (not from a
# DNS lookup), and can serve as a convenient means of providing a different
# score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not
# considered suitable for some domains.
# 
# As a precaution against firing DKIM_ADSP_* rules when there is a known
# local reason for a signature verification failure, the domain's ADSP is
# considered unknown when DNS lookups are disabled or a DNS lookup encountered
# a temporary problem on fetching a public key from the author's domain.
# Similarly, ADSP is considered unknown when this plugin did its own signature
# verification (signatures were not passed to SA by a caller) and a metarule
# __TRUNCATED was triggered, indicating the caller intentionally passed a
# truncated message to SpamAssassin, which was a likely reason for a signature
# verification failure.

endif # Mail::SpamAssassin::Plugin::DKIM