/usr/share/spamassassin/60_adsp_override_dkim.cf is in spamassassin 3.4.2-1~deb9u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 | # SpamAssassin rules file: default DKIM ADSP overrides
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# DKIM ADSP overrides
ifplugin Mail::SpamAssassin::Plugin::DKIM
# Later rules override previous, so to override any of the pre-sets here, just
# declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' .
#
# 'discardable' is implied in absence of the second argument.
adsp_override ebay.com
adsp_override ebay.at
adsp_override ebay.be
adsp_override ebay.ca
adsp_override ebay.ch
adsp_override ebay.de
adsp_override ebay.ee
adsp_override ebay.es
adsp_override ebay.fr
adsp_override ebay.hu
adsp_override ebay.ie
adsp_override ebay.in
adsp_override ebay.it
adsp_override ebay.nl
adsp_override ebay.ph
adsp_override ebay.pl
adsp_override ebay.pt
adsp_override ebay.se
adsp_override ebay.co.kr
adsp_override ebay.co.uk
adsp_override ebay.com.au
adsp_override ebay.com.cn
adsp_override ebay.com.hk
adsp_override ebay.com.mx
adsp_override ebay.com.my
adsp_override ebay.com.sq
adsp_override paypal.com
adsp_override paypal.co.uk
adsp_override ealerts.bankofamerica.com
adsp_override alert.bankofamerica.com
adsp_override americangreetings.com
adsp_override yahoo.americangreetings.com
adsp_override msn.americangreetings.com
adsp_override egreetings.com
adsp_override bluemountain.com
adsp_override hallmark.com
adsp_override update.hallmark.com
adsp_override *.hallmark.com
adsp_override amazon.com all
adsp_override amazon.co.uk all
adsp_override amazon.de all
adsp_override amazon.fr all
adsp_override birthdayalarm.com all
adsp_override astrology.com all
adsp_override linkedin.com all
adsp_override *.linkedin.com all
adsp_override facebookmail.com all
adsp_override *.greenpeace.org all
adsp_override lists.sourceforge.net all
adsp_override lufthansa.com all
adsp_override *.lufthansa.com all
adsp_override *.delivery.net all
adsp_override youtube.com custom_high
adsp_override google.com custom_med
adsp_override gmail.com custom_med
adsp_override googlemail.com custom_med
adsp_override yahoo.com custom_med
adsp_override yahoo.com.ar custom_med
adsp_override yahoo.com.au custom_med
adsp_override yahoo.com.br custom_med
adsp_override yahoo.com.cn custom_med
adsp_override yahoo.com.hk custom_med
adsp_override yahoo.com.mx custom_med
adsp_override yahoo.com.my custom_med
adsp_override yahoo.com.ph custom_med
adsp_override yahoo.com.sg custom_med
adsp_override yahoo.com.tw custom_med
adsp_override yahoo.co.id custom_med
adsp_override yahoo.co.in custom_med
adsp_override yahoo.co.jp custom_med
adsp_override yahoo.co.nz custom_med
adsp_override yahoo.co.th custom_med
adsp_override yahoo.co.uk custom_med
adsp_override yahoo.ca custom_med
adsp_override yahoo.cn custom_med
adsp_override yahoo.de custom_med
adsp_override yahoo.dk custom_med
adsp_override yahoo.es custom_med
adsp_override yahoo.fr custom_med
adsp_override yahoo.gr custom_med
adsp_override yahoo.ie custom_med
adsp_override yahoo.it custom_med
adsp_override yahoo.no custom_med
adsp_override yahoo.pl custom_med
adsp_override yahoo.se custom_med
# Ignore linting, makes unnecessary lookups
adsp_override compiling.spamassassin.taint.org unknown
# To effectively disable ADSP network DNS lookups for all other domains:
# adsp_override * unknown
# Currently few domains publish their signing practices (draft-ietf-dkim-ssp,
# ADSP), partly because the ADSP draft/rfc is rather new, partly because they
# think hardly any recipient bothers to check it, and partly for fear that
# some recipients might lose mail due to problems in their signature validation
# procedures or mail mangling by mailers beyond their control.
#
# Nevertheless, recipients could benefit by knowing signing practices of a
# sending (author's) domain, for example to recognize forged mail claiming
# to be from certain domains which are popular targets for phishing, like
# financial institutions. Unfortunately, as signing practices are seldom
# published or are weak, it is hardly justifiable to look them up in DNS.
#
# To overcome this chicken-or-the-egg problem, the adsp_override mechanism
# allows recipients using SpamAssassin to override published or defaulted
# ADSP for certain domains. This makes it possible to manually specify a
# stronger (or weaker) signing practices than a signing domain is willing
# to publish (explicitly or by default), and also save on a DNS lookup.
#
# Note that ADSP (published or overridden) is only consulted for messages
# which do not contain a valid DKIM signature from the author's domain.
#
# According to ADSP draft, signing practices can be one of the following:
# unknown, all and discardable.
#
# unknown: Messages from this domain might or might not have an author
# signature. This is a default if a domain exists in DNS but no ADSP record
# is found.
#
# all: All messages from this domain are signed with an Author Signature.
#
# discardable: All messages from this domain are signed with an Author
# Signature. If a message arrives without a valid Author Signature, the
# domain encourages the recipient(s) to discard it.
#
# ADSP lookup can also determine that a domain is "out of scope", i.e., the
# domain does not exist (NXDOMAIN) in the DNS.
#
# To override domain's signing practices in a SpamAssassin configuration file,
# specify an adsp_override directive for each sending domain to be overridden.
#
# Its first argument is a domain name. Author's domain is matched against it,
# matching is case insensitive. This is not a regular expression or a file-glob
# style wildcard, but limited wildcarding is still available: if this argument
# starts by a "*." (or is a sole "*"), author's domain matches if it is a
# subdomain (to one or more levels) of the argument. Otherwise (with no
# leading asterisk) the match must be exact (not a subdomain).
#
# An optional second parameter is one of the following keywords
# (case-insensitive): nxdomain, unknown, all, discardable,
# custom_low, custom_med, custom_high.
#
# Absence of this second parameter implies discardable. If a domain is not
# listed by a adsp_override directive nor does it explicitly publish any
# ADSP record, then unknown is implied for valid domains, and nxdomain
# for domains not existing in DNS. (Note: domain validity may be unchecked
# with current versions of Mail::DKIM, so nxdomain may never turn up.)
#
# The strong setting discardable is useful for domains which are known
# to always sign their mail and to always send it directly to recipients
# (not to mailing lists), and are frequent targets of fishing attempts,
# such as financial institutions. The discardable is also appropriate
# for domains which are known never to send any mail.
#
# When a message does not contain a valid signature by the author's domain
# (the domain in a From header field), the signing practices pertaining
# to author's domain determine which of the following rules fire and
# contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD,
# DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more
# than one of these rules can fire. The last three can only result from a
# 'signing_practices' as given in a adsp_override directive (not from a
# DNS lookup), and can serve as a convenient means of providing a different
# score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not
# considered suitable for some domains.
#
# As a precaution against firing DKIM_ADSP_* rules when there is a known
# local reason for a signature verification failure, the domain's ADSP is
# considered unknown when DNS lookups are disabled or a DNS lookup encountered
# a temporary problem on fetching a public key from the author's domain.
# Similarly, ADSP is considered unknown when this plugin did its own signature
# verification (signatures were not passed to SA by a caller) and a metarule
# __TRUNCATED was triggered, indicating the caller intentionally passed a
# truncated message to SpamAssassin, which was a likely reason for a signature
# verification failure.
endif # Mail::SpamAssassin::Plugin::DKIM
|