[Rspamd-Users] RSPAMD_URIBL question

Lauri Anteploon lauri at zone.ee
Tue Jun 16 11:49:10 UTC 2020


On 2020-06-12 19:47, Arno Welzel wrote:
> Lauri Anteploon via Users:
>
>> One of the e-mails got RSPAMD_URIBL(4.50){planfix.ru:dkim;}
> Which translates to:
>
> The sender of the e-mail was found in the blacklist "planfix.ru".
You are saying Rspamd checked the e-mail against a blacklist on planfix.ru?
This makes everything even more confusing.
I have configured such blacklist. I was under the impression that the 
"planfix.ru" in that TAG or message is the subject of the score. I.e. 
the domain name that got extracted from e-mail contents or headers.

Are you sure about saying that my Rspamd is using a blacklist hosted 
on planfix.ru? This would be somewhat worrying, because I don't have 
anything mentioning "planfix.ru" in the Rspamd configuration files.

>> I read the documentation https://rspamd.com/doc/modules/rbl.html and I
>> am sorry to say, but I don't understand what does it mean.
> "The RBL module provides support for checking various messages elements,
> such as senders IP addresses, URLs, Emails, Received headers chains,
> SMTP data (such as HELO domain) and so on, against the set of Runtime
> Black Lists (RBL) usually provided by means of dedicated DNS zones."
>
> What exactly don't you understand?
For instance what does the ":dkim" in the TAG string mean.
As in what sort of check was performed.

If my assumption is correct and this is not a blacklist and actually the 
tag subject, then it is totally strange that some sort of DKIM check was 
run on the domain name because the domain does not have that requirement 
in its DMARC nor SPF.


>
>> The "dkim" bit in there seems to point towards there being a problem
>> with a dkim, but the domain has no DKIM requirement nor does the e-mail
>> have any DKIM.
> The DKIM bits only say that *if* the domain has a valid DKIM signature
> it will *also* be checked. By default emails from domains with a valid
> DKIM signature will *not* be checked.
>
> If you enable checking of DKIM signed emails you can also select with
> "default_dkim_domainonly" if you want to test only the top level domain
> (e.g. example.com if the mail was sent by subdomain.example.com) and you
> can select with "default_dkim_match_from" to check the aligned DKIM domain.
>
> More about DKIM alignment see here:
>
> <https://mxtoolbox.com/dmarc/dkim/dkim-alignment>

The e-mail was not DKIM signed nor did the domain warrant any such 
signage, yet it triggered a score... and the confusing bit for me is why 
DKIM is mentioned there in the tag.

I can somewhat understand the logic that the ":dkim" in the tag string 
is just to inform that some sort of optional check may or may not have 
been made about the e-mail's DKIM.
I don't agree to this logic, but ok.

>
> HTH,
> Arno

