[Rspamd-Users] Multimap and syntax...

Gerald Galster list+rspamd at gcore.biz
Thu Feb 29 00:12:34 UTC 2024


>> Rspamd includes the public suffix list (see https://publicsuffix.org/list/).
>> https://github.com/rspamd/rspamd/blob/master/contrib/publicsuffix/effective_tld_names.dat
> 
> keeping lists like this current is an onerous task.  I wouldn't want
> to (a) rely on that currency and (b) let my configuration be changed
> without my approval when the list is updated - perhaps in ways which I
> would not myself have chosen.

The public suffix list is trustworthy and is used by major browsers
to restrict cookie setting or to decide if a user wants to open a
website URL or submit that text to a search engine.

https://publicsuffix.org/learn/

By using such a browser you implicitly rely on that list and accept changes.

As most top level domains are there to stay, the list is helpful even
if there are minor changes or additions. Consider for example the changes
for scw.cloud as a "top level domain": this is related to scaleway cloud
servers and from an rspamd perspective, scoring for scw.cloud as a second
level domain is probably sufficient (if not better than scoring for
individual third level customer*.scw.cloud domains). This is from a
technical / dns point of view where .cloud is the top level domain,
scw.cloud the second level domain and customer.scw.cloud the third level
domain.

In short, occasional modifications don't seem to change the bigger picture:
https://github.com/publicsuffix/list/commits/master/public_suffix_list.dat

On a browser level this is of course more important in order to avoid
cross-origin attacks.


> For example, looking at the .uk TLD, rspamd and Wikipedia disagree on
> second level domains.  Compared with

This is probably because of different definitions, see
https://www.icann.org/en/system/files/files/octo-011-18may20-en.pdf

"The volunteers who run the PSL define a public suffix as: a domain under
which multiple parties that are unaffiliated with the operator of the domain
may register subdomains. ICANN’s Security and Stability Advisory Committee
(SSAC) defines a public suffix slightly differently: a domain that is
controlled by a public registry, under which subdomains can be registered
by third parties."

[...]

>> ... if you add e.g. adidas.com to your whitelist, any spammer that
>> sends with @adidas.com is probably whitelisted due to score -20.
> 
> If you rely on the address in the 'From:' header, then unless you have
> some other way of knowing that it's not forged you're more or less
> obliged to check that it's vouched for by a DKIM signature.  This is
> unlike the envelope 'from' address, which (apart, obviously, from all
> the freemail domains) you can usually trust if SPF gives it the OK.
> You'll find legitimate senders who can't get SPF right, but these days
> their numbers are shrinking.

I agree. Rspamd also helps with that:


    "WHITELIST_SPF_DKIM" = {
      valid_spf = true;
      valid_dkim = true;
      domains = [
        "https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst",
        ...
      ];
      score = -3.0;
    }

spf_dkim_whitelist.inc contains:

# Domains with valid SPF and DKIM
[...]
airbnb.com
airtel.in
alibaba.com
aliexpress.com 2.0
alipay.com 2.0
allrecipes.com
amazon.ca
amazon.cn
amazon.co.jp
amazon.com
amazon.co.uk
amazon.de
...

Best regards,
Gerald
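The public-suffix lookup discussed above (why customer.scw.cloud and scw.cloud score differently depending on whether scw.cloud is in the list), as an added example that is not part of the original post and not rspamd's own code. It implements the matching algorithm published at https://publicsuffix.org/list/ (longest matching rule wins, "*" wildcards, "!" exceptions, default rule "*") over a small constructed excerpt in the list's file format; the excerpt's contents, the ICANN/PRIVATE section markers used to drop the private entries, and the omission of IDNA handling are my simplifications, not the real list.

```python
# Added example (not rspamd's code, not the real PSL): the Public Suffix List
# algorithm applied to a constructed excerpt, to show how one entry such as
# scw.cloud changes which label counts as the "registrable" (eTLD+1) domain.

# Constructed excerpt in PSL file format. scw.cloud is placed in the PRIVATE
# section here as an assumption for illustration.
PSL_SNIPPET = """\
// ===BEGIN ICANN DOMAINS===
cloud
uk
co.uk
// Cook Islands: every second-level label is a public suffix, except www.ck
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Scaleway
scw.cloud
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text, include_private=True):
    """Return PSL rules as lowercase strings, skipping comments and blank lines.
    With include_private=False the PRIVATE DOMAINS section is ignored."""
    rules = []
    in_private = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN PRIVATE DOMAINS==="):
            in_private = True
        elif line.startswith("// ===END PRIVATE DOMAINS==="):
            in_private = False
        if not line or line.startswith("//"):
            continue
        if in_private and not include_private:
            continue
        # a rule ends at the first whitespace, per the PSL format
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the domain's labels right-to-left,
    with '*' matching exactly one label; the leading '!' is not a label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(domain, rules):
    """Public suffix per the PSL algorithm: an exception rule beats everything
    and yields the rule minus its leftmost label; otherwise the longest matching
    rule wins; with no match the default rule '*' makes the TLD the suffix."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        n = len(exceptions[0].lstrip("!").split(".")) - 1
    elif matches:
        n = max(len(r.split(".")) for r in matches)
    else:
        n = 1
    return ".".join(labels[-n:])


def registrable_domain(domain, rules):
    """eTLD+1: the public suffix plus one label, or None when the domain is
    itself a public suffix (nothing registrable to score)."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    full = parse_psl(PSL_SNIPPET)
    icann_only = parse_psl(PSL_SNIPPET, include_private=False)
    for d in ("customer.scw.cloud", "sub.example.co.uk", "www.ck", "foo.bar.ck", "bar.ck"):
        print(f"{d:22s} all rules: {registrable_domain(d, full)!s:22s} "
              f"ICANN only: {registrable_domain(d, icann_only)}")
```

With scw.cloud in the rule set, customer.scw.cloud is the registrable domain (each customer is treated as a separate registrant, as a browser would for cookies); without it, the registrable domain collapses to scw.cloud, which is the coarser scoring granularity the message above argues is probably sufficient for rspamd. The Cook Islands rules show why the wildcard and exception syntax matters: bar.ck is itself a suffix (no registrable domain), while www.ck is registrable because of the exception.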


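The point made in the exchange above (a From: domain on a whitelist is only safe to trust when SPF and DKIM vouch for that same domain), as an added example that is not part of the original post and not rspamd's own implementation. It is a simplified emulation of what the WHITELIST_SPF_DKIM rule does; the following are my assumptions rather than verified rspamd semantics: a map line is "domain [multiplier]" with the multiplier scaling the rule score, the rule fires only when SPF passed for the envelope domain (the From: domain or a subdomain of it) and a valid DKIM signature has d= equal to the From: domain, and the message dicts are constructed inputs.

```python
# Added example, not rspamd's code: simplified emulation of WHITELIST_SPF_DKIM
# to show why a listed From: domain alone must not whitelist a message.
# Assumptions (mine): "domain [multiplier]" map lines, score * multiplier,
# SPF must pass for the From: domain or a subdomain of it, and a valid DKIM
# signature must carry d= equal to the From: domain.

BASE_SCORE = -3.0  # the score from the config fragment above

# Constructed excerpt in the spf_dkim_whitelist.inc format shown above
WHITELIST_MAP = """\
# Domains with valid SPF and DKIM
amazon.com
aliexpress.com 2.0
airbnb.com
"""


def parse_map(text):
    """Parse 'domain [multiplier]' lines into {domain: multiplier}; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        domain = parts[0].lower().rstrip(".")
        multiplier = float(parts[1]) if len(parts) > 1 else 1.0
        entries[domain] = multiplier
    return entries


def from_domain(header_from):
    """Domain of the address in a From: header value such as 'Amazon <no-reply@amazon.com>'."""
    addr = header_from.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def whitelist_score(msg, entries, base_score=BASE_SCORE):
    """Score contribution for one message dict with keys 'from', 'spf_pass',
    'envelope_domain' and 'dkim_domains' (d= values of *valid* signatures).
    Returns 0.0 unless the From: domain is listed and both SPF and DKIM vouch for it."""
    dom = from_domain(msg["from"])
    mult = entries.get(dom)
    if mult is None:
        return 0.0
    env = msg["envelope_domain"].lower().rstrip(".")
    spf_ok = msg["spf_pass"] and (env == dom or env.endswith("." + dom))
    dkim_ok = dom in {d.lower().rstrip(".") for d in msg["dkim_domains"]}
    return base_score * mult if (spf_ok and dkim_ok) else 0.0


# Constructed messages (not real mail): the forged one passes SPF and DKIM for
# the spammer's own domain, which must not unlock the amazon.com entry.
MESSAGES = {
    "legit": {"from": "Amazon <no-reply@amazon.com>", "spf_pass": True,
              "envelope_domain": "bounces.amazon.com", "dkim_domains": ["amazon.com"]},
    "forged_from": {"from": "Amazon <no-reply@amazon.com>", "spf_pass": True,
                    "envelope_domain": "bulk.example", "dkim_domains": ["bulk.example"]},
    "multiplier": {"from": "news@aliexpress.com", "spf_pass": True,
                   "envelope_domain": "aliexpress.com", "dkim_domains": ["aliexpress.com"]},
    "unlisted": {"from": "me@example.org", "spf_pass": True,
                 "envelope_domain": "example.org", "dkim_domains": ["example.org"]},
}


def score_all(messages=MESSAGES, map_text=WHITELIST_MAP):
    """Apply the whitelist rule to every constructed message; returns {name: score}."""
    entries = parse_map(map_text)
    return {name: whitelist_score(m, entries) for name, m in messages.items()}


if __name__ == "__main__":
    for name, score in score_all().items():
        print(f"{name:12s} {score:+.1f}")
```

The forged message gets 0.0 although both SPF and DKIM "pass": they pass for bulk.example, not for the From: domain, which is exactly the check the quoted reply says a From:-based whitelist is obliged to make. The "aliexpress.com 2.0" line doubles the negative score under the multiplier assumption stated above.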

More information about the Users mailing list