SpamAssassin new rule "-7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list"
Hi,
We recently detected what appears to be a new SpamAssassin rule that has several well-known domains whitelisted (e.g., @google.com, PayPal, etc.), significantly lowering the spam score:
-7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
As a result, even very basic phishing attempts impersonating these companies have started reaching our clients’ inboxes.
We would like to disable this rule. What is the correct procedure to do so?
Thank you.
-
Hey hey! I'm actually not seeing this rule on a version 134 test machine that I just checked, so I don't have a good answer for you. Can you confirm your cPanel version for me and then I can do some additional digging?
0 -
Hi Mr Dinosaur,
I'm in v132.0.24.
I can see the rules/scores here:
# grep -r USER_IN_DEF_DKIM_WL /var/lib/spamassassin/
/var/lib/spamassassin/3.004006/updates_spamassassin_org/50_scores.cf:score USER_IN_DEF_DKIM_WL -7.500
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from()
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: tflags USER_IN_DEF_DKIM_WL nice noautolearn net
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: reuse USER_IN_DEF_DKIM_WL
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from()
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: tflags USER_IN_DEF_DKIM_WL nice noautolearn net
/var/lib/spamassassin/3.004006/updates_spamassassin_org/60_welcomelist_dkim.cf: reuse USER_IN_DEF_DKIM_WL
/var/lib/spamassassin/3.004006/updates_spamassassin_org/72_active.cf: meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
grep: /var/lib/spamassassin/3.004006/updates_spamassassin_org/30_text_pt_br.cf: binary file matches
grep: /var/lib/spamassassin/4.000001/updates_spamassassin_org/30_text_pt_br.cf: binary file matches
/var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf:score USER_IN_DEF_DKIM_WL -7.500
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from()
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: tflags USER_IN_DEF_DKIM_WL nice noautolearn net
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: reuse USER_IN_DEF_DKIM_WL
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from()
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: tflags USER_IN_DEF_DKIM_WL nice noautolearn net
/var/lib/spamassassin/4.000001/updates_spamassassin_org/60_welcomelist_dkim.cf: reuse USER_IN_DEF_DKIM_WL
/var/lib/spamassassin/4.000001/updates_spamassassin_org/72_active.cf: meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
Thanks
0 -
I did find that file inside /var/lib/spamassassin after some more digging. It doesn't seem that this is a new rule as this was released 11 years ago:
https://users.spamassassin.apache.narkive.com/sjs2JKIq/user-in-def-dkim-wl-7-5#
The best option to fix this would be to adjust the score using the following guide:
and then restart the spamd service so it gets applied. USER_IN_DEF_DKIM_WL would be the rule ID in this case. Your entire line of code would look like this:
SCORE USER_IN_DEF_DKIM_WL 0
Let me know if that helps!
0 -
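An added example, not part of the original thread and not cPanel's or SpamAssassin's own tooling: one way to confirm that the override really wins over the shipped -7.500. It assumes the update-channel rules are read first and site configuration afterwards, so the last score line read for a rule applies; the effective_score helper and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Report which "score" line wins for a rule when config files are read in order.
# Simplifications (assumed): if/ifplugin conditionals and relative "(n)" scores
# are ignored; a later score line simply replaces an earlier one.
effective_score() {
    rule=$1; shift
    awk -v rule="$rule" '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "score" && $2 == rule {   # directive keyword is case-insensitive
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i   # up to four per-scoreset values
            src = FILENAME
        }
        END { if (src == "") exit 1; print val "\t" src }
    ' "$@"
}

# Constructed sample tree: one update-channel file, one local override file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/updates" "$demo/local"
printf 'score USER_IN_DEF_DKIM_WL -7.500\n' > "$demo/updates/50_scores.cf"
printf '# neutralise the default DKIM welcome-list bonus\nSCORE USER_IN_DEF_DKIM_WL 0\n' \
    > "$demo/local/local.cf"

# Shipped rules only, then shipped rules followed by the local override.
effective_score USER_IN_DEF_DKIM_WL "$demo/updates/50_scores.cf"
effective_score USER_IN_DEF_DKIM_WL "$demo/updates/50_scores.cf" "$demo/local/local.cf"
```

On a real host, pass the files reported by the grep above followed by the site configuration file that holds the override (its location is an assumption here), and run spamassassin --lint before restarting spamd.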
Thanks!
Seems that the names have been updated in /etc/mail/spamassassin/init.pre because of this BS, oh my....
0 -
If the workaround doesn't work out, let me know and I'll see if we can come up with a Plan B.