On 21 Jun 2016, at 11:21, Alex wrote:
Hi,
On Tue, Jun 21, 2016 at 4:04 AM, Merijn van den Kroonenberg
<mer...@web2all.nl> wrote:
Hi,
We've been having a problem with phishing attacks by spoofing the
MAILFROM and From address. [snip]
The message passes DKIM:
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
DKIM-Signature: [snip]
but running the message through spamassassin again with the whitelist
entry doesn't actually whitelist the message.
I notice it doesn't hit DKIM_VALID_AU. Which basically is the thing you
want to check, since it means the message is not just signed by a random
domain, but by the domain of the author.
It didn't hit DKIM_VALID_AU, but I know the message is legitimate.
Analogy: Imagine if you used "password" as a password somewhere and as a
result various random miscreants use your account regularly, would they
become you when logged in? If they change the name on the account, are
you still Alex and would that depend on whether you are logged in or
not? If 99% of logins on your account are by other people, are your
logins still "legitimate?"
DKIM_VALID_AU is SA's confirmation that the message is authenticated as
having been written by the purported author to the degree that DKIM can
provide such authentication. SA has minimum standards for that
confirmation. Anyone can DKIM-sign any message with any key they can put
into DNS for a "d=" domain, so SA reserves DKIM_VALID_AU for messages
signed by a signer in control of a private key which coincides with a
public key published for the purported author's domain and that the key
be reasonably strong.
What could that mean?
1. The signature "d=" field does not match the domain of the address in
the From: header. This is impossible for us to know because it is
unclear whether your use of "example.com" in munging the message
information indicates one domain or many.
2. The signing key was <1024 bits and you have not changed
dkim_minimum_key_bits to accommodate shorter keys.
So I assume the dkim whitelists check this too (against From and
mailfrom?).
DKIM does not authenticate SMTP envelope sender addresses, only "author"
addresses, usually the From headers but sometimes optionally the Sender
header. I don't think the implementation SA uses ever looks at Sender,
but ICBW.
Then it's fair to say that USER_IN_DKIM_WHITELIST only considers
DKIM_VALID_AU?
Yes, because anyone can sign any message. If the domain of the signature
isn't the same as the domain of the purported message author, the
signature does not carry much significance (unless you put some special
trust in the signing entity, i.e. the 'i=' address, of which the domain
part matches the "d=" value or a subdomain).
If someone could explain how this all goes together, I'd sure
appreciate it.
'perldoc Mail::SpamAssassin::Plugin::DKIM' on a sanely-configured system
with SpamAssassin installed provides ~15k of relevant information and
citations of RFCs. Consider it and the RFCs cited in it included here by
reference...
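A small Python model of the author-domain alignment rule described in this thread: the signature's "d=" (or the domain part of "i=", which must itself be "d=" or a subdomain of it) has to match the domain of the From: address, and the signing key has to meet a minimum size before the signature says anything about the author. This is an added example, not SpamAssassin's own DKIM plugin code: the function names, the 1024-bit default standing in for dkim_minimum_key_bits, and the sample headers are all constructed here, and a real deployment would take the verification result and key length from a DKIM verifier instead of passing them in.

```python
"""Author-domain alignment check modelled on the DKIM_VALID_AU description
in the thread above (added example; not SpamAssassin's own code)."""
import email.utils
import re

# Hypothetical default mirroring the dkim_minimum_key_bits option.
DEFAULT_MIN_KEY_BITS = 1024


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values (e.g. in b= and bh=) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_header):
    """Lower-cased domain of the From: address, or None if unparseable."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def domain_is_or_under(candidate, parent):
    """True if candidate equals parent or is a subdomain of it."""
    return candidate == parent or candidate.endswith("." + parent)


def author_aligned(from_header, dkim_signature, signature_valid, key_bits,
                   min_key_bits=DEFAULT_MIN_KEY_BITS):
    """Return (aligned, reason). `signature_valid` and `key_bits` are the
    verifier's results for this signature (constructed inputs here)."""
    if not signature_valid:
        return False, "signature did not verify"
    tags = parse_dkim_tags(dkim_signature)
    d = tags.get("d", "").lower()
    if not d:
        return False, "signature has no d= tag"
    if key_bits < min_key_bits:
        return False, f"key {key_bits} bits below minimum {min_key_bits}"
    author = author_domain(from_header)
    if author is None:
        return False, "no author address in From:"
    # The signing identity is i= when present, otherwise @d=.
    identity_domain = d
    i = tags.get("i")
    if i:
        identity_domain = i.rsplit("@", 1)[-1].lower()
        # RFC 6376 requires the i= domain to be d= or a subdomain of it.
        if not domain_is_or_under(identity_domain, d):
            return False, f"i= domain {identity_domain} not under d={d}"
    if identity_domain == author:
        return True, "signing identity matches author domain"
    return False, f"signing domain {identity_domain} does not match author domain {author}"


# Constructed sample headers (not from any real message).
FROM_HDR = "Alex <alex@example.com>"
SIG_ALIGNED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;"
               " h=from:to:subject; bh=ABC=; b=XYZ=")
SIG_THIRD_PARTY = ("v=1; a=rsa-sha256; d=mail.example.net; s=sel;"
                   " h=from:to; bh=ABC=; b=XYZ=")
SIG_BAD_IDENTITY = ("v=1; a=rsa-sha256; d=example.com; i=someone@other.org;"
                    " s=sel; h=from:to; bh=ABC=; b=XYZ=")

if __name__ == "__main__":
    for label, sig, bits in (("aligned", SIG_ALIGNED, 2048),
                             ("third party", SIG_THIRD_PARTY, 2048),
                             ("weak key", SIG_ALIGNED, 512),
                             ("bad i=", SIG_BAD_IDENTITY, 2048)):
        print(label, author_aligned(FROM_HDR, sig, True, bits))
```

Only the first case would earn the equivalent of DKIM_VALID_AU; a valid signature from a third-party domain, or from a key below the minimum size, still passes as DKIM_VALID but says nothing about the author, which is why a whitelist keyed on the author domain ignores it.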