[clamav-users] Solving heuristics by DKIM

Alessandro Vesely vesely at tana.it
Mon Oct 20 06:58:54 EDT 2014


Hi,

I happened to whitelist social sites, by creating a local.wdb which
allows Banca Sella (a legitimate bank) to link to them in the footer
of their newsletter:

   M:www.facebook.com:www.sella.it
   M:plus.google.com:www.sella.it
   M:www.youtube.com:www.sella.it

Thinking twice, those newsletters are DKIM signed by the bank, so it
would have been much safer to rely on their signature.  I could do
that by holding Heuristics.* viruses, and quarantine only if the
signature fails to verify.  However, I still have to whitelist the
possibly spoofed domain (sella.it) as a signer.  Consider:

   DKIM-Signature: d=econofimmo-f.fr ...
   ...
   <a href="http://econofimmo-f.fr/X">www.sella.it</a>

In the latter case, the signer is not whitelisted and I'd quarantine
the message even if the signature verifies.[1]

An alternative to whitelisting could be just checking that the signer
is the looks-spoofed-domain.  I can add a header field like so:

   Authentication-Results: me; dkim=pass header.d=sella.it

Then, I'd put whitelisting like (ehm, let me swell up the syntax just
to express what I mean):

   M:*:/^Authentication-Results: me;.* header.d=([\-\.a-z]+)/

That would mean "match anything as long as the possibly spoofed domain
is the captured string".  Is anything like that possible?

Thanks
Ale

[1] An Authorized Third-Party Signature [RFC6541], could validate an
affiliation just like it validates From:.  That's definitely science
fiction at this time.  (BTW, who is econofimmo?)
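The rule sketched above, "quarantine a lookalike link only when the DKIM-passing signer is not the displayed domain", written out as an added Python example that is not part of the original post and not a ClamAV feature. The two sample messages are constructed, the trust in the local "me" authserv-id and the two-label domain comparison are simplifying assumptions.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the original post).
SIGNED_BY_BANK = """\
Authentication-Results: me; dkim=pass header.d=sella.it
Content-Type: text/html

<a href="http://www.facebook.com/sella">www.sella.it</a>
"""

SIGNED_BY_OTHER = """\
Authentication-Results: me; dkim=pass header.d=econofimmo-f.fr
Content-Type: text/html

<a href="http://econofimmo-f.fr/X">www.sella.it</a>
"""

# header.d= of a passing DKIM signature, as recorded by our own MTA.
AUTH_RES = re.compile(r"dkim=pass\s+header\.d=([\-.a-z0-9]+)", re.I)
# Anchor whose visible text looks like a host name: the displayed-URL
# versus real-URL shape that the phishing heuristics react to.
ANCHOR = re.compile(
    r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>\s*'
    r'((?:[a-z0-9-]+\.)+[a-z]{2,})\s*</a>', re.I)

def registered_domain(host):
    # Crude: keep the last two labels (enough for .it/.fr/.com here).
    return ".".join(host.lower().split(".")[-2:])

def passing_signers(msg):
    # Only trust Authentication-Results fields our own MTA ("me") added;
    # a sender can forge ones bearing any other authserv-id.
    return {m.group(1).lower()
            for h in msg.get_all("Authentication-Results", [])
            if h.strip().startswith("me;")
            for m in [AUTH_RES.search(h)] if m}

def check(raw):
    """Return ("ok", None, None) or ("quarantine", shown, real)."""
    msg = message_from_string(raw)
    signers = passing_signers(msg)
    for m in ANCHOR.finditer(msg.get_payload()):
        real, shown = registered_domain(m.group(1)), registered_domain(m.group(2))
        # Displayed domain differs from the real link target: suspicious
        # unless the displayed domain itself signed the message.
        if real != shown and shown not in signers:
            return ("quarantine", shown, real)
    return ("ok", None, None)
```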
