[clamav-users] Solving heuristics by DKIM
Alessandro Vesely
vesely at tana.it
Mon Oct 20 10:58:54 UTC 2014
Hi,
I happened to whitelist social sites, by creating a local.wdb which
allows Banca Sella (a legitimate bank) to link to them in the footer
of their newsletter:
M:www.facebook.com:www.sella.it
M:plus.google.com:www.sella.it
M:www.youtube.com:www.sella.it
Thinking twice, those newsletters are DKIM-signed by the bank, so it
would have been much safer to rely on their signature. I could do
that by holding Heuristics.* viruses, and quarantine only if the
signature fails to verify. However, I still have to whitelist the
possibly spoofed domain (sella.it) as a signer. Consider:
DKIM-Signature: d=econofimmo-f.fr ...
...
<a href="http://econofimmo-f.fr/X">www.sella.it</a>
In the latter case, the signer is not whitelisted and I'd quarantine
the message even if the signature verifies.[1]
An alternative to whitelisting could be just checking that the signer
is the looks-spoofed-domain. I can add a header field like so:
Authentication-Results: me; dkim=pass header.d=sella.it
Then, I'd put whitelisting like (ehm, let me swell up the syntax just
to express what I mean):
M:*:/^Authentication-Results: me;.* header.d=([\-\.a-z]+)/
That would mean "match anything as long as the possibly spoofed domain
is the captured string". Is anything like that possible?
Thanks
Ale
[1] An Authorized Third-Party Signature [RFC6541] could validate an
affiliation just like it validates From:. That's definitely science
fiction at this time. (BTW, who is econofimmo?)
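As an added illustration of the check proposed in the post (this is not code from the post, nor ClamAV's own whitelist matching): a message is released only when every link whose visible text names a host other than its target is covered by a dkim=pass result that our own verifier stamped into Authentication-Results. The authserv-id "me", the helper names and the two sample messages are assumed/constructed; the body is assumed to be a single text/html part.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# "dkim=pass ... header.d=<domain>" inside one Authentication-Results value
AR_DKIM = re.compile(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", re.I)
# crude anchor extractor: href plus visible text (enough for newsletter footers)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
# visible text that reads like a hostname, e.g. "www.sella.it" or "http://www.sella.it/"
HOSTLIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)/?$")

def passing_dkim_signers(msg, authserv_id):
    """Domains (header.d) with dkim=pass in the Authentication-Results we stamped ourselves."""
    signers = set()
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold the header
        if not value.startswith(authserv_id + ";"):
            continue                               # ignore results added by other hosts
        signers.update(d.lower() for d in AR_DKIM.findall(value))
    return signers

def looks_spoofed_links(html):
    """(displayed_host, actual_host) pairs where the link text names a host other than the target."""
    for href, text in ANCHOR.findall(html):
        shown = HOSTLIKE.match(text.strip())
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != actual:
            yield shown.group(1).lower(), actual

def signed_by(host, signers):
    """True if host equals, or is a subdomain of, a passing DKIM signer."""
    return any(host == s or host.endswith("." + s) for s in signers)

def verdict(raw, authserv_id="me"):
    """'release' when every looks-spoofed domain is vouched for by a passing signature, else 'quarantine'."""
    msg = message_from_string(raw)
    signers = passing_dkim_signers(msg, authserv_id)
    for shown, _actual in looks_spoofed_links(msg.get_payload()):
        if not signed_by(shown, signers):
            return "quarantine"
    return "release"

def sample(signer, href):
    # constructed message: our own Authentication-Results plus one footer link showing www.sella.it
    return (f"Authentication-Results: me; dkim=pass header.d={signer}\n"
            "Content-Type: text/html\n\n"
            f'<a href="{href}">www.sella.it</a>\n')

BANK = sample("sella.it", "http://www.facebook.com/sella")      # bank newsletter footer
PHISH = sample("econofimmo-f.fr", "http://econofimmo-f.fr/X")  # the case from the post
```

verdict(BANK) gives "release" and verdict(PHISH) gives "quarantine"; an Authentication-Results header stamped by some other authserv-id is ignored, so it cannot vouch for anything.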