List: clamav-users
Subject: [clamav-users] Re-2: confirm fc348079837XXXXXXXXXXXXXXXXXXXXXXXXb8a2a7
From: "Steve Scotter" <clamav-users () spectrumcs ! net>
Date: 2012-11-20 21:20:06
Message-ID: DIIE.0000011200005506 () rainbow ! spectrumcs ! net
Hi Jan,
Thanks for your comments...
I realised this is going OT but...
> It looks like you are rejecting mail based on an invalid DKIM signature.
> You shouldn't do that, sourcefire.com doesn't even list an ADSP policy.
I see what you mean, _adsp._domainkey.sourcefire.com doesn't exist.
> But even if it did, you should still whitelist mails coming from known
> mailinglists, because mailinglists tend to always break DKIM signatures of
> the original sender, because of modifications to subject and body of the e-
> mail.
I'd love to but opendkim doesn't appear (on first glance) to have the ability to do that. Will look into that.
> But rejecting on a bad DKIM signature alone is simply not something someone should
> ever do. (If you're really keen to delete mails based on DKIM signatures,
> look at DMARC instead: www.dmarc.org. That still doesn't deal with
> mailinglist mails though, DMARC is aimed at large phishing-sensitive
> senders like paypal or BoA)
Just to clarify, are you suggesting that a DKIM signed email from a domain with an ADSP record of "dkim=discardable" still shouldn't be rejected?
Steve
-------- Original Message --------
Subject: Re: [clamav-users] confirm fc348079837XXXXXXXXXXXXXXXXXXXXXXXXb8a2a7 (20-Nov-2012 10:57)
From: Jan-Pieter Cornet <johnpc@xs4all.net>
To: clamav-users@spectrumcs.net
> On 2012-11-16 10:23 , Steve Scotter wrote:
> > I've had four of these in the last couple of months but hadn't had much
> > time to look into it until today. Having checked my mail logs for 'clamav.
> > net' I found an entry.
> >
> > 2012-11-15 21:57:26 mail info postfix/cleanup[63281] 4BBB21ABD25: milter-
> > reject: END-OF-MESSAGE from ds049.xs4all.nl[194.109.142.194]: 5.7.0 bad
> > DKIM signature data; from=<clamav-users-bounces@lists.clamav.net> to=<
> > XXXXXXXXXXXXXXXXXXXXXXXXXXX> proto=ESMTP helo=<tad.clamav.net>
> >
> > Searching for 4BBB21ABD25 revealed ...
> >
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: ds049.
> > xs4all.nl [194.109.142.194] not internal
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: not
> > authenticated
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: s=
> > google d=sourcefire.com SSL error:04077068:rsa routines:RSA_verify:bad
> > signature
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: bad
> > signature data
> >
> > Any ideas?
>
> It looks like you are rejecting mail based on an invalid DKIM signature.
> You shouldn't do that, sourcefire.com doesn't even list an ADSP policy.
>
> But even if it did, you should still whitelist mails coming from known
> mailinglists, because mailinglists tend to always break DKIM signatures of
> the original sender, because of modifications to subject and body of the e-
> mail.
>
> But rejecting on a bad DKIM signature alone is simply not something someone should
> ever do. (If you're really keen to delete mails based on DKIM signatures,
> look at DMARC instead: www.dmarc.org. That still doesn't deal with
> mailinglist mails though, DMARC is aimed at large phishing-sensitive
> senders like paypal or BoA)
>
> --
> Jan-Pieter Cornet <johnpc@xs4all.net>
> Systeembeheer XS4ALL Internet bv
> Internet: www.xs4all.nl
> Contact: www.xs4all.nl/contact
>
To: johnpc@xs4all.net
clamav-users@lists.clamav.net
Cc: clamav-users-request@lists.clamav.net
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
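
One way to express the advice in this thread as a receiver-side decision, as an added example that is not part of the thread and not opendkim's own code. The function names, the `KNOWN_LISTS` set and the choice to reject non-list mail only when the author domain publishes `dkim=discardable` are assumptions; the log line is the one quoted above, rejoined onto a single line.

```python
import re

# Assumption: envelope-sender domains of lists this site subscribes to,
# maintained locally. The envelope sender is forgeable, so a production
# rule would also pin the relay host or require an SPF pass.
KNOWN_LISTS = {"lists.clamav.net"}

# opendkim log line from the thread, rejoined onto one line.
SAMPLE_LOG = ("4BBB21ABD25: s=google d=sourcefire.com "
              "SSL error:04077068:rsa routines:RSA_verify:bad signature")


def signer_from_log(line):
    """Return (selector, signing domain) from an opendkim log line, or None."""
    m = re.search(r"\bs=(\S+)\s+d=(\S+)", line)
    return (m.group(1), m.group(2)) if m else None


def parse_adsp(txt):
    """Return the dkim= practice from the TXT value published at
    _adsp._domainkey.<author domain>, or None when no record exists."""
    m = re.search(r"(?:^|;)\s*dkim\s*=\s*([a-z]+)", (txt or "").lower())
    return m.group(1) if m else None


def disposition(dkim_result, envelope_from, adsp_txt):
    """Decide what to do with one message; returns (action, reason).

    dkim_result: 'pass', 'fail' or 'none' for the author-domain signature.
    adsp_txt:    ADSP TXT value for the author domain, None if NXDOMAIN.
    """
    if dkim_result == "pass":
        return ("accept", "valid signature")
    # Lists rewrite subject and body, so a broken signature is expected here.
    if envelope_from.rsplit("@", 1)[-1].lower() in KNOWN_LISTS:
        return ("accept", "known list; signature breakage expected")
    # Only an explicit sender policy turns a failure into a rejection.
    if parse_adsp(adsp_txt) == "discardable":
        return ("reject", "author domain publishes dkim=discardable")
    return ("accept", "bad signature alone is not a reject reason")


if __name__ == "__main__":
    print(signer_from_log(SAMPLE_LOG))
    # The message from the thread: list sender, no ADSP record.
    print(disposition("fail", "clamav-users-bounces@lists.clamav.net", None))
```
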