
List:       clamav-users
Subject:    [clamav-users] Re-2: confirm fc348079837XXXXXXXXXXXXXXXXXXXXXXXXb8a2a7
From:       "Steve Scotter" <clamav-users () spectrumcs ! net>
Date:       2012-11-20 21:20:06
Message-ID: DIIE.0000011200005506 () rainbow ! spectrumcs ! net



Hi Jan,

Thanks for your comments... 

I realised this is going OT but...

> It looks like you are rejecting mail based on an invalid DKIM signature. 
> You shouldn't do that, sourcefire.com doesn't even list an ADSP policy.

I see what you mean, _adsp._domainkey.sourcefire.com doesn't exist.

> But even if it did, you should still whitelist mails coming from known 
> mailinglists, because mailinglists tend to always break DKIM signatures of 
> the original sender, because of modifications to subject and body of the
> e-mail.

I'd love to but opendkim doesn't appear (on first glance) to have the ability to do
that. Will look into that.

> But rejecting on a bad DKIM signature alone is simply not something someone should 
> ever do. (If you're really keen to delete mails based on DKIM signatures, 
> look at DMARC instead: www.dmarc.org. That still doesn't deal with 
> mailinglist mails though, DMARC is aimed at large phishing-sensitive 
> senders like paypal or BoA)

Just to clarify, are you suggesting that rejecting a DKIM signed email from a domain
with an ADSP record of "dkim=discardable" still shouldn't be rejected?

Steve

-------- Original Message --------
Subject: Re: [clamav-users] confirm fc348079837XXXXXXXXXXXXXXXXXXXXXXXXb8a2a7 (20-Nov-2012 10:57)
From:    Jan-Pieter Cornet <johnpc@xs4all.net>
To:      clamav-users@spectrumcs.net

> On 2012-11-16 10:23 , Steve Scotter wrote:
> > I've had four of these in the last couple of months but hadn't had much 
> > time to look into it until today. Having checked my mail logs for
> > 'clamav.net' I found an entry.
> > 
> > 2012-11-15 21:57:26 mail info	postfix/cleanup[63281]	4BBB21ABD25: milter-reject: END-OF-MESSAGE from ds049.xs4all.nl[194.109.142.194]: 5.7.0 bad DKIM signature data; from=<clamav-users-bounces@lists.clamav.net> to=<XXXXXXXXXXXXXXXXXXXXXXXXXXX> proto=ESMTP helo=<tad.clamav.net>
> > 
> > Searching for 4BBB21ABD25 revealed ...
> > 
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: ds049.xs4all.nl [194.109.142.194] not internal
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: not authenticated
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: s=google d=sourcefire.com SSL error:04077068:rsa routines:RSA_verify:bad signature
> > 2012-11-15T21:57:26.000+00:00 crimson opendkim[90753]: 4BBB21ABD25: bad signature data
> > 
> > Any ideas?
> 
> It looks like you are rejecting mail based on an invalid DKIM signature. 
> You shouldn't do that, sourcefire.com doesn't even list an ADSP policy.
> 
> But even if it did, you should still whitelist mails coming from known 
> mailinglists, because mailinglists tend to always break DKIM signatures of 
> the original sender, because of modifications to subject and body of the
> e-mail.
> 
> But rejecting on a bad DKIM signature alone is simply not something someone should 
> ever do. (If you're really keen to delete mails based on DKIM signatures, 
> look at DMARC instead: www.dmarc.org. That still doesn't deal with 
> mailinglist mails though, DMARC is aimed at large phishing-sensitive 
> senders like paypal or BoA)
> 
> -- 
> Jan-Pieter Cornet <johnpc@xs4all.net>
> Systeembeheer XS4ALL Internet bv
> Internet: www.xs4all.nl
> Contact: www.xs4all.nl/contact
> 


To: johnpc@xs4all.net
    clamav-users@lists.clamav.net
Cc: clamav-users-request@lists.clamav.net
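
Added example, not part of the original thread and not opendkim's code: a sketch of the two things a DKIM verifier recomputes (the relaxed body hash compared with bh=, and the canonicalized Subject header) before and after a mailing list prefixes the subject and appends a footer, which is the breakage described in the quoted reply. The message text, footer text and helper names are constructed for illustration; the canonicalization follows RFC 6376 "relaxed".

```python
import base64
import hashlib
import re

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """What a verifier recomputes and compares with the signature's bh= tag (sha256)."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()

def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim the value."""
    value = re.sub(r"[ \t]+", " ", re.sub(r"\r\n(?=[ \t])", "", value)).strip(" ")
    return name.strip().lower() + ":" + value + "\r\n"

def list_rewrite(subject: str, body: bytes, tag: str, footer: bytes):
    """Hypothetical list manager step: prefix the Subject and append a footer."""
    if tag not in subject:
        subject = f"{tag} {subject}"
    return subject, body.rstrip(b"\r\n") + b"\r\n" + footer

def signed_parts_intact(subject, body, new_subject, new_body) -> dict:
    """True per part if the sender's signature would still cover identical data."""
    return {
        "body_hash": body_hash(body) == body_hash(new_body),
        "subject": canon_header_relaxed("Subject", subject)
        == canon_header_relaxed("Subject", new_subject),
    }

# Constructed sample message and list settings (not taken from a real mail).
SUBJECT = "Weekly scan report"
BODY = b"Hi all,\r\n\r\nSignatures updated.\r\n"
LIST_TAG = "[clamav-users]"
LIST_FOOTER = b"_______________________________________________\r\nhttp://www.clamav.net/support/ml\r\n"

if __name__ == "__main__":
    new_subject, new_body = list_rewrite(SUBJECT, BODY, LIST_TAG, LIST_FOOTER)
    print("bh before list:", body_hash(BODY))
    print("bh after list: ", body_hash(new_body))
    print(signed_parts_intact(SUBJECT, BODY, new_subject, new_body))
```

Relaxed canonicalization absorbs whitespace changes made in transit, but not an appended footer or a subject tag, so the original sender's signature fails at the subscriber even though nothing was forged.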

