You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/06/20 18:18:29 UTC

DKIM and spoofing

Hi,

We've been having a problem with phishing attacks by spoofing the
MAILFROM and From address. We've implemented SPF which takes care of
the MAILFROM problem, and have built a number of rules that block From
address spoofing.

We haven't implemented DKIM for our own domain yet, and it's not
something we can do right now.

There's still a legitimate requirement to have internal users use
external services (createsend, constantcontact, etc) to distribute
newsletters, etc, to internal users using users in our own domain.

In other words, we want to block the unauthorized use of our internal
users addresses, but permit the legitimate authorized users to be able
to use these external services.

Many of these services use DKIM to sign the messages. I just wanted to
make sure I wasn't missing something important by whitelisting our own
domain using the DKIM sigs that arrive?

whitelist_from_dkim *@example.com
whitelist_auth *@example.com

Should I be able to test a message that was already received but
quarantined for DKIM_VALID or has the message been changed in some way
after receiving it that prevents it from passing DKIM?

X-Envelope-From: <Se...@cmail20.com>
From: "Sender" <se...@example.com>
To: "Recip" <re...@example.com>

The message passes DKIM:

-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
necessarily valid

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=cm; d=example.com;
 h=Subject:From:To:Reply-To:Date:MIME-Version:Content-Type:List-Unsubscribe:Message-ID;
i=sender@example.com;
 bh=+As5afWxvhSaKbwlO/EZvX1OZrs=;
 b=o8CcMc3vzBUyeJVQ/27v75R/QZDPU8vB+AMr1Dg5TGyyEvwZYhTjlm9lTxteGVGzaZPAhtlVM
   2nNUItbgRjnEvpbRA7Hdsh7QHAso8Mf4i1z3KfUqAFV3V1PMnO65

but running the message through spamassassin again with the whitelist
entry doesn't actually whitelist the message.

Ideas greatly appreciated.
Thanks,
Alex

Re: DKIM and spoofing

Posted by Bill Cole <sa...@billmail.scconsult.com>.

On 21 Jun 2016, at 11:21, Alex wrote:

> Hi,
>
> On Tue, Jun 21, 2016 at 4:04 AM, Merijn van den Kroonenberg
> <me...@web2all.nl> wrote:
>>> Hi,
>>>
>>> We've been having a problem with phishing attacks by spoofing the
>>> MAILFROM and From address. [snip]
>>
>>> The message passes DKIM:
>>>
>>> -0.1 DKIM_VALID             Message has at least one valid DKIM or 
>>> DK
>>> signature
>>>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
>>> necessarily valid
>>>
>>> DKIM-Signature: [snip]
>>
>>> but running the message through spamassassin again with the 
>>> whitelist
>>> entry doesn't actually whitelist the message.
>>
>> I notice it doesn't hit DKIM_VALID_AU. Which basically is the thing 
>> you
>> want to check, since it means the message is not just signed by a 
>> random
>> domain, but by the domain of the author.
>
> It didn't hit DKIM_VALID_AU, but I know the message is legitimate.

Analogy: Imagine if you used "password" as a password somewhere and as a 
result various random miscreants use your account regularly, would they 
become you when logged in? If they change the name on the account, are 
you still Alex and would that depend on whether you are logged in or 
not? If 99% of logins on your account are by other people, are your 
logins still "legitimate?"

DKIM_VALID_AU is SA's confirmation that the message is authenticated as 
having been written by the purported author to the degree that DKIM can 
provide such authentication. SA has minimum standards for that 
confirmation. Anyone can DKIM-sign any message with any key they can put 
into DNS for a "d=" domain, so SA reserves DKIM_VALID_AU for messages 
signed by a signer in control of a private key which coincides with a 
public key published for the purported author's domain and that the key 
be reasonably strong.

> What could that mean?

1. The signature "d=" field does not match the domain of the address in 
the From: header. This is impossible for us to know because it is 
unclear whether your use of "example.com" in munging the message 
information indicates one domain or many.

2. The signing key was <1024 bits and you have not changed 
dkim_minimum_key_bits to accommodate shorter keys.

>> So I assume the dkim whitelists check this too (against From and 
>> mailfrom?).

DKIM does not authenticate SMTP envelope sender addresses, only "author" 
addresses, usually the From headers but sometimes optionally the Sender 
header. I don't think the implementation SA uses ever looks at Sender, 
but ICBW.

> Then it's fair to say that USER_IN_DKIM_WHITELIST only considers 
> DKIM_VALID_AU?

Yes, because anyone can sign any message. If the domain of the signature 
isn't the same as the domain of the purported message author, the 
signature does not carry much significance (unless you put some special 
trust in the signing entity, i.e. the 'i=' address, of which the domain 
part matches the "d=" value or a subdomain)

> If someone could explain how this all goes together, I'd sure 
> appreciate it.

'perldoc Mail::SpamAssassin::Plugin::DKIM' on a sanely-configured system 
with SpamAssassin installed provides ~15k of relevant information and 
citations of RFCs. Consider it and the RFCs cited in it included here by 
reference...

Re: DKIM and spoofing

Posted by Alex <my...@gmail.com>.

Hi,

On Tue, Jun 21, 2016 at 4:04 AM, Merijn van den Kroonenberg
<me...@web2all.nl> wrote:
>> Hi,
>>
>> We've been having a problem with phishing attacks by spoofing the
>> MAILFROM and From address. [snip]
>
>> The message passes DKIM:
>>
>> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK
>> signature
>>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
>> necessarily valid
>>
>> DKIM-Signature: [snip]
>
>> but running the message through spamassassin again with the whitelist
>> entry doesn't actually whitelist the message.
>
> I notice it doesn't hit DKIM_VALID_AU. Which basically is the thing you
> want to check, since it means the message is not just signed by a random
> domain, but by the domain of the author.

It didn't hit DKIM_VALID_AU, but I know the message is legitimate.
What could that mean?

> So I assume the dkim whitelists check this too (against From and mailfrom?).

Then it's fair to say that USER_IN_DKIM_WHITELIST only considers DKIM_VALID_AU?

If someone could explain how this all goes together, I'd sure appreciate it.