Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2007/07/29 14:10:45 UTC

SA will segv on forged DomainKeys sig

Heads up to amavisd-new users:  lots of emails in mailq, stuck at
127.0.0.1:

B18A1524C2D   27169 Sat Jul 28 15:50:18  dngrdpnsfbu@yahoo.com.tw
(lost connection with 127.0.0.1[127.0.0.1] while sending end of data --
message may be sent more than once)
                                         sandipan@domain.com

SpamAssassin users, maybe same thing, not sure if spamd would segv.

Not sure where to start on this, if SA should not even pass the key to
the DKIM plugin (or mark it trashed and drop it) or maybe have clamav mark it
as a virus first? Or if this is a bug in Mail-DKIM?

I found several systems, running SA 3.2.1, and Mail-DKIM.pm .26 that
will SEGV on a forged DomainKeys signature.
(sample email available upon request)

Run email through spamassassin -t, get this:

 spamassassin -t < sample.eml
[54400] warn: Premature end of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
[54400] warn: Premature padding of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.

Spamassassin -tL file (because it only does local tests)

Forged DomainKeys:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;
  b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34
  Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw4
  5uxAKTERTph61=  ;

(Note the \s\s; gap at the end?)

I don't think DomainKey signatures have a \s\s; at the end (not real ones).

And, no, it didn't come from yahoo, but is forged to look like it did.

Received: from c.mx.mail.yahoo.com (unknown [116.217.231.217])
        by GSNJSPT01.galaxy.lan (Postfix) with ESMTP id 82BA9524C26

-- 
Michael Scheidell, CTO
http://www.secnap.com/events for free and discounted seminar tickets 
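The pre-check the post asks about (whether SA should refuse to hand a malformed DomainKeys signature to the DKIM plugin at all), as an added example in Python; this is not SpamAssassin, amavisd-new or Mail::DKIM code. It unfolds a DomainKey-Signature header, splits the tags, and validates the b= value as base64 before anything tries to decode it, reporting the same two defects the Perl warnings name (length not a multiple of 4, and padding arriving after a run of data characters that cannot encode whole bytes). The forged header is the one quoted in the post, with the wrapping treated as folding whitespace; the well-formed header, its domain and its 128-byte signature are constructed stand-ins rather than a real signature, and `screen_signature`, `parse_tags` and `check_b_tag` are names chosen here.

```python
"""Screen a DomainKey-Signature header before it reaches a signature verifier.

Added example (not SpamAssassin, amavisd-new or Mail::DKIM code): unfold
the header, split the tags, and check that b= is well-formed base64 of a
plausible RSA signature length. Malformed values are rejected up front
instead of being handed to a library that may not expect them.
"""
import base64
import re

# base64 alphabet, with '=' padding permitted only at the very end.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

# Forged header quoted in the post; the line breaks are taken as folding
# whitespace, which DomainKeys allows anywhere inside b=.
FORGED_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;\n"
    "  s=s1024; d=yahoo.com;\n"
    "  h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:"
    "MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;\n"
    "  b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34\n"
    "  Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw4\n"
    "  5uxAKTERTph61=  ;"
)

# Constructed well-formed counterpart: 128 stand-in bytes (the size of a
# 1024-bit RSA signature), NOT a real signature, under a made-up domain.
_STANDIN_SIG = base64.b64encode(bytes(range(128))).decode("ascii")
GOOD_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;\n"
    "  s=s1024; d=example.com;\n"
    "  h=From:To:Subject:Date;\n"
    "  b=" + _STANDIN_SIG[:76] + "\n"
    "  " + _STANDIN_SIG[76:] + ";"
)


def unfold(header: str) -> str:
    """Join RFC 2822 continuation lines: a line break followed by WSP is FWS."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_tags(header: str) -> dict:
    """Split the header into {tag: raw value}, dropping the header name.

    Values are kept verbatim (including surrounding whitespace) so the
    checks below can still see folding whitespace and stray spaces.
    """
    body = unfold(header)
    name, sep, rest = body.partition(":")
    if sep and "=" not in name:          # a leading "DomainKey-Signature:"
        body = rest
    tags = {}
    for field in body.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"tag without '=': {field.strip()!r}")
        tag, value = field.split("=", 1)
        tags[tag.strip()] = value
    return tags


def check_b_tag(raw: str) -> tuple:
    """Return (errors, notes, decoded_length) for a raw b= value."""
    errors, notes = [], []
    if raw != raw.rstrip():
        notes.append("whitespace between the end of b= and ';'")
    compact = re.sub(r"\s+", "", raw)    # FWS inside b= is legal; drop it
    if not compact:
        return ["b= is empty"], notes, 0
    if not B64_VALUE.match(compact):
        return ["b= has non-base64 characters or padding not at the end"], notes, 0
    data_len = len(compact.rstrip("="))
    if len(compact) % 4 != 0:
        errors.append(f"b= length {len(compact)} is not a multiple of 4 "
                      "(premature end of base64 data)")
    if data_len % 4 == 1:
        errors.append(f"{data_len} data characters before '=' cannot encode "
                      "whole bytes (premature padding)")
    if errors:
        return errors, notes, 0
    sig = base64.b64decode(compact, validate=True)
    # An RSA signature is exactly the modulus length: 512- to 8192-bit keys.
    if not 64 <= len(sig) <= 1024:
        errors.append(f"decoded signature is {len(sig)} bytes, not an RSA modulus size")
    return errors, notes, len(sig)


def screen_signature(header: str) -> dict:
    """Decide whether a DomainKey-Signature header is safe to hand to a verifier."""
    tags = parse_tags(header)
    errors, notes, sig_len = [], [], 0
    if tags.get("a", "").strip() != "rsa-sha1":
        errors.append("a= must be rsa-sha1, the only DomainKeys algorithm")
    for required in ("b", "d", "s"):
        if required not in tags:
            errors.append(f"missing required tag {required}=")
    if "b" in tags:
        b_errors, notes, sig_len = check_b_tag(tags["b"])
        errors.extend(b_errors)
    return {"ok": not errors, "errors": errors, "notes": notes,
            "domain": tags.get("d", "").strip(), "sig_len": sig_len}


if __name__ == "__main__":
    for label, hdr in (("forged", FORGED_HEADER), ("constructed good", GOOD_HEADER)):
        r = screen_signature(hdr)
        print(label, "->", "pass to verifier" if r["ok"] else "reject", r["errors"], r["notes"])
```

Run as a script, the forged header is rejected with both base64 defects and a note about the whitespace before the `;`, while the constructed header passes with a 128-byte signature. The whitespace is reported as a note rather than an error because folding whitespace is permitted inside b=; the two length checks are what actually make the value undecodable.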