commit 23a41da: [Minor] Change the default list of oversigned headers

Vsevolod Stakhov vsevolod at highsecure.ru
Mon May 13 10:42:03 UTC 2019


Author: Vsevolod Stakhov
Date: 2019-05-13 11:36:20 +0100
URL: https://github.com/rspamd/rspamd/commit/23a41dae4ddb3c5ae48f90e03b67653881f93018 (HEAD -> master)

[Minor] Change the default list of oversigned headers
Trivia:

`Subject` header needs to be oversigned as an attacker could add some
'bad' subject to DKIM signed emails with no subject (rare but possible
case). This header is clearly displayed to a user; hence, its presence as
well as its absence MUST be oversigned explicitly.

`Reply-To` header is widely used to designate a special address used for
replies only but not for authentication checks. It is thus possible to
add a malicious `Reply-To` header to force users to reply to a DKIM
signed email to some attacker-controlled email address. It clearly
opens a surface for social-engineering-like attacks, and this header must
thus be unconditionally oversigned even if not present in an original
message.

Issue: #2887

---
 src/plugins/dkim_check.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/plugins/dkim_check.c b/src/plugins/dkim_check.c
index 6ad748454..0cfea3f92 100644
--- a/src/plugins/dkim_check.c
+++ b/src/plugins/dkim_check.c
@@ -54,13 +54,13 @@
 static const gchar *M = "rspamd dkim plugin";
 
 static const gchar default_sign_headers[] = ""
-		"(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:"
+		"(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"
 		"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"
 		"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"
 		"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"
 		"list-subscribe:list-post:(x)openpgp:(x)autocrypt";
 static const gchar default_arc_sign_headers[] = ""
-		"(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:"
+		"(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"
 		"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"
 		"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"
 		"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"
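Review bot: `default_sign_headers` and `default_arc_sign_headers` in this hunk carry the same literal and had to be edited in lockstep; consider deriving both from one shared macro or constant so the oversigning policy cannot silently drift between DKIM and ARC signing. Since existing deployments inherit the new defaults, a test asserting that a message without `Reply-To` or `Subject` now produces a signature whose `h=` tag still lists those names, plus a mention of the changed defaults in the user-facing documentation of the default signing headers, would make the behaviour change visible.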


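The commit message argues that `Subject` and `Reply-To` must be oversigned so that a later header addition invalidates the signature. The following added example (not rspamd code, and not part of the commit or the mailing-list post) models the RFC 6376 section 5.4.2 rule a verifier uses to pick header instances from the `h=` tag, and shows the difference between the old `(x)` and new `(o)` defaults for a message that has no `Reply-To`, generalized to a second `Subject` being prepended to a message that already has one. The `parse_sign_headers` function interprets the rspamd-style list syntax under an assumption stated in its docstring: `(o)` oversigns, `(x)` signs only existing instances, and a bare name signs one instance if present. The sample headers and policy strings are constructed for the example.

```python
"""Why oversigning a header matters for DKIM (added example, not rspamd code).

Models the RFC 6376 s5.4.2 instance-selection rule for the h= tag and shows
that listing a header one more time than it occurs (oversigning) makes a
later header addition change the signed input, so verification fails.
"""
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]   # (field name, field value)
Policy = Tuple[str, str]   # (flag, lowercase field name)


def parse_sign_headers(spec: str) -> List[Policy]:
    """Parse an rspamd-style list such as "(o)from:(x)reply-to:subject".

    Assumption (not taken from the page): "(o)" means oversign, "(x)" means
    sign only the instances that exist, and no prefix means sign one
    instance if present.
    """
    out = []
    for item in spec.split(":"):
        m = re.fullmatch(r"(?:\((\w)\))?([\w-]+)", item.strip())
        if not m:
            raise ValueError(f"bad sign_headers item: {item!r}")
        out.append(((m.group(1) or "").lower(), m.group(2).lower()))
    return out


def build_h_list(headers: List[Header], policy: List[Policy]) -> List[str]:
    """Expand a policy into the list of names the signer puts in h=."""
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    h = []
    for flag, name in policy:
        n = counts.get(name, 0)
        if flag == "o":
            h.extend([name] * (n + 1))   # the extra slot is signed as empty
        elif flag == "x":
            h.extend([name] * n)
        else:
            h.extend([name] * min(n, 1))
    return h


def select_header_instances(headers: List[Header],
                            h_list: List[str]) -> List[Tuple[str, Optional[str]]]:
    """RFC 6376 s5.4.2: for each h= entry take the last not-yet-used instance,
    scanning from the bottom of the header block; when none is left the entry
    contributes the null string (None here)."""
    used = set()
    selected = []
    for name in h_list:
        pick = None
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name:
                pick = i
                break
        if pick is None:
            selected.append((name, None))
        else:
            used.add(pick)
            selected.append((name, headers[pick][1]))
    return selected


def relaxed_header_hash_input(headers: List[Header], h_list: List[str]) -> str:
    """Relaxed canonicalisation (RFC 6376 s3.4.2) of the selected instances:
    the part of the signed input that a header addition can affect."""
    parts = []
    for name, value in select_header_instances(headers, h_list):
        if value is None:
            continue   # null-string contribution for a missing instance
        parts.append(name + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n")
    return "".join(parts)


def addition_breaks_signature(original: List[Header], tampered: List[Header],
                              policy_spec: str) -> bool:
    """True when the h= list derived from `original` under the policy yields
    a different hash input for `tampered`, i.e. the verifier would reject it."""
    h_list = build_h_list(original, parse_sign_headers(policy_spec))
    return (relaxed_header_hash_input(original, h_list)
            != relaxed_header_hash_input(tampered, h_list))


# Constructed sample message (not from the page): no Reply-To header present.
ORIGINAL = [("From", "alice@example.com"), ("To", "bob@example.com"),
            ("Subject", "Invoice")]
# Old and new defaults, trimmed to the headers that matter for the example.
OLD_POLICY = "(o)from:(x)sender:(x)reply-to:(x)subject:(x)date"
NEW_POLICY = "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date"

if __name__ == "__main__":
    with_reply_to = [("Reply-To", "someone@example.net")] + ORIGINAL
    with_second_subject = [("Subject", "Changed")] + ORIGINAL
    for label, msg in (("added Reply-To", with_reply_to),
                       ("second Subject", with_second_subject)):
        print(label, "old default:", addition_breaks_signature(ORIGINAL, msg, OLD_POLICY),
              "new default:", addition_breaks_signature(ORIGINAL, msg, NEW_POLICY))
```

Under the old default the `h=` tag built from the original message never names `reply-to` and names `subject` only once, so the prepended headers are never selected by the verifier and the signature still validates; under the new default the extra empty slot is filled by the added header and the hash input changes.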