Mailing List Archive: exim: users

DKIM verification and envelope-from

 

 



robert.wysocki at contium

Apr 26, 2012, 4:07 AM

Post #1 of 11 (510 views)
DKIM verification and envelope-from

Hi there,

I'm trying to achieve a configuration that would verify DKIM signatures
for known signers.
Everything works fine until the envelope-from address is one of the known
signers. But many spams have envelope-from set differently than the From:
header, e.g. injectingy472 [at] wonderware in envelope-from and
something [at] gmail in the From: header.
This enables them to bypass DKIM signature checks and therefore to bypass
one of the anti-spam mechanisms.

How can I instruct exim to include the From: header's content in the known
signers checks?

Regards,
--
Robert Wysocki
Linux systems administrator
CONTIUM S.A., http://www.contium.pl



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


wbreyha at gmx

Apr 27, 2012, 5:50 AM

Post #2 of 11 (504 views)
Re: DKIM verification and envelope-from [In reply to]

Robert Wysocki wrote, on 26.04.2012 13:07:
> Hi there,
>
> I'm trying to achieve configuration that would verify DKIM signatures
> for known signers.
> Everything works fine until envelope-from address is one of known
> signers. But many spams have envelope-from set differently than From:
> header, eg. injectingy472 [at] wonderware in envelope-from and
> something [at] gmail in From: header.
> This enables them to bypass DKIM signature checks and therefor to bypass
> one of the anti-spam mechanisms.

DKIM has no relation to the envelope from. DKIM signs and protects the From:
header (and others). Using the envelope from for anything related to DKIM can
only produce false positives, e.g. common forwards.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria




robert.wysocki at contium

Apr 27, 2012, 6:09 AM

Post #3 of 11 (506 views)
Re: DKIM verification and envelope-from [In reply to]

On Fri, 2012-04-27 at 14:50 +0200, Wolfgang Breyha wrote:
> Robert Wysocki wrote, on 26.04.2012 13:07:
> > Hi there,
> >
> > I'm trying to achieve configuration that would verify DKIM signatures
> > for known signers.
> > Everything works fine until envelope-from address is one of known
> > signers. But many spams have envelope-from set differently than From:
> > header, eg. injectingy472 [at] wonderware in envelope-from and
> > something [at] gmail in From: header.
> > This enables them to bypass DKIM signature checks and therefor to bypass
> > one of the anti-spam mechanisms.
>
> DKIM has no relation to envelope from. DKIM signs and protects the From:
> header (and others). Using envelope from for anything related to DKIM can only
> produce false positives, eg. common forwards.

Thanks, but I know that.
I believe my question was about something else.

Regards,
--
Robert Wysocki
Linux systems administrator
CONTIUM S.A., http://www.contium.pl





mike.tubby at thorcom

Apr 27, 2012, 6:41 AM

Post #4 of 11 (505 views)
Re: DKIM verification and envelope-from [In reply to]

On 27/04/2012 14:09, Robert Wysocki wrote:
> On Fri, 2012-04-27 at 14:50 +0200, Wolfgang Breyha wrote:
>> Robert Wysocki wrote, on 26.04.2012 13:07:
>>> Hi there,
>>>
>>> I'm trying to achieve configuration that would verify DKIM signatures
>>> for known signers.
>>> Everything works fine until envelope-from address is one of known
>>> signers. But many spams have envelope-from set differently than From:
>>> header, eg. injectingy472 [at] wonderware in envelope-from and
>>> something [at] gmail in From: header.
>>> This enables them to bypass DKIM signature checks and therefor to bypass
>>> one of the anti-spam mechanisms.
>> DKIM has no relation to envelope from. DKIM signs and protects the From:
>> header (and others). Using envelope from for anything related to DKIM can only
>> produce false positives, eg. common forwards.
> Thanks, but I know that.
> I believe my question was about something else.
>
> Regards,


In my acl_check_dkim I have these tests first:

#
# strict checking on known signers...
#
deny    sender_domains = +dkim_known_signers
        dkim_status    = none:invalid:fail
        message        = Message from $sender_address_domain (known \
                         signer) with invalid or missing signature
        logwrite       = DKIM DENY: Rejected $sender_address_domain \
                         is known signer (in database) but has invalid/missing signature

accept  sender_domains = +dkim_known_signers
        dkim_status    = pass
        logwrite       = DKIM PASS: Accepted $sender_address_domain \
                         is known signer and has good signature
        add_header     = :after_received:X-DKIM-Result: \
                         Domain=$sender_address_domain Result=Good (Known Signer)

#
# rest of DKIM checking ...
#

accept




... the domainlist dkim_known_signers is populated from a MySQL database
query like this:

SELECT_DKIM_KNOWN_SIGNERS = select domain from dkim_known_signers where active=1;
domainlist dkim_known_signers = ${lookup mysql{SELECT_DKIM_KNOWN_SIGNERS}{${sg{$value}{\\n}{ : }}}}

... and my database table has three columns: id (int), active (tinyint),
domain (varchar(128)).

Entries in the database include "ebay.com", "paypal.com", "gmail.com"
and many variants thereof.



Mike




msk at cloudmark

Apr 27, 2012, 11:05 AM

Post #5 of 11 (503 views)
Re: DKIM verification and envelope-from [In reply to]

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of Robert Wysocki
> Sent: Thursday, April 26, 2012 4:08 AM
> To: exim-users [at] exim
> Subject: [exim] DKIM verification and envelope-from
>
> I'm trying to achieve configuration that would verify DKIM signatures
> for known signers.
> Everything works fine until envelope-from address is one of known
> signers. But many spams have envelope-from set differently than From:
> header, eg. injectingy472 [at] wonderware in envelope-from and
> something [at] gmail in From: header.
> This enables them to bypass DKIM signature checks and therefor to
> bypass one of the anti-spam mechanisms.
>
> How can I instruct exim to include From: headers' content in known
> signers checks?

Why wouldn't you base the "known-signer" test on From: instead of the envelope sender?

-MSK


robert.wysocki at contium

Apr 27, 2012, 11:29 AM

Post #6 of 11 (505 views)
Re: DKIM verification and envelope-from [In reply to]

On Fri, 2012-04-27 at 14:41 +0100, Michael J. Tubby B.Sc G8TIC
wrote:
> In my acl_check_dkim I have these tests first:
>
> #
> # strict checking on known signers...
> #
> deny sender_domains = +dkim_known_signers

And that's my point - as far as I know sender_domains is taken from the
envelope, not from the From: header. Hence when the From: header's content is
spoofed but the envelope sender is not, the signature won't be checked even if
From: is in the dkim_known_signers list.

Regards,
--
Robert Wysocki
Linux systems administrator
CONTIUM S.A., http://www.contium.pl





wbreyha at gmx

Apr 27, 2012, 12:20 PM

Post #7 of 11 (502 views)
Re: DKIM verification and envelope-from [In reply to]

On 2012-04-27 20:29, Robert Wysocki wrote:
> On Fri, 2012-04-27 at 14:41 +0100, Michael J. Tubby B.Sc G8TIC
> wrote:
>> deny sender_domains = +dkim_known_signers
>
> And that's my point - as far as I know sender_domains is taken from
> envelope not from From: header. Hence when From: headers' content is
> spoofed but envelope-sender is not, signature won't be checked even if
> From: is in dkim_known_signers list.

Then use something like
condition = ${if match_domain{${domain:$h_from:}}{+dkim_known_signers}\
{yes}{no}}
instead?

Greetings, Wolfgang



robert.wysocki at contium

Apr 30, 2012, 12:03 AM

Post #8 of 11 (493 views)
Re: DKIM verification and envelope-from [In reply to]

On Fri, 2012-04-27 at 18:05 +0000, Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of Robert Wysocki
> > Sent: Thursday, April 26, 2012 4:08 AM
> > To: exim-users [at] exim
> > Subject: [exim] DKIM verification and envelope-from
> >
> > I'm trying to achieve configuration that would verify DKIM signatures
> > for known signers.
> > Everything works fine until envelope-from address is one of known
> > signers. But many spams have envelope-from set differently than From:
> > header, eg. injectingy472 [at] wonderware in envelope-from and
> > something [at] gmail in From: header.
> > This enables them to bypass DKIM signature checks and therefor to
> > bypass one of the anti-spam mechanisms.
> >
> > How can I instruct exim to include From: headers' content in known
> > signers checks?
>
> Why wouldn't you base the "known-signer" test on From: instead of the envelope sender?

I would like to, but can I?
Isn't the decision to evaluate acl_smtp_dkim based on envelope sender?

Regards,
--
Robert Wysocki
Linux systems administrator
CONTIUM S.A., http://www.contium.pl





robert.wysocki at contium

Apr 30, 2012, 12:18 AM

Post #9 of 11 (493 views)
Re: DKIM verification and envelope-from [In reply to]

On Fri, 2012-04-27 at 21:20 +0200, Wolfgang Breyha wrote:
> On 2012-04-27 20:29, Robert Wysocki wrote:
> > On Fri, 2012-04-27 at 14:41 +0100, Michael J. Tubby B.Sc G8TIC
> > wrote:
> >> deny sender_domains = +dkim_known_signers
> >
> > And that's my point - as far as I know sender_domains is taken from
> > envelope not from From: header. Hence when From: headers' content is
> > spoofed but envelope-sender is not, signature won't be checked even if
> > From: is in dkim_known_signers list.
>
> Then use something like
> condition = ${if match_domain{${domain:$h_from:}}{+dkim_known_signers}\
> {yes}{no}}
> instead?

Thanks for the condition, but if I read the documentation right,
acl_smtp_dkim is evaluated based on envelope-from, so including this
condition won't do me any good.

For example when I have a mail:

From somebogusaddress [at] spammydomain
.
.
.
From: <somename [at] mydomain>

and I have:

dkim_verify_signers = mydomain.tld:$dkim_signer

acl_smtp_dkim won't be called for this message (since spammydomain.tld
isn't included in dkim_verify_signers) and the condition you provided
won't be checked.

I'm looking for a way to check dkim signatures also for this kind of
spam.

Regards,
--
Robert Wysocki
Linux systems administrator
CONTIUM S.A., http://www.contium.pl





wbreyha at gmx

Apr 30, 2012, 3:37 PM

Post #10 of 11 (483 views)
Re: DKIM verification and envelope-from [In reply to]

On 2012-04-30 09:18, Robert Wysocki wrote:
> Thanks for the conditions, but if I read the documentation right,
> acl_smtp_dkim is evaluated based on envelope-from, so including this
> condition won't do me any good.

Which part of the documentation are you referring to?

Reading
http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html
2. Verifying DKIM signatures in incoming mail
clearly says:
"The global option dkim_verify_signers can be set to a colon-separated list
of DKIM domains or identities for which the ACL acl_smtp_dkim is called."

So...
> For example when I have a mail:
>
> From somebogusaddress [at] spammydomain
> .
> .
> .
> From: <somename [at] mydomain>
>
> and I have:
>
> dkim_verify_signers = mydomain.tld:$dkim_signer

... acl_smtp_dkim will be called for every domain you include in
dkim_verify_signers. mydomain.tld, too. And if you include spammydomain.tld
it will be checked, too.

Neither From: nor the envelope_from are automatically included in
dkim_verify_signers. It defaults to:
dkim_verify_signers = $dkim_signers

$dkim_signers is the list of domains found in DKIM signatures.

> acl_smtp_dkim won't be called for this message (since spammydomain.tld
> isn't included in dkim_verify_signers) and the condition you provided
> won't be checked.

acl_smtp_dkim is called for each domain in dkim_verify_signers. My
condition checks for the From:. Since mydomain.tld, the From: domain, is
included, it will trigger.

Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria

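Putting Wolfgang's answer together with Mike's ACL from post #4, here is an added example (not taken from either poster's configuration) of an Exim setup that keys the known-signer check on the From: header domain instead of the envelope sender, so the spoofed-From: case Robert describes is still checked. It assumes Mike's domainlist dkim_known_signers is defined elsewhere, and that $h_from: is already available when dkim_verify_signers is expanded after the message has been received.

```exim
# Added example: call acl_smtp_dkim for the From: header domain as well as
# for every domain that actually signed the message. A known signer named
# in From: is then always evaluated, whatever the envelope sender says.
# Assumption: $h_from: is available when dkim_verify_signers is expanded.
dkim_verify_signers = ${domain:$h_from:}:$dkim_signers

acl_smtp_dkim = acl_check_dkim

begin acl

acl_check_dkim:
  # Act only in the ACL run whose signer is the From: domain; runs for
  # other entries of dkim_verify_signers fall through to the final accept.
  # Known signer in From: with no, an invalid, or a failed signature.
  deny    condition   = ${if eq{$dkim_cur_signer}{${domain:$h_from:}}}
          condition   = ${if match_domain{$dkim_cur_signer}{+dkim_known_signers}}
          dkim_status = none:invalid:fail
          message     = Message from ${domain:$h_from:} (known signer) \
                        with invalid or missing DKIM signature
          logwrite    = DKIM DENY: From: domain ${domain:$h_from:} is a \
                        known signer but verification status is $dkim_verify_status

  # Known signer in From: with a valid signature.
  accept  condition   = ${if eq{$dkim_cur_signer}{${domain:$h_from:}}}
          condition   = ${if match_domain{$dkim_cur_signer}{+dkim_known_signers}}
          dkim_status = pass
          logwrite    = DKIM PASS: From: domain ${domain:$h_from:} is a \
                        known signer with a good signature
          add_header  = :after_received:X-DKIM-Result: \
                        Domain=${domain:$h_from:} Result=Good (Known Signer)

  # Anything else (unknown signer, or a run for a domain that is not the
  # From: domain): leave the decision to the remaining DKIM checks and ACLs.
  accept
```

With the sample message from post #9 (envelope sender at spammydomain.tld, From: at mydomain.tld, no signature) the ACL now runs with $dkim_cur_signer set to mydomain.tld and status none, so the deny fires when mydomain.tld is in dkim_known_signers.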


mike.tubby at thorcom

May 1, 2012, 12:01 AM

Post #11 of 11 (476 views)
Re: DKIM verification and envelope-from [In reply to]

On 30/04/2012 23:37, Wolfgang Breyha wrote:
> On 2012-04-30 09:18, Robert Wysocki wrote:
>> Thanks for the conditions, but if I read the documentation right,
>> acl_smtp_dkim is evaluated based on envelope-from, so including this
>> condition won't do me any good.
> Which part of the documentation are you referring to?
>
> Reading
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html
> 2. Verifying DKIM signatures in incoming mail
> clearly says:
> "The global option dkim_verify_signers can be set to a colon-separated list
> of DKIM domains or identities for which the ACL acl_smtp_dkim is called."
>
> So...
>> For example when I have a mail:
>>
>> From somebogusaddress [at] spammydomain
>> .
>> .
>> .
>> From:<somename [at] mydomain>
>>
>> and I have:
>>
>> dkim_verify_signers = mydomain.tld:$dkim_signer
> ... acl_smtp_dkim will be called for every domain you include in
> dkim_verify_signers. mydomain.tld, too. And if you include spammydomain.tld
> it will be checked, too.
>
> Neither From: nor the envelope_from are automatically included in
> dkim_verify_signers. It defaults to:
> dkim_verify_signers = $dkim_signers
>
> $dkim_signers is the list of domains found in DKIM signatures.
>
>> acl_smtp_dkim won't be called for this message (since spammydomain.tld
>> isn't included in dkim_verify_signers) and the condition you provided
>> won't be checked.
> acl_smtp_dkim is called for each domain in dkim_verify_signers. My
> condition checks for the From:. Since mydomain.tld, the From: domain, is
> included, it will trigger.
>
> Wolfgang

Which is why I have a database of "known signers" that I check first
(strict checking) and then I apply a looser set of heuristics to the rest.

For me the real problem is DKIM-signed messages on lists that may re-sign
the message and cause confusion.


Mike

