authorVsevolod Stakhov <vsevolod@highsecure.ru>2019-05-13 11:36:20 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2019-05-13 11:40:37 +0100
commit23a41dae4ddb3c5ae48f90e03b67653881f93018 (patch)
tree899f2a67f88bfb360234ec264248460057915ba7 /src
parent2510567e0bcdca9ded2f9138d46adf5d976892c5 (diff)
[Minor] Change the default list of oversigned headers
Trivia: the `Subject` header needs to be oversigned because an attacker could add a 'bad' subject to a DKIM-signed email that has no subject (a rare but possible case). This header is clearly displayed to the user; hence both its presence and its absence MUST be oversigned explicitly. The `Reply-To` header is widely used to designate a special address used only for replies, not for authentication checks. It is thus possible to add a malicious `Reply-To` header to force users who reply to a DKIM-signed email to send their reply to an attacker-controlled address. This clearly opens a surface for social-engineering-like attacks, so this header must be unconditionally oversigned even if it is not present in the original message. Issue: #2887
Diffstat (limited to 'src')
-rw-r--r--src/plugins/dkim_check.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/plugins/dkim_check.c b/src/plugins/dkim_check.c
index 6ad748454..0cfea3f92 100644
--- a/src/plugins/dkim_check.c
+++ b/src/plugins/dkim_check.c
@@ -54,13 +54,13 @@
static const gchar *M = "rspamd dkim plugin";
static const gchar default_sign_headers[] = ""
- "(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:"
+ "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"
"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"
"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"
"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"
"list-subscribe:list-post:(x)openpgp:(x)autocrypt";
static const gchar default_arc_sign_headers[] = ""
- "(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:"
+ "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:"
"(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:"
"resent-to:resent-cc:resent-from:resent-sender:resent-message-id:"
"(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:"