diff options
author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-05-13 11:36:20 +0100 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-05-13 11:40:37 +0100 |
commit | 23a41dae4ddb3c5ae48f90e03b67653881f93018 (patch) | |
tree | 899f2a67f88bfb360234ec264248460057915ba7 /src | |
parent | 2510567e0bcdca9ded2f9138d46adf5d976892c5 (diff) | |
download | rspamd-23a41dae4ddb3c5ae48f90e03b67653881f93018.tar.gz rspamd-23a41dae4ddb3c5ae48f90e03b67653881f93018.zip |
[Minor] Change the default list of oversigned headers
Trivia:
`Subject` header needs to be oversigned as an attacker could add some
'bad' subject to DKIM signed emails with no subject (rare but possible
case). This header is clearly displayed to a user hence, its presence as
well as absence MUST be oversigned explicitly.
`Reply-To` header is widely used to designate a special address used for
replies only but not for authentication checks. It is thus possible to
add a malicious `Reply-To` header to force users to reply to a DKIM
signed email to some attacker's controlled email address. It clearly
opens surface for social engineering like attacks and this header must
thus be unconditionally oversigned even if not presented in an original
message.
Issue: #2887
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/dkim_check.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/plugins/dkim_check.c b/src/plugins/dkim_check.c index 6ad748454..0cfea3f92 100644 --- a/src/plugins/dkim_check.c +++ b/src/plugins/dkim_check.c @@ -54,13 +54,13 @@ static const gchar *M = "rspamd dkim plugin"; static const gchar default_sign_headers[] = "" - "(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:" + "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:" "(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:" "resent-to:resent-cc:resent-from:resent-sender:resent-message-id:" "(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:" "list-subscribe:list-post:(x)openpgp:(x)autocrypt"; static const gchar default_arc_sign_headers[] = "" - "(o)from:(x)sender:(x)reply-to:(x)subject:(x)date:(x)message-id:" + "(o)from:(x)sender:(o)reply-to:(o)subject:(x)date:(x)message-id:" "(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-encoding:" "resent-to:resent-cc:resent-from:resent-sender:resent-message-id:" "(x)in-reply-to:(x)references:list-id:list-help:list-owner:list-unsubscribe:" |