SA will segv on forged DomainKeys sig

2007-07-29 Thread Michael Scheidell
Heads up to amavisd-new users:  lots of emails in mailq, stuck at
127.0.0.1:

B18A1524C2D   27169 Sat Jul 28 15:50:18  [EMAIL PROTECTED]
(lost connection with 127.0.0.1[127.0.0.1] while sending end of data --
message may be sent more than once)
 [EMAIL PROTECTED]

SpamAssassin users, maybe same thing, not sure if spamd would segv.

Not sure where to start on this, if SA should not even pass the key to
DKIM plugin (or mark it trashed and drop it) or maybe have clamav mark it
as a virus first? Or if this is a bug in Mail-DKIM?

I found several systems, running SA 3.2.1, and Mail-DKIM.pm .26 that
will SEGV on a forged DomainKeys signature.
(sample email available upon request)

Run email through spamassassin -t, get this:

 spamassassin -t  sample.eml
[54400] warn: Premature end of base64 data at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
line 86.
[54400] warn: Premature padding of base64 data at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
line 86.

Spamassassin -tL file (because it only does local tests)

Forged DomainKeys:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;
  b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34
  Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw4
  5uxAKTERTph61=  ;

(note the \s\s; gap at end?)

I don't think DomainKey signatures have a \s\s; at end (not real ones)

And, no, it didn't come from yahoo, but is forged to look like it did.

Received: from c.mx.mail.yahoo.com (unknown [116.217.231.217])
by GSNJSPT01.galaxy.lan (Postfix) with ESMTP id 82BA9524C26

-- 
Michael Scheidell, CTO
http://www.secnap.com/events for free and discounted seminar tickets 
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_
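As an added illustration (not code from this thread, nor from Mail::DKIM or SpamAssassin), a small Python pre-check that unfolds a DomainKey-Signature header and rejects a structurally bad b= value before any decoder or crypto library sees it; the header sample is constructed from the forged one quoted above, and the two "premature" conditions are my own structural rules, not a claim about how MIME::Base64 decides to warn.

```python
import re

# Constructed sample modelled on the forged header quoted above (the real sample
# email is not on the page); folding and the trailing "  ;" are reproduced.
FORGED_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;\r\n"
    "  s=s1024; d=yahoo.com;\r\n"
    "  h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date;\r\n"
    "  b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34\r\n"
    "  Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw4\r\n"
    "  5uxAKTERTph61=  ;"
)
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

def parse_domainkey_sig(header):
    """Unfold a DomainKey-Signature header and return its tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)   # join folded continuation lines
    name, sep, body = unfolded.partition(":")
    if not sep or name.strip().lower() != "domainkey-signature":
        raise ValueError("not a DomainKey-Signature header")
    tags = {}
    for field in body.split(";"):
        if not field.strip():
            continue                                  # empty field after the trailing ';'
        tag, eq, value = field.partition("=")         # first '=' only; b= itself ends in '='
        if not eq:
            raise ValueError("malformed tag: %r" % field)
        tags[tag.strip()] = value.strip()
    return tags

def check_b64_signature(value):
    """Structural checks on b= before any decoder sees it; [] means well-formed."""
    compact = re.sub(r"\s+", "", value)               # folding whitespace is legal inside b=
    problems = []
    bad = sorted(set(compact) - B64_ALPHABET - {"="})
    if bad:
        problems.append("characters outside base64 alphabet: %r" % bad)
    if len(compact) % 4:
        problems.append("premature end: length %d is not a multiple of 4" % len(compact))
    pad_at = compact.find("=")
    if pad_at != -1:
        pad = compact[pad_at:]
        if pad.strip("="):
            problems.append("premature padding: data follows '='")
        elif len(pad) > 2:
            problems.append("premature padding: %d pad characters" % len(pad))
        elif pad_at % 4 < 2:
            problems.append("premature padding: '=' after only %d chars of its quartet" % (pad_at % 4))
    return problems
```

On the constructed forgery the b= value is 170 characters with a lone "=" in an impossible position, so both a "premature end" and a "premature padding" problem are reported, and a filter can score or drop the message instead of handing the value to the verifier.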


RE: [AMaViS-user] SA will segv on forged DomainKeys sig

2007-07-29 Thread Michael Scheidell
Followup to my post:

I upgraded all the dependencies and while it still complains, SA no
longer Segv's

drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Digest-SHA-5.45
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-RSA-0.25
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-Bignum-0.04
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-Random-0.04

I will try to see which one of these fixed it and submit it to Jason
Long as a dependency.
If anyone wants to try my sample email, let me know and I'll zip and
send it to you.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news


Re: [AMaViS-user] SA will segv on forged DomainKeys sig

2007-07-29 Thread Matus UHLAR - fantomas
On 29.07.07 09:29, Michael Scheidell wrote:
> Followup to my post:
>
> I upgraded all the dependencies and while it still complains, SA no
> longer Segv's

I'd say it should score, not complain about forged domainkeys signature :)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
It's now safe to throw off your computer.