Hi, I happened to whitelist social sites, by creating a local.wdb which allows Banca Sella (a legitimate bank) to link to them in the footer of their newsletter:

    M:www.facebook.com:www.sella.it
    M:plus.google.com:www.sella.it
    M:www.youtube.com:www.sella.it

Thinking twice, those newsletters are DKIM signed by the bank, so it would have been much safer to rely on their signature. I could do that by holding Heuristics.* viruses, and quarantine only if the signature fails to verify. However, I still have to whitelist the possibly spoofed domain (sella.it) as a signer. Consider:

    DKIM-Signature: d=econofimmo-f.fr ...
    ...
    <a href="http://econofimmo-f.fr/X">www.sella.it</a>

In the latter case, the signer is not whitelisted and I'd quarantine the message even if the signature verifies.[1]

An alternative to whitelisting could be just checking that the signer is the looks-spoofed-domain. I can add a header field like so:

    Authentication-Results: me; dkim=pass header.d=sella.it

Then, I'd put whitelisting like (ehm, let me swell up the syntax just to express what I mean):

    M:*:/^Authentication-Results: me;.* header.d=([\-\.a-z]+)/

That would mean "match anything as long as the possibly spoofed domain is the captured string". Is anything like that possible?

Thanks
Ale

[1] An Authorized Third-Party Signature [RFC6541] could validate an affiliation just like it validates From:. That's definitely science fiction at this time. (BTW, who is econofimmo?)
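
The check proposed in this message, sketched as a stand-alone filter (an added example, not part of the original post and not ClamAV syntax or a ClamAV feature). The function names are hypothetical, the authserv-id "me" is taken from the post, and treating subdomains of the signer's d= domain as covered is an assumption:

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def dkim_pass_domains(msg, authserv_id="me"):
    """header.d values with dkim=pass, taken only from our own A-R fields."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        serv, _, results = value.partition(";")
        if serv.strip().lower() != authserv_id:
            continue  # field added by some other host: not trustworthy
        for res in results.split(";"):
            m = re.search(r"\bheader\.d\s*=\s*([a-z0-9.-]+)", res, re.I)
            if m and re.search(r"\bdkim\s*=\s*pass\b", res, re.I):
                domains.add(m.group(1).lower())
    return domains

class LinkCollector(HTMLParser):  # gathers (real_host, displayed_host) pairs
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            real = (urlsplit(self.href).hostname or "").lower()
            shown = HOST_RE.match(self.text.strip())
            if shown and real and shown.group(1).lower() != real:
                self.mismatches.append((real, shown.group(1).lower()))
            self.href = None

def verdict(raw_message):
    # Accept only if every displayed host belongs to a verified signer.
    msg = message_from_string(raw_message)
    signers = dkim_pass_domains(msg)
    links = LinkCollector()
    links.feed(msg.get_payload())
    bad = [(r, s) for r, s in links.mismatches  # assumption: subdomains count
           if not any(s == d or s.endswith("." + d) for d in signers)]
    return ("quarantine", bad) if bad else ("accept", [])

# Constructed sample built from the header and link quoted in the post.
SPOOFED = ("Authentication-Results: me; dkim=pass header.d=econofimmo-f.fr\n"
           'Content-Type: text/html\n\n<a href="http://econofimmo-f.fr/X">www.sella.it</a>')
```

This only holds if the receiving MTA removes any inbound Authentication-Results field that carries its own authserv-id before adding its own; otherwise a sender can supply the "pass" line themselves.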
