On Mon, 2020-05-04 at 16:25 -0600, Grant Taylor wrote:
> I think $DatabaseTechnology's main benefit is keeping the password
> data outside of the configuration files.
> 
Agreed, in this sort of corner case.

>     select count(*) where log.key = md5(key);
> 
Neat.

> You can move the md5 generation into the SQL server.  Of course,
> you'd want to be mindful of the communications channel between
> SpamAssassin and the SQL server.
> 
I was thinking that the database/whatever would be populated by feeding
in lists of dsto=len passwords, since they seem to be more or less
freely and at least semi-legally available, but now I'm wondering if it
would be possible to use some sort of generic pattern matching to
trigger a rule associated with a more complex Perl module which would
extract the password string from a message, encrypt it and check it
against the database. It it hits, score the message as spam. If not,
either:

(a) lob its encrypted form into the DB and return a zero score

or

(b) write its plaintext form to a file for somebody to look at and
    decide whether its a false positive or to load it into the database.
    Either way the nonmatch should score zero.

Note: this depends on whether SA modules can adjust their triggering
rule's score  -I don't know if this is possible.

The sort of recognition rule I'm thinking of could be something as
simple as if its a Subject header with no spaces in the title and either
a known length or a prefix such as "password:" 

> I'm not sure how to have SpamAssassin iterate all the words in the 
> message through this routine.
> 
Presumably passwords in body text have some surrounding text you could
match on along the lines of money with menaces: 

"I know your bank password, which is xxxxxxxxx so pay me now".

However, since I've not seen any of these messages, this is probably the
point where somebody who is getting them will speak up and say that I'm
talking garbage. 

> If it requires a custom SpamAssassin module, then it might be better
> to do calculate the MD5 hash in SpamAssassin and avoid the security 
> implications between SpamAssassin and SQL server.
> 
That makes sense because the closer to source you can encrypt the
password the more secure the whole system becomes. Doing it at the
database end would require a fairly gung-ho database - one that supports
a built-in (usually proprietary) procedural language. 

PostgreSQL, SQLServer, Sybase, DB2 and other heavyweights have provide
procedural languages / stored procedures, but the likes of SQLite,
Derby, MariaDB probably do not.
 
Martin


Reply via email to