Limiting the number of domains/signatures verifications

From: Alessandro Vesely <vesely_at_tana.it>
Date: Tue, 09 Oct 2012 09:50:51 +0200

Hi all,
I'm revising the use I make of libopendkim and have a couple of questions.

Opendkim is limiting the total number of verified signatures since
v2.3.0 (feature request #SF3109963). I'm adding a prescreen callback
now, in order to do something similar. However, my filter sorts
signatures using an O(n^2) algorithm (gnome sort) which is good for a
few signatures only. Dealing with thousands of signatures might cause
it to hiccup even if most of them are set to be ignored. One question
is: Does it make sense, in your opinion, to reject outright the
messages that have more than, say, 100 signatures?

The second point is about grouping signatures by domain. A domain may
sign the same message multiple times, e.g. if they are changing
selector, experimenting with different canonicalizations, or because
the message happened to pass through their MTAs multiple times. In
the latter case, I reason, the topmost signatures are the first ones
in the dkim_siglist array; that is, the ones added to the message more
recently, and thus having more chances to verify. Is it harsh to just
consider the topmost, say, four signatures of each signer?

BTW, it seems opendkim would accept any number of signatures by the
author domain. Either this kind of attack never shows up, or it
passes unnoticed, I'd say.
Received on Tue Oct 09 2012 - 07:51:04 PST