this being some sort of existential threat. Can someone come
up with a scenario where this really could be evil and isn't
trivially fixed by... making spam filters insist that they're
really receiving valid 5322 as one of their rules?
If one does real whitelisting based on valid signature from senders known
to be well behaved, it would be a pain if we had to run everything through
spamassassin anyway.
Mike, I only have vague recollection of the h= trick anymore...
You list all the headers you sign in h= list, and you can include headers
that don't exist, which means that they can't exist when verified either.
So for a header that occurs N times, you can list it N+1 times in h= to
ensure that more aren't added. The original motivation was usually N=0 to
avoid games played by adding MIME headers to messages that don't have
them, but it's generally applicable.
Having the signer put the extra junk in h= should make existing verifiers
do the right thing, although I doubt the bit of verification code that
checks for the non-existence of the N+1st header for N>0 is well tested in
DKIM implementations.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html