Damian via Postfix-users:
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n

That is not a viable spoofing attack pattern. To understand why, recall that an authenticated attacker sends an email message to email service A, that contains a non-standard End-of-DATA in the middle followed by attempted spoofed SMTP commands and message content shown as indented text.

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    non-standard End-of-DATA
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            <<== or BDAT if available
        message content
    real End-of-DATA

The attacker's goal is that email service A delivers the message to someone at email service B. That service confuses the non-standard End-of-DATA with a real End-of-DATA, and delivers a message from <spoofed> to <victim>.

When the attack is successful, the attacker can impersonate any sender in any email domain that is hosted at email service A, and still pass the sender domain's SPF-based DMARC policy at email service B.

Coming back to the attack pattern <CR><LF>.<CR><CR><LF>, or more generally, <CR><LF>.whatever. Note that this has '.' at the start of a line.

Mail service A, as required by RFC 5321, prepends a '.' to each line that starts with '.'. What it sends to email service B is (attempted spoofed commands and message shown indented):

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    <CR><LF>..whatever          <<== note the '..' here
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            <<== or BDAT if available
        message content
    real End-of-DATA

When email service B receives the <CR><LF>..whatever, there is no confusion whether this is End-of-DATA. No message is delivered from <spoofed> to <victim>, instead someone received one email message with SMTP commands in the middle.

In summary, this attack does not work. I'll update the stable releases to pacify test tools, but that is a lower priority.
Meanwhile I'd request that tool developers avoid vulnerability claims based on patterns that are not viable for spoofing attacks.

	Wietse
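The dot-stuffing argument in the message above, as a runnable sketch. This is an added example, not code from the message or from Postfix: the lenient End-of-DATA matcher for service B is an assumption modelled on the `<CR><LF>.<CR><CR><LF>` pattern in the thread, and the sample message is constructed.

```python
import re

# Constructed sample: DATA content the authenticated sender submits to
# service A, with <CR><LF>.<CR><CR><LF> in the middle (pattern from the thread).
SUBMITTED = (
    b"Subject: hello\r\n"
    b"\r\n"
    b"message content\r\n"
    b".\r\r\n"
    b"mail from:<spoofed>\r\n"
    b"rcpt to:<victim>\r\n"
    b"data\r\n"
    b"message content\r\n"
)

def dot_stuff(body: bytes) -> bytes:
    """RFC 5321 transparency: prepend '.' to each line that starts with '.'."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)

def dot_unstuff(body: bytes) -> bytes:
    """Receiver side: remove the one leading '.' the sender added."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(ln[1:] if ln.startswith(b".") else ln for ln in lines)

def send_from_a(body: bytes) -> bytes:
    """What service A puts on the wire to B: stuffed body plus real End-of-DATA."""
    return dot_stuff(body) + b".\r\n"

# Assumption: a hypothetical lenient service B that also accepts extra <CR>
# characters after the lone '.', i.e. <CR><LF>.<CR>...<CR><LF>.
LENIENT_END_OF_DATA = re.compile(rb"\r\n\.\r+\n")

def messages_seen_by_b(wire: bytes) -> list[bytes]:
    """Split the DATA stream wherever lenient B would see End-of-DATA."""
    return [chunk for chunk in LENIENT_END_OF_DATA.split(wire) if chunk]

if __name__ == "__main__":
    wire = send_from_a(SUBMITTED)
    print(wire.decode().replace("\r", "<CR>"))
    print("messages seen by B:", len(messages_seen_by_b(wire)))
```
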