Re: Email::Address easily spoofed
Hans Dieter Pearcey wrote:

> I mean what the OP said he was using it for: running various commands when
> messages are received.

But that can be something as soft as (as it turned out), a mailing list response. Which was actually *my* first thought (unsurprisingly).

> I'm not talking about whether or not this is a bug in E::A; I'm addressing the
> design (flaws) of using E::A specifically and From header parsing generally to
> do this kind of authentication.

I figure using it for authentication is just fine. It's how much authorization you credit to that sort of authorization that matters.

I had, to be honest, figured by the time we got this grossly into the future (thank you, SpamAssassin), we'd be seeing spambots smart enough to recognize mailing lists, and to match up incoming "From" addresses with the mailing list address to successfully forge from-a-subscriber mails.

But we haven't, which probably says more about the decline of mailing lists than about the sophistication of spammers, so it's still fairly safe to trust a From line that you recognize. At least, given some other basic spam filtering has taken place.
Re: Email::Address easily spoofed
Excerpts from Karen Cravens's message of Wed Jan 06 11:29:15 -0500 2010:

> Depends on what you mean by access control.

I mean what the OP said he was using it for: running various commands when messages are received.

> You'd still want E::A to parse it properly, if only so you can test for
> "If the comment is a valid email address, but doesn't match the
> bracketed email address, it's spam."

I'm not talking about whether or not this is a bug in E::A; I'm addressing the design (flaws) of using E::A specifically and From header parsing generally to do this kind of authentication.

(It probably is a bug, but I have no good suggestions for resolution.)

hdp.
Re: Email::Address easily spoofed
On Jan 6, 2010, at 6:14 AM, Hans Dieter Pearcey wrote:

> If you are relying on From (or Sender) headers for access control, you have
> already lost. Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.

OK - my apologies for such foolish questions, but what then does a typical discussion list system use to stop such abuse? I'm guessing, perhaps the answer is, "nothing much else" - there was a story about even Google Groups having this problem:

http://ejohn.org/blog/google-groups-is-dead/

As far as, "access control" - this is basically just for a different mailing list manager (my thingy, not google groups), so the most malicious thing that happens is that a spam gets posted to a discussion list. I can deal with that from time to time (and there's a moderation system to help that out, as well).

What I've done is just have an option to not allow multiple addresses cited in the From: headers (and not allowing multiple From: headers as well). It's not perfect, but it'll help perhaps:

    #!/usr/bin/perl
    use strict;
    use Email::Address;

    my $from = q...@example.com };

    if(scalar(Email::Address->parse($from)) > 1){
        print "yikes! no support for that!";
    }

On Jan 6, 2010, at 6:14 AM, Hans Dieter Pearcey wrote:

> Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:
>>> But that can already easily be done, I can just put
>>>
>>> From: You
>>>
>>> in my email headers.
>>
>> OK - what should I do about that? What's the general wisdom to help thwart
>> that? Use the Sender: header? Both? Something more fancy?
>
> If you are relying on From (or Sender) headers for access control, you have
> already lost. Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.
>
> If you want authentication, you'll need to either write your own layer on top
> of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway
> in front of your mail processor that does it (e.g. IP-based filtering in your
> MTA, SASL auth).
>
> hdp.
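The two heuristics raised in this thread (Justin's rule of one From: header holding one address, and Karen's test for a display phrase that is itself an address but differs from the bracketed one), combined as an added example that is not code from any post. `vet_from` and the sample headers are constructed for illustration; per hdp's point, this is a filtering step that routes suspicious posts to moderation, not authentication.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Email::Address;

# Hypothetical helper. @from_headers holds the raw value of every From:
# header found in the message. Returns (1, $address) when the posting
# may proceed, or (0, $reason) when it should be held for moderation.
sub vet_from {
    my (@from_headers) = @_;

    return (0, 'expected exactly one From: header')
        unless @from_headers == 1;

    # Count whatever the parser sees, comma-separated or not.
    my @addrs = Email::Address->parse($from_headers[0]);
    return (0, 'expected exactly one address in From:')
        unless @addrs == 1;

    my $addr   = $addrs[0];
    my $phrase = defined $addr->phrase ? $addr->phrase : '';
    $phrase =~ s/\A\s*"//;    # tolerate a phrase that kept its quotes
    $phrase =~ s/"\s*\z//;

    # A display phrase that parses as an address of its own must match
    # the mailbox the message claims to come from.
    for my $shown (Email::Address->parse($phrase)) {
        return (0, 'display phrase shows a different address')
            if lc($shown->address) ne lc($addr->address);
    }
    return (1, $addr->address);
}

# Constructed sample headers; every address is a placeholder.
my @samples = (
    [ 'Alice <alice@example.com>' ],
    [ '"alice@example.com" <mallory@example.net>' ],
    [ 'alice@example.com, mallory@example.net' ],
    [ 'alice@example.com', 'mallory@example.net' ],
);

for my $headers (@samples) {
    my ($ok, $detail) = vet_from(@$headers);
    printf "%-45s %s: %s\n", join(' | ', @$headers),
        ($ok ? 'accept' : 'hold'), $detail;
}
```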
Re: Email::Address easily spoofed
Hans Dieter Pearcey wrote:

> If you are relying on From (or Sender) headers for access control, you have
> already lost. Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.

Depends on what you mean by access control. I can easily see where you'd want to use it as part of your spam filtering, which might be considered a soft authentication.

For example, I've seen spam with a pattern like this:

From: phishsch...@somebankorother

I'm guessing the use of the infected user's real address (or at least one that's not likely to be blacklisted) gets the thing through the infected user's ISP, and then (so the phisher hopes) the recipient only sees the "comment" and assumes it's the actual source.

You'd still want E::A to parse it properly, if only so you can test for "If the comment is a valid email address, but doesn't match the bracketed email address, it's spam."
Re: Email::Address easily spoofed
Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:

> > But that can already easily be done, I can just put
> >
> > From: You
> >
> > in my email headers.
>
> OK - what should I do about that? What's the general wisdom to help thwart
> that? Use the Sender: header? Both? Something more fancy?

If you are relying on From (or Sender) headers for access control, you have already lost. Almost every part of the email header and SMTP transaction can be faked by a malicious user.

If you want authentication, you'll need to either write your own layer on top of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway in front of your mail processor that does it (e.g. IP-based filtering in your MTA, SASL auth).

hdp.
Re: Email::Address easily spoofed
On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> What is the actual spoofing problem that occurs?

The spoofing occurs, since the system receives mail with a From: header like this:

From: m...@example.com

Which looks like a From: line with a comment, and then the email address (in brackets).

If I use the code I posted:

    my $address = ( Email::Address->parse($from) )[0]->address;
    print $address . "\n";

The address that gets returned is, $address - what's in the comment field, not the actual address. Certain actions are taken, depending on what address gets mailed to, so the spoofing address (spoofer.addr...@malicious-site.com) is gaining access to privileges that the other address has (m...@example.com).

> Is the problem that it seems to
> come from m...@example.com?

Yes.

> But that can already easily be done, I can just put
>
> From: You
>
> in my email headers.

OK - what should I do about that? What's the general wisdom to help thwart that? Use the Sender: header? Both? Something more fancy?

>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.
>

I agree - but it's what I'm receiving from someone sending messages to the system - I can't control it, I'm just trying to catch it.

Justin

On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> Hi Justin,
>
> Justin Skazat wrote:
>> I'm starting to get reports from users who are saying my code that relies on
>> Email::Address is getting spoofed. Here's a small example:
>>
>> [...]
>>
>> my $from = q...@example.com };
>>
>> [...]
>>
>> As you can see, it just takes the phrase unquoted to trip this up. The first
>> example is most likely incorrect formatting, but still works when it comes to
>> sending the messages out for my system to receive it. Ugh.
>
> What is the actual spoofing problem that occurs? Is the problem that it seems
> to come from m...@example.com? But that can already easily be done, I can just
> put
>
> From: You
>
> in my email headers.
>
>> Any tried and true way to catch this spoofing? I think what's happening is
>> that Email::Address is parsing the line as if there's two valid addresses,
>> since I can also do this:
>>
>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.
>
>> As far as I can grok, having multiple From: addresses doesn't really make
>> much sense (is it legal?)
>
> Yes, according to RFC 2822, but they must be separated by commas.
>
> --
> Matijs
Re: Email::Address easily spoofed
On Tue, Jan 5, 2010 at 2:17 AM, Matijs van Zuijlen wrote:

> > As far as I can grok, having multiple From: addresses doesn't really make
> > much sense (is it legal?)
>
> Yes, according to RFC 2822, but they must be separated by commas.

Consider a letter which is written by multiple people. One person does the actual delivery.

When multiple addresses are in the From: field, the Sender: field must have an address in it. The person who did the sending, probably the assistant. :-)

Cheers,
Casey
Re: Email::Address easily spoofed
Hi Justin,

Justin Skazat wrote:

> I'm starting to get reports from users who are saying my code that relies on
> Email::Address is getting spoofed. Here's a small example:
>
> [...]
>
> my $from = q...@example.com };
>
> [...]
>
> As you can see, it just takes the phrase unquoted to trip this up. The first
> example is most likely incorrect formatting, but still works when it comes to
> sending the messages out for my system to receive it. Ugh.

What is the actual spoofing problem that occurs? Is the problem that it seems to come from m...@example.com? But that can already easily be done, I can just put

From: You

in my email headers.

> Any tried and true way to catch this spoofing? I think what's happening is
> that Email::Address is parsing the line as if there's two valid addresses,
> since I can also do this:
>
> $address = ( Email::Address->parse($from) )[1]->address; print $address .
> "\n"; # prints: spoofer.addr...@malicious-site.com

That's a bug. The email addresses should be separated by commas.

> As far as I can grok, having multiple From: addresses doesn't really make
> much sense (is it legal?)

Yes, according to RFC 2822, but they must be separated by commas.

--
Matijs