Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 29/06/17 21:59, Lena--- via Exim-users wrote: The Reply-To: header takes an address-list and is interpreted as such, and IIRC used in that way by some mail-clients when subscribed to mailing-lists but wanting personal copies of replies too. So the `rt:` ACL is going to calculate something which will emit bogus queries to an external service. I tested with `exim -be`. If Reply-To contains more than one address then ${address expands into empty string, the ${if def causes the code to not query anything: rt: warn set acl_m_rt = ${sg{${lc:${address:$header_Reply-To:}}}{\\+.*@}{@}} condition = ${if match{$acl_m_rt}{@gmail.com}} set acl_m_rt = ${sg{${local_part:$acl_m_rt}}{\\.}{}}@gmail.com deny condition = ${if def:acl_m_rt} condition = ${lookup{${domain:$acl_m_rt}}nwildlsearch\ {MLDOMAINS}{0}{1}} dnslists = ebl.msbl.org/${sha1:$acl_m_rt} log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \ From: $header_From:, envelope-from $sender_address, \ recipients=$recipients, Subject: $header_Subject: message = spam detected # 419 (Nigerian) scams often sent by humans, do not tell them # that the spam was detected with EBL http://msbl.org accept Wouldn't you want to check all the addresses, do something like ${map{${addresses:$h_reply-to:}}...? -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On Fri, Jun 30, 2017 at 3:16 AM, Phil Pennockwrote: > Doing predictable lookups based upon the full email address, not just > the domain, is drastically different from a privacy perspective. This > is the sort of thing which is sensitive metadata with reasonable privacy > expectations. Folks who go around sending cleartext queries to sites > across the open Internet which are long-term 1:1 tied to email addresses > are hindering their legal defense against future wiretap orders. While I agree with you in principle, the problem is that this is just about one link in the email delivery chain. It would be ideal that everybody understood and took care about this. However, we can't expect that they do, even if we do. People who are concerned about privacy about who they communicat with *cannot use email*. Seriously. They need to use more secure means of guarding their communication. -- Jan -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 2017-06-29 at 11:00 +0200, Jan Ingvoldstad via Exim-users wrote: > There are DNS lookups for the sender and recipient domains, and in the > case of spam filtering, there are often additional DNS lookups in > DNSBLs for URIs found in the message content. URIs, is a fair point, but privacy-focused services don't do those lookups anyway. If Gmail's outbound hosts connect to your server, you do a lookup based on IP, or upon "gmail.com", and you reveal nothing more than was observable already: Gmail connected to you. For a very few organizations which host mail for many domains, you _might_ additionally leak which domain was talked to, but since those will often be local they can be queried on local network, or for a client's domain, it might just be leaked anyway, but with a high probability of being cached. Doing predictable lookups based upon the full email address, not just the domain, is drastically different from a privacy perspective. This is the sort of thing which is sensitive metadata with reasonable privacy expectations. Folks who go around sending cleartext queries to sites across the open Internet which are long-term 1:1 tied to email addresses are hindering their legal defense against future wiretap orders. I *STRONGLY* encourage any postmaster considering deploying this technology to talk to their organization's legal counsel before doing so, to be sure that the implications are understood and to protect you from personal liability. -Phil signature.asc Description: Digital signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 2017-06-29 at 10:20 +0200, Jan Ingvoldstad via Exim-users wrote: > On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennockwrote: > > There could stand to be some privacy implications discussion too -- > > you're sending out, over the wire in unencrypted DNS packets, a > > predictable derivation of the Reply-To: header received for every email > > from a given domain. Using a cryptographic checksum protects against > > casual snoopers knowing, but does not protect against those with a > > dictionary of email addresses generating a reverse map and using that > > for lookups, so undermines a chunk of the TLS-by-default work going on > > by leaking metadata. Usual RBLs only leak that there was communication > > from an IP, which a network traffic sniffer could see anyway. > > Although SHA-1 is known to be weak, it's still a bit of work to brute > force it for a busy mailserver, but for a server that only sees > occasional traffic, there is legitimate concern. That's not how a reverse map dictionary works. Instead, you take the email addresses you care about, hash them, and just match those values. The reverse map gives you back the email address you care about, so you know who was talking. Your favorite acronym agency builds a list of observed hashes, and any time they get a new email address they care about, they can not only add it to automated matching, they can go back and look at all past recorded hashes, to see when email was sent out, to which domains. -Phil -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
> The Reply-To: header takes an address-list and is interpreted as such, > and IIRC used in that way by some mail-clients when subscribed to > mailing-lists but wanting personal copies of replies too. So the `rt:` > ACL is going to calculate something which will emit bogus queries to an > external service. I tested with `exim -be`. If Reply-To contains more than one address then ${address expands into empty string, the ${if def causes the code to not query anything: rt: warn set acl_m_rt = ${sg{${lc:${address:$header_Reply-To:}}}{\\+.*@}{@}} condition = ${if match{$acl_m_rt}{@gmail.com}} set acl_m_rt = ${sg{${local_part:$acl_m_rt}}{\\.}{}}@gmail.com deny condition = ${if def:acl_m_rt} condition = ${lookup{${domain:$acl_m_rt}}nwildlsearch\ {MLDOMAINS}{0}{1}} dnslists = ebl.msbl.org/${sha1:$acl_m_rt} log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \ From: $header_From:, envelope-from $sender_address, \ recipients=$recipients, Subject: $header_Subject: message = spam detected # 419 (Nigerian) scams often sent by humans, do not tell them # that the spam was detected with EBL http://msbl.org accept -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 29/06/17 10:00, Jan Ingvoldstad via Exim-users wrote: > Just look at the DNSSEC uptake. DNS over TLS is not going to happen > soon enough to make a difference here. If we never provide the tools, that'll be self-fulfilling. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On Thu, Jun 29, 2017 at 10:36 AM, Jeremy Harriswrote: > On 28/06/17 20:27, Phil Pennock wrote: >> There could stand to be some privacy implications discussion too -- >> you're sending out, over the wire in unencrypted DNS packets, a >> predictable derivation of the Reply-To: header received for every email >> from a given domain. > > Perhaps we need DNS-over-TLS? RFC 7858 (https://tools.ietf.org/html/rfc7858) But that only solves the issue partially. Additionally, there is already a lot of DNS information leakage regarding incoming (and often outgoing) e-mail. There are DNS lookups for the sender and recipient domains, and in the case of spam filtering, there are often additional DNS lookups in DNSBLs for URIs found in the message content. Ensuring that both the sending clients, outgoing MTA, the relay(s), the MXes, and the recipient spam plugins and antivirus and receiving clients all do DNS via TLS, seems like a very long way in coming. Just look at the DNSSEC uptake. DNS over TLS is not going to happen soon enough to make a difference here. :( -- Jan -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 28/06/17 20:27, Phil Pennock wrote: > There could stand to be some privacy implications discussion too -- > you're sending out, over the wire in unencrypted DNS packets, a > predictable derivation of the Reply-To: header received for every email > from a given domain. Perhaps we need DNS-over-TLS? -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennockwrote: > There could stand to be some privacy implications discussion too -- > you're sending out, over the wire in unencrypted DNS packets, a > predictable derivation of the Reply-To: header received for every email > from a given domain. Using a cryptographic checksum protects against > casual snoopers knowing, but does not protect against those with a > dictionary of email addresses generating a reverse map and using that > for lookups, so undermines a chunk of the TLS-by-default work going on > by leaking metadata. Usual RBLs only leak that there was communication > from an IP, which a network traffic sniffer could see anyway. Although SHA-1 is known to be weak, it's still a bit of work to brute force it for a busy mailserver, but for a server that only sees occasional traffic, there is legitimate concern. SHA-256 would be nice. Perhaps we (FSVO "we") should draft a proposal to the MSBL about using SHA-256 instead? -- Jan -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies
On 2017-06-28 at 18:19 +0300, Lena--- via Exim-users wrote: > How to use EBL in Exim config (requires Exim version 4.87 or higher): > https://github.com/Exim/exim/wiki/EBL Looks potentially useful. The Reply-To: header takes an address-list and is interpreted as such, and IIRC used in that way by some mail-clients when subscribed to mailing-lists but wanting personal copies of replies too. So the `rt:` ACL is going to calculate something which will emit bogus queries to an external service. There could stand to be some privacy implications discussion too -- you're sending out, over the wire in unencrypted DNS packets, a predictable derivation of the Reply-To: header received for every email from a given domain. Using a cryptographic checksum protects against casual snoopers knowing, but does not protect against those with a dictionary of email addresses generating a reverse map and using that for lookups, so undermines a chunk of the TLS-by-default work going on by leaking metadata. Usual RBLs only leak that there was communication from an IP, which a network traffic sniffer could see anyway. -Phil -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/