subject:"Re\: \[exim\] EBL\: blacklist for email addresses in Reply\-To and message bodies"

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-07-02 Thread Richard James Salts via Exim-users


On 29/06/17 21:59, Lena--- via Exim-users wrote:

The Reply-To: header takes an address-list and is interpreted as such,
and IIRC used in that way by some mail-clients when subscribed to
mailing-lists but wanting personal copies of replies too.  So the `rt:`
ACL is going to calculate something which will emit bogus queries to an
external service.

I tested with `exim -be`. If Reply-To contains more than one address
then  ${address  expands into empty string, the  ${if def
causes the code to not query anything:

rt:
   warn set acl_m_rt = ${sg{${lc:${address:$header_Reply-To:}}}{\\+.*@}{@}}
condition = ${if match{$acl_m_rt}{@gmail.com}}
set acl_m_rt = ${sg{${local_part:$acl_m_rt}}{\\.}{}}@gmail.com

   deny condition = ${if def:acl_m_rt}
condition = ${lookup{${domain:$acl_m_rt}}nwildlsearch\
  {MLDOMAINS}{0}{1}}
dnslists = ebl.msbl.org/${sha1:$acl_m_rt}
log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
From: $header_From:, envelope-from $sender_address, \
recipients=$recipients, Subject: $header_Subject:
message = spam detected
  # 419 (Nigerian) scams often sent by humans, do not tell them
  # that the spam was detected with EBL http://msbl.org

   accept


Wouldn't you want to check all the addresses, do something like 
${map{${addresses:$h_reply-to:}}...?


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Jan Ingvoldstad via Exim-users

On Fri, Jun 30, 2017 at 3:16 AM, Phil Pennock  wrote:
> Doing predictable lookups based upon the full email address, not just
> the domain, is drastically different from a privacy perspective.  This
> is the sort of thing which is sensitive metadata with reasonable privacy
> expectations.  Folks who go around sending cleartext queries to sites
> across the open Internet which are long-term 1:1 tied to email addresses
> are hindering their legal defense against future wiretap orders.

While I agree with you in principle, the problem is that this is just
about one link in the email delivery chain.

It would be ideal that everybody understood and took care about this.

However, we can't expect that they do, even if we do.

People who are concerned about privacy about who they communicat with
*cannot use email*. Seriously. They need to use more secure means of
guarding their communication.

-- 
Jan

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Phil Pennock

On 2017-06-29 at 11:00 +0200, Jan Ingvoldstad via Exim-users wrote:
> There are DNS lookups for the sender and recipient domains, and in the
> case of spam filtering, there are often additional DNS lookups in
> DNSBLs for URIs found in the message content.

URIs, is a fair point, but privacy-focused services don't do those
lookups anyway.

If Gmail's outbound hosts connect to your server, you do a lookup based
on IP, or upon "gmail.com", and you reveal nothing more than was
observable already: Gmail connected to you.  For a very few
organizations which host mail for many domains, you _might_ additionally
leak which domain was talked to, but since those will often be local
they can be queried on local network, or for a client's domain, it might
just be leaked anyway, but with a high probability of being cached.

Doing predictable lookups based upon the full email address, not just
the domain, is drastically different from a privacy perspective.  This
is the sort of thing which is sensitive metadata with reasonable privacy
expectations.  Folks who go around sending cleartext queries to sites
across the open Internet which are long-term 1:1 tied to email addresses
are hindering their legal defense against future wiretap orders.

I *STRONGLY* encourage any postmaster considering deploying this
technology to talk to their organization's legal counsel before doing
so, to be sure that the implications are understood and to protect you
from personal liability.

-Phil

signature.asc
Description: Digital signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Phil Pennock

On 2017-06-29 at 10:20 +0200, Jan Ingvoldstad via Exim-users wrote:
> On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennock  wrote:
> > There could stand to be some privacy implications discussion too --
> > you're sending out, over the wire in unencrypted DNS packets, a
> > predictable derivation of the Reply-To: header received for every email
> > from a given domain.  Using a cryptographic checksum protects against
> > casual snoopers knowing, but does not protect against those with a
> > dictionary of email addresses generating a reverse map and using that
> > for lookups, so undermines a chunk of the TLS-by-default work going on
> > by leaking metadata.  Usual RBLs only leak that there was communication
> > from an IP, which a network traffic sniffer could see anyway.
> 
> Although SHA-1 is known to be weak, it's still a bit of work to brute
> force it for a busy mailserver, but for a server that only sees
> occasional traffic, there is legitimate concern.

That's not how a reverse map dictionary works.

Instead, you take the email addresses you care about, hash them, and
just match those values.  The reverse map gives you back the email
address you care about, so you know who was talking.

Your favorite acronym agency builds a list of observed hashes, and any
time they get a new email address they care about, they can not only
add it to automated matching, they can go back and look at all past
recorded hashes, to see when email was sent out, to which domains.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Lena--- via Exim-users

> The Reply-To: header takes an address-list and is interpreted as such,
> and IIRC used in that way by some mail-clients when subscribed to
> mailing-lists but wanting personal copies of replies too.  So the `rt:`
> ACL is going to calculate something which will emit bogus queries to an
> external service.

I tested with `exim -be`. If Reply-To contains more than one address
then  ${address  expands into empty string, the  ${if def
causes the code to not query anything:

rt:
  warn  set acl_m_rt = ${sg{${lc:${address:$header_Reply-To:}}}{\\+.*@}{@}}
condition = ${if match{$acl_m_rt}{@gmail.com}}
set acl_m_rt = ${sg{${local_part:$acl_m_rt}}{\\.}{}}@gmail.com

  deny  condition = ${if def:acl_m_rt}
condition = ${lookup{${domain:$acl_m_rt}}nwildlsearch\
 {MLDOMAINS}{0}{1}}
dnslists = ebl.msbl.org/${sha1:$acl_m_rt}
log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
From: $header_From:, envelope-from $sender_address, \
recipients=$recipients, Subject: $header_Subject:
message = spam detected
  # 419 (Nigerian) scams often sent by humans, do not tell them
  # that the spam was detected with EBL http://msbl.org

  accept


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Jeremy Harris

On 29/06/17 10:00, Jan Ingvoldstad via Exim-users wrote:
> Just look at the DNSSEC uptake. DNS over TLS is not going to happen
> soon enough to make a difference here.

If we never provide the tools, that'll be self-fulfilling.
-- 
Cheers,
  Jeremy


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Jan Ingvoldstad via Exim-users

On Thu, Jun 29, 2017 at 10:36 AM, Jeremy Harris  wrote:
> On 28/06/17 20:27, Phil Pennock wrote:
>> There could stand to be some privacy implications discussion too --
>> you're sending out, over the wire in unencrypted DNS packets, a
>> predictable derivation of the Reply-To: header received for every email
>> from a given domain.
>
> Perhaps we need DNS-over-TLS?

RFC 7858 (https://tools.ietf.org/html/rfc7858)

But that only solves the issue partially.

Additionally, there is already a lot of DNS information leakage
regarding incoming (and often outgoing) e-mail.

There are DNS lookups for the sender and recipient domains, and in the
case of spam filtering, there are often additional DNS lookups in
DNSBLs for URIs found in the message content.

Ensuring that both the sending clients, outgoing MTA, the relay(s),
the MXes, and the recipient spam plugins and antivirus and receiving
clients all do DNS via TLS, seems like a very long way in coming.

Just look at the DNSSEC uptake. DNS over TLS is not going to happen
soon enough to make a difference here. :(
-- 
Jan

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Jeremy Harris

On 28/06/17 20:27, Phil Pennock wrote:
> There could stand to be some privacy implications discussion too --
> you're sending out, over the wire in unencrypted DNS packets, a
> predictable derivation of the Reply-To: header received for every email
> from a given domain.

Perhaps we need DNS-over-TLS?
-- 
Cheers,
  Jeremy


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Jan Ingvoldstad via Exim-users

On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennock  wrote:
> There could stand to be some privacy implications discussion too --
> you're sending out, over the wire in unencrypted DNS packets, a
> predictable derivation of the Reply-To: header received for every email
> from a given domain.  Using a cryptographic checksum protects against
> casual snoopers knowing, but does not protect against those with a
> dictionary of email addresses generating a reverse map and using that
> for lookups, so undermines a chunk of the TLS-by-default work going on
> by leaking metadata.  Usual RBLs only leak that there was communication
> from an IP, which a network traffic sniffer could see anyway.

Although SHA-1 is known to be weak, it's still a bit of work to brute
force it for a busy mailserver, but for a server that only sees
occasional traffic, there is legitimate concern.

SHA-256 would be nice.

Perhaps we (FSVO "we") should draft a proposal to the MSBL about using
SHA-256 instead?

-- 
Jan

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-28 Thread Phil Pennock

On 2017-06-28 at 18:19 +0300, Lena--- via Exim-users wrote:
> How to use EBL in Exim config (requires Exim version 4.87 or higher):
> https://github.com/Exim/exim/wiki/EBL

Looks potentially useful.

The Reply-To: header takes an address-list and is interpreted as such,
and IIRC used in that way by some mail-clients when subscribed to
mailing-lists but wanting personal copies of replies too.  So the `rt:`
ACL is going to calculate something which will emit bogus queries to an
external service.

There could stand to be some privacy implications discussion too --
you're sending out, over the wire in unencrypted DNS packets, a
predictable derivation of the Reply-To: header received for every email
from a given domain.  Using a cryptographic checksum protects against
casual snoopers knowing, but does not protect against those with a
dictionary of email addresses generating a reverse map and using that
for lookups, so undermines a chunk of the TLS-by-default work going on
by leaking metadata.  Usual RBLs only leak that there was communication
from an IP, which a network traffic sniffer could see anyway.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

10 matches

Site Navigation

Mail list logo

Footer information