Re: WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs (fwd)

2017-12-06 Thread David Woodfall

Has mutt got this vulnerability?


--


-- Forwarded message --
Date: Tue, 5 Dec 2017 15:14:15
From: Jude610610 DaShiell513 
To: jdash...@panix.com
Subject: WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs


‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
WIRED

The attack uncovers bugs in how more than a dozen programs implement email's 
creaky protocol. Read the full story


Shared from Apple News



Sent from my iPhone


I tried to spoof the from address with the example utf8 code, but mutt
printed it out verbatim.

You could try piping a message to less using another charset:

macro  pager,index O |"fmt -s|LESSCHARSET=iso8859 less"

That tends to get rid of utf8 glyphs in the headers and message. I'm
not saying that it will work for those exploits though.

D


Re: WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs (fwd)

2017-12-05 Thread Will Yardley
On Tue, Dec 05, 2017 at 05:35:45PM -0800, Ian Zimmerman wrote:
> > The attack uncovers bugs in how more than a dozen programs implement
> > email's creaky protocol. Read the full story
> 
> With such a tendentious title, I'm not sure I should take anything in
> the article seriously.  SMTP is a cleaner and more foolproof protocol
> (when correctly implemented) than most that came after it.

Also, it almost makes it sound as if it's able to spoof the actual headers
(i.e., the Received lines). In reality, it targets bugs in rendering the
From line. I would say that it does create an email that would fool most
people...

I tried a couple of the more generic test attacks against Mutt and (as
expected), they didn't seem to fool it. I didn't try all 14 though.

w
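
Added example, not part of any post in this thread and not Mutt's code: a defensive check for the From-line rendering issue discussed above, which decodes RFC 2047 encoded-words and shows control characters as escapes instead of emitting them, comparable to a client printing the header verbatim. It assumes the spoofed headers rely on encoded-words that decode to control characters, which the thread does not state; `inspect_from` and both sample headers are constructed for illustration.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def _decode_word(match):
    """Decode one encoded-word to text; return the raw token if malformed."""
    charset, encoding, payload = match.groups()
    try:
        if encoding.lower() == "b":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        else:
            raw = binascii.a2b_qp(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    except (binascii.Error, LookupError, ValueError):
        return match.group(0)


def _is_control(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def inspect_from(header_value):
    """Return (safe_rendering, suspicious) for an unfolded From header value."""
    decoded = ENCODED_WORD.sub(_decode_word, header_value)
    suspicious = any(_is_control(c) for c in decoded)
    # Render control characters visibly so nothing is silently truncated.
    safe = "".join(f"\\x{ord(c):02x}" if _is_control(c) else c for c in decoded)
    return safe, suspicious


# Constructed sample headers (assumptions, not taken from the thread).
_name = base64.b64encode(b"Accounts Team\x00\n").decode("ascii")
SAMPLE_SUSPECT = f"=?utf-8?b?{_name}?= <someone@example.net>"
SAMPLE_BENIGN = "=?utf-8?q?J=C3=BCrgen_Example?= <juergen@example.org>"

if __name__ == "__main__":
    for header in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        rendered, flagged = inspect_from(header)
        print("SUSPICIOUS" if flagged else "ok", "|", rendered)
```
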



Re: WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs (fwd)

2017-12-05 Thread Ian Zimmerman
> The attack uncovers bugs in how more than a dozen programs implement
> email's creaky protocol. Read the full story

With such a tendentious title, I'm not sure I should take anything in
the article seriously.  SMTP is a cleaner and more foolproof protocol
(when correctly implemented) than most that came after it.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.



WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs (fwd)

2017-12-05 Thread Jude DaShiell

Has mutt got this vulnerability?


--


-- Forwarded message --
Date: Tue, 5 Dec 2017 15:14:15
From: Jude610610 DaShiell513 
To: jdash...@panix.com
Subject: WIRED: ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs


‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
WIRED

The attack uncovers bugs in how more than a dozen programs implement email's 
creaky protocol. Read the full story


Shared from Apple News



Sent from my iPhone