Re: Email::Address easily spoofed

2010-01-07 Thread Karen Cravens

Hans Dieter Pearcey wrote:


> I mean what the OP said he was using it for: running various commands when
> messages are received.


But that can be something as soft as (as it turned out), a mailing list 
response. Which was actually *my* first thought (unsurprisingly).



> I'm not talking about whether or not this is a bug in E::A; I'm addressing the
> design (flaws) of using E::A specifically and From header parsing generally to
> do this kind of authentication.


I figure using it for authentication is just fine. It's how much 
authorization you credit to that sort of authorization that matters.


I had, to be honest, figured by the time we got this grossly into the 
future (thank you, SpamAssassin), we'd be seeing spambots smart enough 
to recognize mailing lists, and to match up incoming From addresses 
with the mailing list address to successfully forge from-a-subscriber 
mails. But we haven't, which probably says more about the decline of 
mailing lists than about the sophistication of spammers, so it's still 
fairly safe to trust a From line that you recognize. At least, given 
some other basic spam filtering has taken place.





Re: Email::Address easily spoofed

2010-01-06 Thread Hans Dieter Pearcey
Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:
> > But that can already easily be done, I can just put
> >
> >   From: You m...@example.com
> >
> > in my email headers.
>
> OK - what should I do about that? What's the general wisdom to help thwart
> that? Use the Sender: header? Both? Something more fancy?

If you are relying on From (or Sender) headers for access control, you have
already lost.  Almost every part of the email header and SMTP transaction can
be faked by a malicious user.

If you want authentication, you'll need to either write your own layer on top
of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway
in front of your mail processor that does it (e.g. IP-based filtering in your
MTA, SASL auth).

hdp.


Re: Email::Address easily spoofed

2010-01-06 Thread Karen Cravens

Hans Dieter Pearcey wrote:


> If you are relying on From (or Sender) headers for access control, you have
> already lost.  Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.


Depends on what you mean by access control. I can easily see where you'd 
want to use it as part of your spam filtering, which might be considered 
a soft authentication. For example, I've seen spam with a pattern like this:


From: phishsch...@somebankorother botinfec...@legitisp

I'm guessing the use of the infected user's real address (or at least 
one that's not likely to be blacklisted) gets the thing through the 
infected user's ISP, and then (so the phisher hopes) the recipient only 
sees the comment and assumes it's the actual source.


You'd still want E::A to parse it properly, if only so you can test for 
If the comment is a valid email address, but doesn't match the 
bracketed email address, it's spam.




Re: Email::Address easily spoofed

2010-01-06 Thread Justin Skazat

On Jan 6, 2010, at 6:14 AM, Hans Dieter Pearcey wrote:

> If you are relying on From (or Sender) headers for access control, you have
> already lost.  Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.

OK - my apologies for such foolish questions, but what then does a typical 
discussion list system use to stop such abuse? I'm guessing, perhaps the answer 
is, nothing much else - there was a story about even Google Groups having 
this problem: 

http://ejohn.org/blog/google-groups-is-dead/

As far as, access control - this is basically just for a different mailing 
list manager (my thingy, not google groups), so the most malicious thing that 
happens is that a spam gets posted to a discussion list. I can deal with that 
from time to time (and there's a moderation system to help that out, as well) 

What I've done is just have an option to not allow multiple addresses cited in 
the From: headers (and not allowing multiple From: headers as well). It's not 
perfect, but it'll help perhaps: 


#!/usr/bin/perl
use strict;
use Email::Address;

my $from  = q...@example.com spoofer.addr...@malicious-site.com};

# Refuse a From: value that parses as more than one address.
if(scalar(Email::Address->parse($from)) > 1){
    print "yikes! no support for that!";
}


  

On Jan 6, 2010, at 6:14 AM, Hans Dieter Pearcey wrote:

> Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:
> > > But that can already easily be done, I can just put
> > >
> > >   From: You m...@example.com
> > >
> > > in my email headers.
> >
> > OK - what should I do about that? What's the general wisdom to help thwart
> > that? Use the Sender: header? Both? Something more fancy?
>
> If you are relying on From (or Sender) headers for access control, you have
> already lost.  Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.
>
> If you want authentication, you'll need to either write your own layer on top
> of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway
> in front of your mail processor that does it (e.g. IP-based filtering in your
> MTA, SASL auth).
>
> hdp.
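
The two checks discussed in this thread (refusing more than one From: header or mailbox, and flagging a display part that contains an address different from the bracketed one), as an added example that is not code from any poster or from Email::Address. The helper name `from_header_problems`, the simplified address pattern and the sample headers are assumptions made here; the result is a moderation hint for spam filtering, not authentication of the sender.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified address pattern (an assumption; RFC 5322 permits more forms).
my $ADDR = qr/[\w.+-]+\@[\w-]+(?:\.[\w-]+)+/;

# Hypothetical helper: returns reasons to hold a message for moderation,
# or an empty list. $headers is an array ref of unfolded header lines.
sub from_header_problems {
    my ($headers) = @_;
    my @from;
    for my $line (@$headers) {
        push @from, $1 if $line =~ /^From:\s*(.*)$/i;
    }
    return ('no From: header')        if @from == 0;
    return ('multiple From: headers') if @from > 1;

    # Ignore quoted strings so that "Doe, Jane" <jane@...> counts as one mailbox.
    (my $unquoted = $from[0]) =~ s/"(?:[^"\\]|\\.)*"//g;
    return ('more than one mailbox in From:') if $unquoted =~ /,/;

    if ($from[0] =~ /^(.*)<\s*($ADDR)\s*>\s*$/) {
        my ($display, $mailbox) = ($1, lc $2);
        my @problems;
        # The pattern from the thread: an address in the display part
        # that differs from the bracketed one.
        for my $shown ($display =~ /$ADDR/g) {
            push @problems, "display part shows $shown but mailbox is $mailbox"
                if lc($shown) ne $mailbox;
        }
        return @problems;
    }
    return () if $from[0] =~ /^\s*$ADDR\s*$/;
    return ('From: is neither a bare address nor phrase <address>');
}

# Constructed sample headers, not taken from real mail.
my @samples = (
    [ 'From: "Alice Example" <alice@example.com>' ],
    [ 'From: alice@example.com <mallory@example.net>' ],
    [ 'From: "Doe, Jane" <jane@example.com>' ],
    [ 'From: alice@example.com, bob@example.com' ],
    [ 'From: alice@example.com', 'From: mallory@example.net' ],
);

for my $headers (@samples) {
    my @why = from_header_problems($headers);
    printf "%-48s %s\n", $headers->[0], @why ? 'HOLD: ' . join('; ', @why) : 'ok';
}
```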
 



Re: Email::Address easily spoofed

2010-01-06 Thread Hans Dieter Pearcey
Excerpts from Karen Cravens's message of Wed Jan 06 11:29:15 -0500 2010:
> Depends on what you mean by access control.

I mean what the OP said he was using it for: running various commands when
messages are received.

> You'd still want E::A to parse it properly, if only so you can test for
> If the comment is a valid email address, but doesn't match the
> bracketed email address, it's spam.

I'm not talking about whether or not this is a bug in E::A; I'm addressing the
design (flaws) of using E::A specifically and From header parsing generally to
do this kind of authentication.

(It probably is a bug, but I have no good suggestions for resolution.)

hdp.


Re: Email::Address easily spoofed

2010-01-05 Thread Casey West
On Tue, Jan 5, 2010 at 2:17 AM, Matijs van Zuijlen mat...@matijs.net wrote:

> > As far as I can grok, having multiple From: addresses doesn't really make
> > much sense (is it legal?)
>
> Yes, according to RFC 2822, but they must be separated by commas.


Consider a letter which is written by multiple people. One person does the
actual delivery. When multiple addresses are in the From: field, the Sender:
field must have an address in it. The person who did the sending, probably
the assistant. :-)

Cheers,

Casey


Re: Email::Address easily spoofed

2010-01-05 Thread Justin Skazat
On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:
> What is the actual spoofing problem that occurs?

The spoofing occurs, since the system receives mail with a From: header like 
this: 

From: m...@example.com spoofer.addr...@malicious-site.com

Which looks like a From: line with a comment, and then the email address (in 
brackets)

If I use the code I posted: 

my $address = ( Email::Address->parse($from) )[0]->address;
print $address . "\n";

The address that gets returned is, $address - what's in the comment field, not 
the actual address. Certain actions are taken, depending on what address gets 
mailed to, so the spoofing address (spoofer.addr...@malicious-site.com) is 
gaining access to privileges that the other address has (m...@example.com). 

> Is the problem that it seems to
> come from m...@example.com?

Yes. 

> But that can already easily be done, I can just put
>
>   From: You m...@example.com
>
> in my email headers.

OK - what should I do about that? What's the general wisdom to help thwart 
that? Use the Sender: header? Both? Something more fancy? 

> > $address = ( Email::Address->parse($from) )[1]->address; print $address .
> > "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.
 
I agree - but it's what I'm receiving from someone sending messages to the 
system - I can't control it, I'm just trying to catch it. 

Justin 



On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> Hi Justin,
>
> Justin Skazat wrote:
> > I'm starting to get reports from users who are saying my code that relies on
> > Email::Address is getting spoofed. Here's a small example:
> >
> > [...]
> >
> > my $from  = q...@example.com spoofer.addr...@malicious-site.com};
> >
> > [...]
> >
> > As you can see, it just takes the phrase unquoted to trip this up. The first
> > example is most likely incorrect formatting, but still works when it comes to
> > sending the messages out for my system to receive it. Ugh.
>
> What is the actual spoofing problem that occurs? Is the problem that it seems to
> come from m...@example.com? But that can already easily be done, I can just put
>
>   From: You m...@example.com
>
> in my email headers.
>
> > Any tried and true way to catch this spoofing? I think what's happening is
> > that Email::Address is parsing the line as if there's two valid addresses,
> > since I can also do this:
> >
> > $address = ( Email::Address->parse($from) )[1]->address; print $address .
> > "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.
>
> > As far as I can grok, having multiple From: addresses doesn't really make
> > much sense (is it legal?)
>
> Yes, according to RFC 2822, but they must be separated by commas.
>
> -- 
> Matijs