> On Fri, 30 May 2008 00:11:51 +0100
> Robert Bridge <robert@××××××××.com> wrote:
>
> > On Fri, 30 May 2008 02:05:42 +0300
> > Daniel Iliev <daniel.iliev@×××××.com> wrote:
> >
> > > On Thu, 29 May 2008 08:38:27 +0000 (UTC)
> > > daniel.iliev@×××××.com wrote:
> > >
> > > > W. Canis wrote:
> > > > > OK, I can't bring myself a "proof of concept".
> > > >
> > > > Allow me to help you with that part.
> > > >
> > > > Personally I still think signatures in public mailing lists are
> > > > overrated.
> > > >
> > > > NOT signed by
> > > > Some Gentoo user with a security job and 5 minutes of time
> > > >
> > > > P.S. Daniel - I really hope this is ok with you. I took your dare
> > > > literally for this one time. Your personality won't be abused by
> > > > me again.
> > >
> > >
> > > No problem,..ehh..PSZ, I presume? :)
> > >
> > > It was I who gave the idea and the challenge. Don't worry, it's
> > > really fine by me.
> > >
> > > I admit it looks very much as if the message was sent by me and could
> > > be deceiving at first glance, but:
> > >
> > >
> > > FAKE:
> > > ===
> > > Received: from observed.de (observed.de [81.169.134.89])
> > > by pigeon.gentoo.org (Postfix) with ESMTP id AE151E05BC
> > > for <gentoo-user@l.g.o>; Thu, 29 May 2008
> > > 08:38:27 +0000 (UTC)
> > > ===
> > >
> > >
> > > NOT FAKE:
> > > ===
> > > Received: from fg-out-1718.google.com (fg-out-1718.google.com
> > > [72.14.220.153])
> > > by pigeon.gentoo.org (Postfix) with ESMTP id 3E5ACE0229
> > > for <gentoo-user@l.g.o>; Mon, 26 May 2008 00:30:07
> > > +0000 (UTC)
> > > ===
> >
> > Except that even that can be faked.
> >
> > The header is part of the payload, so can be whatever the user decides
> > to put in, simply fake a set of relay lines, and how do you know?
> >
> > Rob.
>
> Yes, you can insert headers before you send the message, but the SMTP
> server which receives the message for local delivery always has the
> final word. In this case pigeon.gentoo.org has added its headers to the
> "proof of concept" message and we can see that the mail "from me@Gmail"
> was actually sent from elsewhere.

Glad to hear you didn't mind, Daniel.
Yes, you traced me correctly. And as Rob already noticed, that could be
circumvented by spoofing the header a little more. Also you were correct to
notice that the receiving server has the last word - however many servers today
do -not- perform reverse DNS lookups. You can basically put into the EHLO
message whatever you want and the receiving server will buy it.

So with some effort we could make it look as if the message was actually
received from fg-out-1718.google.com. At least as long as pigeon.gentoo.org
doesn't do reverse DNS lookups, which frankly I didn't check. :)

--Paul
--
gentoo-user@l.g.o mailing list
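As an added example (not code from the thread or from any Gentoo project), here is the defender-side version of the reasoning above: only the Received header that the trusted last hop (pigeon.gentoo.org here) prepends is judged, the EHLO name the client claimed is compared with the reverse-DNS name the MTA recorded, and, going one step beyond the thread, the claimed name is forward-resolved through an offline stand-in table. The sample message, the `mail.example.invalid` host, the 203.0.113.7 address and the `forward_dns` table are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not a message from the thread). The top Received header
# is the one the trusted final hop, pigeon.gentoo.org, prepends on arrival; the
# lower one was already inside the message when it arrived and proves nothing.
SAMPLE = """\
Received: from fg-out-1718.google.com (mail.example.invalid [203.0.113.7])
\tby pigeon.gentoo.org (Postfix) with ESMTP id 000000000000
\tfor <gentoo-user@l.g.o>; Thu, 29 May 2008 08:38:27 +0000 (UTC)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.153])
\tby mail.example.invalid (Postfix) with ESMTP id 111111111111
From: someone@gmail.com
Subject: test

body
"""

# Postfix-style clause: "from <EHLO name> (<reverse-DNS name> [<ip>]) by <mta>".
# The EHLO name is whatever the client claimed; the name in parentheses and the
# IP are what the receiving MTA itself observed on the TCP connection.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def parse_received(value):
    """Unfold one Received header and return its helo/rdns/ip/by, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def check_last_hop(raw, trusted_mta, forward_dns):
    """Judge only the Received header added by trusted_mta (the topmost one).
    forward_dns is a hypothetical offline stand-in for A-record lookups
    ({hostname: set of IPs}). Returns a list of findings; [] means consistent."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return ["no Received headers at all"]
    hop = parse_received(received[0])
    if hop is None or hop["by"] != trusted_mta:
        return ["topmost Received header was not added by %s" % trusted_mta]
    findings = []
    if hop["rdns"] == "unknown":   # Postfix writes this when the PTR lookup fails
        findings.append("no reverse DNS for %s; EHLO name is unverified" % hop["ip"])
    elif hop["helo"] != hop["rdns"]:
        findings.append("EHLO name %s != reverse-DNS name %s" % (hop["helo"], hop["rdns"]))
    if hop["ip"] not in forward_dns.get(hop["helo"], set()):
        findings.append("EHLO name %s does not resolve to %s" % (hop["helo"], hop["ip"]))
    # Everything below the trusted hop arrived inside the message: unverifiable.
    findings += ["client-supplied, unverifiable: %s" % " ".join(v.split())[:50] for v in received[1:]]
    return findings
```

Run against `SAMPLE` with `{"fg-out-1718.google.com": {"72.14.220.153"}}` as the table, the check reports the EHLO/reverse-DNS mismatch, the failed forward confirmation, and the untrusted lower hop.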