| 1 |
> On Fri, 30 May 2008 00:11:51 +0100 |
| 2 |
> Robert Bridge <robert@××××××××.com> wrote: |
| 3 |
> |
| 4 |
>> > On Fri, 30 May 2008 02:05:42 +0300 |
| 5 |
>> > Daniel Iliev <daniel.iliev@×××××.com> wrote: |
| 6 |
>> > |
| 7 |
>>> > > On Thu, 29 May 2008 08:38:27 +0000 (UTC) |
| 8 |
>>> > > daniel.iliev@×××××.com wrote: |
| 9 |
>>> > > |
| 10 |
>>>> > > > W. Canis wrote: |
| 11 |
>>>>> > > > > OK, I can't bring myself a "proof of concept". |
| 12 |
>>>> > > > |
| 13 |
>>>> > > > Allow me to help you with that part. |
| 14 |
>>>> > > > |
| 15 |
>>>> > > > Personally I still think signatures in public mailing lists are |
| 16 |
>>>> > > > overrated. |
| 17 |
>>>> > > > |
| 18 |
>>>> > > > NOT signed by |
| 19 |
>>>> > > > Some Gentoo user with a security job and 5 minutes of time |
| 20 |
>>>> > > > |
| 21 |
>>>> > > > P.S. Daniel - I really hope this is ok with you. I took your dare |
| 22 |
>>>> > > > literally for this one time. Your personality won't be abused by |
| 23 |
>>>> > > > me again. |
| 24 |
>>> > > |
| 25 |
>>> > > |
| 26 |
>>> > > No problem,..ehh..PSZ, I presume? :) |
| 27 |
>>> > > |
| 28 |
>>> > > It was I who gave the idea and the challenge. Don't worry, it's |
| 29 |
>>> > > really fine by me. |
| 30 |
>>> > > |
| 31 |
>>> > > I admit I looks very much as if the message was sent by me and could |
| 32 |
>>> > > be deceiving at first glance, but: |
| 33 |
>>> > > |
| 34 |
>>> > > |
| 35 |
>>> > > FAKE: |
| 36 |
>>> > > === |
| 37 |
>>> > > Received: from observed.de (observed.de [81.169.134.89]) |
| 38 |
>>> > > by pigeon.gentoo.org (Postfix) with ESMTP id AE151E05BC |
| 39 |
>>> > > for <gentoo-user@l.g.o>; Thu, 29 May 2008 |
| 40 |
>>> > > 08:38:27 +0000 (UTC) |
| 41 |
>>> > > === |
| 42 |
>>> > > |
| 43 |
>>> > > |
| 44 |
>>> > > NOT FAKE: |
| 45 |
>>> > > === |
| 46 |
>>> > > Received: from fg-out-1718.google.com (fg-out-1718.google.com |
| 47 |
>>> > > [72.14.220.153]) |
| 48 |
>>> > > by pigeon.gentoo.org (Postfix) with ESMTP id 3E5ACE0229 |
| 49 |
>>> > > for <gentoo-user@l.g.o>; Mon, 26 May 2008 00:30:07 |
| 50 |
>>> > > +0000 (UTC) |
| 51 |
>>> > > === |
| 52 |
>> > |
| 53 |
>> > Except that even that can be faked. |
| 54 |
>> > |
| 55 |
>> > The header is part of the payload, so can be whatever the user decides |
| 56 |
>> > to put in, simply fake some a set of relay lines, and how do you know? |
| 57 |
>> > |
| 58 |
>> > Rob. |
| 59 |
> |
| 60 |
> Yes, you can insert headers before you send the message, but the SMTP |
| 61 |
> server which receives the message for local delivery always has the |
| 62 |
> final word. In this case pigeon.gentoo.org has added its headers to the |
| 63 |
> "proof of concept" message and we can see that the mail "from me@Gmail" |
| 64 |
> was actually sent from elsewhere. |
| 65 |
|
| 66 |
Glad to hear you didn't mind, Daniel. |
| 67 |
Yes, you traced me correctly. And as Rob already noticed, that could be |
| 68 |
circumvented by spoofing the header a little more. Also you were correct to |
| 69 |
notice, that the receiving server has the last word - however many servers today |
| 70 |
do -not- perform reverse DNS lookups. You can basically put into the EHLO |
| 71 |
message whatever you want and the receiving server will buy it. |
| 72 |
|
| 73 |
So with some effort we could make it look as if the message was actually |
| 74 |
received from fg-out-1718.google.com. At least as long as pidgeon.gentoo.org |
| 75 |
doesn't do reverse DNS lookups, which frankly I didn't check. :) |
| 76 |
|
| 77 |
--Paul |
| 78 |
-- |
| 79 |
gentoo-user@l.g.o mailing list |
Archives