On Dec 5, 2017, at 1:24 PM, Pawel Lesnikowski
<lesnikowski(_at_)limilabs(_dot_)com> wrote:
Hi All,
I'm not sure if you noticed but it seems many clients are affected by
'mailsploit':
https://www.mailsploit.com/index
Basically the attacker uses special characters inside encoded words to spoof
the sender:
From:
=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com
Such a header, naively (and incorrectly) decoded, is:
potus(_at_)whitehouse(_dot_)gov\0potus(_at_)whitehouse(_dot_)gov@mailsploit.com
Although it's not a direct attack on DKIM, if DKIM is implemented properly
and email address decoding and displaying isn't, users might be fooled.
Of course encoded words are not allowed inside email addresses (addresses, not
names), but it seems many clients try to decode them.
What are your thoughts?

It's a DMARC issue rather than a DKIM one.
Most mobile clients and many desktop clients don't display the sender's email
address anyway, just the "friendly from" / human readable comment, so "From:
POTUS potus(_at_)whitehouse(_dot_)gov <bob(_at_)mail(_dot_)ru>" is much simpler
and nearly as effective.
This[1] is a rendering bug the MUA authors really should fix, but not a
terrible concern unless maybe you're looking at sneaky targeted phishing mail.
Cheers,
Steve
[1] mailsploit, I mean. Maybe that other thing too.
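A defender-side check for the pattern Pawel quotes, as an added example (not code from the thread): `naive_decode` reproduces what the affected clients do with the header, and `inspect_from` flags the two things a safe MUA or gateway should reject, an encoded word inside the addr-spec and a control character in the decoded result. The From value is the one from the message above; the function names and the `LEGIT_FROM` sample are assumptions.

```python
import email.header
import email.utils
import re

# Constructed samples. MAILSPLOIT_FROM is the value quoted in the thread:
# three encoded words glued together in the local part, the middle one
# decoding to a NUL byte (=00). LEGIT_FROM is a valid use of an encoded
# word, confined to the display name.
MAILSPLOIT_FROM = (
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?="
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com"
)
LEGIT_FROM = "=?utf-8?q?Bob_Example?= <bob@example.com>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_decode(header: str) -> str:
    """Decode every encoded word wherever it appears (the buggy MUA behaviour).

    RFC 2047 forbids encoded words inside the addr-spec, but a naive decoder
    does not know where the addr-spec starts and decodes them anyway.
    """
    parts = []
    for chunk, charset in email.header.decode_header(header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def inspect_from(header: str) -> list:
    """Return findings for a From header; an empty list means it looks sane."""
    findings = []
    _display_name, addr_spec = email.utils.parseaddr(header)
    # Check 1: encoded-word syntax in the addr-spec is never legitimate,
    # so reject it before any decoding happens.
    if "=?" in addr_spec:
        findings.append("encoded-word syntax inside addr-spec")
    # Check 2: whatever the decoder produces must not contain control
    # characters; the NUL is what truncates the sender shown to the user.
    if CONTROL_CHARS.search(naive_decode(header)):
        findings.append("control character after decoding")
    return findings


if __name__ == "__main__":
    for h in (MAILSPLOIT_FROM, LEGIT_FROM):
        print(repr(naive_decode(h)), inspect_from(h))
```

Run stand-alone it prints the decoded string from the message above for the first sample and a clean decode with no findings for the second.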
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html