On 12/05/2017 02:24 PM, Pawel Lesnikowski wrote:
> I'm not sure if you noticed but it seems many clients are affected by
> 'mailsploit':
> https://www.mailsploit.com/index
$ReadingList++
> Basically the attacker uses special characters inside encoded words to
> spoof the sender:
> From:
> =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com
> Such a header, naively and incorrectly decoded, is:
> potus(_at_)whitehouse(_dot_)gov<null>potus(_at_)whitehouse(_dot_)gov@mailsploit.com
I'll show my ignorance. (In the hope of learning.)
What is "naive" or "incorrect" about the following decoding?
potus(_at_)whitehouse(_dot_)gov<null>potus(_at_)whitehouse(_dot_)gov@mailsploit.com
"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" quite literally does decode
to "potus(_at_)whitehouse(_dot_)gov"
Or are you indicating that the naivety is the fact that MUAs may
incorrectly handle the null-containing string? Possibly believing that
the MUA will use null termination and incorrectly believe that the From:
address is just "potus(_at_)whitehouse(_dot_)gov"?
> Although it's not a direct attack on DKIM, if DKIM is implemented
> properly and email address decoding and displaying isn't, users might be
> fooled.
That is an MUA issue. Perhaps DKIM helps reinforce an incorrect
assumption based on a bad MUA trait. But I don't see that as a DKIM issue.
> Of course encoded words are not allowed inside email addresses (address,
> not names), but it seems many clients try to decode them.
Again, an MUA issue. IMHO not a DKIM (or DMARC) issue.
> What are your thoughts?
I feel like this is a play on / adaptation of source routing (which is
deprecated) in an attempt to make the MUA display a subset of the actual
address in the from header. (DMARC would also care about SPF's stance
on the RFC821.From address.)
I feel like DKIM should 1) dutifully sign what comes in from the MSA. I
suspect that DKIM would use a domain (d=) of "mailsploit.com". I
further suspect that the RFC821.From address would also reflect
"mailsploit.com". Thus the message, seeming to be from "mailsploit.com"
would pass SPF, DKIM, and likely DMARC. This is because the message
would really be from "mailsploit.com".
IMHO this really does boil down to MUAs behaving badly, thus enabling a
bad belief that the message is from potus(_at_)whitehouse(_dot_)gov, with SPF,
DKIM, and DMARC supporting this bad supposition.
I really feel like this is an MUA issue.
What's worse, no security, or bad / false security?
--
Grant. . . .
unix || die
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
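As an added illustration (not code from the thread or from the Mailsploit write-up), the Python below decodes the quoted From: header the way a lenient MUA would, shows the NUL truncation discussed above, and implements the check a defensive MUA or filter could apply: flag encoded words inside the addr-spec and any control characters left after decoding. The address pawel@example.com used for the clean case is a constructed sample.

```python
import base64
import quopri
import re

# Header value from the Mailsploit write-up quoted above: three adjacent
# RFC 2047 encoded words glued onto the real sending domain.
MAILSPLOIT_FROM = ("=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?="
                   "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com")

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")

def _decode_word(m):
    charset, encoding, text = m.group(1), m.group(2).upper(), m.group(3)
    if encoding == "B":
        raw = base64.b64decode(text)
    else:  # Q encoding: "_" is a space, "=XX" is a hex byte
        raw = quopri.decodestring(text.replace("_", " ").encode("ascii"))
    return raw.decode(charset, errors="replace")

def naive_decode(header):
    """What a lenient MUA does: decode encoded words wherever they occur,
    including inside the address itself."""
    return ENCODED_WORD.sub(_decode_word, header)

def truncate_at_nul(text):
    """Simulate a display path that stops at the first NUL byte."""
    return text.split("\x00", 1)[0]

def split_from(header):
    """Return (display_name, addr_spec); a bare address has an empty name."""
    m = re.match(r"^(.*?)<([^>]*)>\s*$", header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", header.strip()

def check_from_header(header):
    """Defensive check a MUA or filter can apply: encoded words are only
    legal in display names and comments (RFC 2047), and decoded text must
    not carry control bytes."""
    findings = []
    _name, addr = split_from(header)
    if ENCODED_WORD.search(addr):
        findings.append("encoded word inside addr-spec")
    decoded = naive_decode(header)
    controls = sorted({c for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        findings.append("control characters after decoding: %r" % controls)
    return findings
```

Running `check_from_header(MAILSPLOIT_FROM)` yields both findings, while a display name that is merely encoded (`=?utf-8?q?Pawel?= <pawel@example.com>`) passes clean.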