procmail

Re: detecting faked "From"

2001-07-20 11:39:23
At 03:26 2001-07-20 -0700, Andrew Edelstein wrote:
Yeah yeah, technically correct. I assumed that was a given. My point still
stands: you can't spoof the auto-responder into replying to an address other
than the address to which it thinks it's replying; i.e.: you can't forge the
headers in such a way that, if it thinks it's sending mail to
address@geol.ucsb.edu, the mail is actually going to somewhere else.

Wrong. Although anti-relaying rules in most MTAs should probably block this (and many of the clumsy MTAs out there probably never grasped it to begin with), it is valid syntax as per RFC 821, Section 3.6:

        @geol.ucsb.edu:user@someplaceelse.com

The message would be delivered to the geol.ucsb.edu MX which (if it supported the syntax) would parse the address and realize that it needed to be passed along to another server, and would pass it along to someplaceelse.com. A regexp such as:

        ^From:.*@geol.ucsb.edu

which is a fairly common regexp form, would fail to catch this relay syntax, having satisfied itself that the host in question was specified.

This is totally separate from which header the reply address is gleaned from - it applies equally to the Reply-To, etc.

Of course, this encoding is largely unsupported these days (DNS MX records obviate the need for it), but it is still supported by some MTAs here and there. Perhaps the one in this case...

I just checked, and my own mail servers appear to support the syntax (in fact, the message was sent from another domain entirely, and arrived at my SMTP to be declined there). Fortunately (because this technique used to be in favour amongst spammers), my server properly declines to relay:

(reason: 550 5.7.1 <@somehost.myndomain.tld:validaddress@elsewhere.tld>... Relaying denied)

Want to not rely on an old feature in the mail specification? Okay, simply create a host on your own net:

        geol.ucsb.edu.mydomain.tld

(which doesn't have to have an A record, just an MX, which would point to a server configured to accept mail for this host). The above regexp would fail to notice that this is a host on a different domain, and would happily send its reply to it.

How's them apples?

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
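Added example, not code from the post or from procmail: the loose `^From:.*@geol.ucsb.edu` pattern discussed above run beside a check that compares the whole domain part and refuses RFC 821 source routes, over constructed From: headers covering both tricks in the post. The `extract_addr` helper, the sample headers and the domain `mydomain.tld` are assumptions for illustration.

```python
import re

TRUSTED_DOMAIN = "geol.ucsb.edu"

# The post's loose pattern with the archive's "(_at_)"/"(_dot_)" munging undone:
# it is satisfied once "@geol.ucsb.edu" appears anywhere after "From:".
LOOSE_FROM_RE = re.compile(r"^From:.*@geol.ucsb.edu", re.IGNORECASE)

def loose_check(header: str) -> bool:
    """The substring-style check the post criticises."""
    return LOOSE_FROM_RE.search(header) is not None

def extract_addr(header: str) -> str:
    """Hypothetical helper: text inside <...> if present, else the first token."""
    value = header.split(":", 1)[1].strip() if ":" in header else ""
    m = re.search(r"<([^>]*)>", value)
    if m:
        return m.group(1).strip()
    return value.split()[0] if value else ""

def strict_check(header: str) -> bool:
    """Accept only a plain mailbox whose domain part is exactly TRUSTED_DOMAIN."""
    if not header.lower().startswith("from:"):
        return False
    addr = extract_addr(header)
    # RFC 821 source route "@relay:user@real" is forwarded on to "real", so a
    # leading "@" or an embedded ":" means the visible host is not the mailbox.
    if addr.startswith("@") or ":" in addr:
        return False
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    # Whole-string comparison: "geol.ucsb.edu.mydomain.tld" is a different host.
    return domain.lower() == TRUSTED_DOMAIN

# Constructed sample headers, not taken from any real mail.
SAMPLES = {
    "legit": "From: Jane Doe <address@geol.ucsb.edu>",
    "source_route": "From: <@geol.ucsb.edu:user@someplaceelse.com>",
    "subdomain": "From: user@geol.ucsb.edu.mydomain.tld",
    "other": "From: user@elsewhere.tld",
}

def compare() -> dict:
    """Map each sample name to (loose_check result, strict_check result)."""
    return {name: (loose_check(h), strict_check(h)) for name, h in SAMPLES.items()}
```

`compare()` shows the loose pattern accepting both the source-routed and the look-alike-subdomain headers, while the whole-domain check accepts only the genuine one.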

