Re: [calsify] Calendar spam - it is speeding up - security issue / warning

Doug Royer <douglasroyer@gmail.com> Tue, 18 June 2019 17:39 UTC

From: Doug Royer <douglasroyer@gmail.com>
To: calsify@ietf.org
References: <f7d8336f-edd2-7d26-1589-87e58dd8672b@gmail.com> <25453529-BE41-4A4E-B6BD-5EB662C73DEC@calconnect.org> <a30c7d25-ae1f-43c4-4153-a423d97da827@gmail.com> <trinity-a024771a-f08f-423d-92b1-2db3c370970d-1560874984587@3c-app-webde-bap44>
Organization: http://SoftwareAndServices.NET
Message-ID: <d760c6c5-8853-edb8-5655-a7ade5bdd80d@gmail.com>
Date: Tue, 18 Jun 2019 11:39:39 -0600
In-Reply-To: <trinity-a024771a-f08f-423d-92b1-2db3c370970d-1560874984587@3c-app-webde-bap44>
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/oYv3Eqv3daAlivlg0NQ4F8mn1PE>
Subject: Re: [calsify] Calendar spam - it is speeding up - security issue / warning

On 6/18/19 10:23 AM, "Thomas Schäfer" wrote:
> Hi Doug,
> 
> Thanks for pointing to the mentioned article.
> 
> Members of CalConnect started thinking about this as soon as the big wave of calendar spam hit Apple users in November 2016 (https://www.bbc.com/news/technology-38144377). We soon started working on it by issuing an article describing what happened (https://www.calconnect.org/news/2017/01/30/calendar-spam) and also started reaching out to E-Mail people at the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG, https://www.m3aawg.org/) to work together on the topic.
> 
> ...
> Regarding some of your points:
> 
>> Virus checking and malicious site checking is the second (and not mentioned) half.
> 
> It is mentioned in https://standards.calconnect.org/csd/cc-18003.html#toc15 and https://standards.calconnect.org/csd/cc-18003.html#toc18, but as said, it does not contain a deep section about expected calendar client behaviour, as it aims for not inserting malicious events in your calendar at all and therefore preventing them from appearing in your calendar client.

That is great; however, these are IETF documents. And I am NOT talking 
about SMTP or EMAIL (the references you pointed to). I am talking about 
URLs to external documents that could have been transferred with a 
MAILTO URL. However, the examples in the drafts are using an HTTP URL 
(not covered under SMTP or EMAIL and not transferred with SMTP).

Email virus checking might find that a related document URL contains 
malicious content if it were a multipart/mime with a CID, or as 
related and inline included content. However, it is often the case that 
the calendar-embedded URL points to external documents.

Not all calendar objects are transferred with iMIP. Enterprise internal 
hacking, WebCal, or just a link someone puts on some public sporting 
event would not be transferred with iMIP. All of these could have 
related document URL links that point to malicious items.

And related: can an RFC refer to a CalConnect document as a NORMATIVE 
reference?



-- 

Doug Royer - (http://DougRoyer.US)
Douglas.Royer@gmail.com
714-989-6135
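The distinction Doug draws above, between content an email virus scanner can see (inline MIME parts referenced by CID, or binary data embedded in the object) and external HTTP URLs it never fetches, can be checked on the calendar side. The following is an added example, not code from this thread, from CalConnect or from any of the drafts discussed: it unfolds an iCalendar object, pulls every reference out of ATTACH, URL, ALTREP and free-text properties, and labels each as inline or external so the external ones can be handed to whatever URL or virus check a deployment already runs. The sample object and all hostnames in it are constructed placeholders.

```python
"""Separate inline from external references in an iCalendar object.

Added example for the calsify thread above (not code from the thread,
CalConnect or the IETF drafts).  Email-side scanning covers content that
travels with the message (cid: references, VALUE=BINARY data); it does
not cover URLs the calendar client would fetch later, and the object may
not have arrived by iMIP at all.  This scanner lists both classes so the
external references can be fed to a separate URL/virus check.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: one VEVENT mixing a cid: attachment, an inline
# binary attachment, an external attachment, a URL property and a link
# inside a folded DESCRIPTION.  Hostnames are placeholders, not indicators.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-uid-1@example.invalid",
    "DTSTAMP:20190618T173900Z",
    "DTSTART:20190701T150000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda at https://docs.example.invalid/agenda.pdf and",
    " \\nslides attached.",  # folded continuation line (RFC 5545 section 3.1)
    "ATTACH:cid:agenda.pdf@example.invalid",
    "ATTACH;FMTTYPE=text/plain;ENCODING=BASE64;VALUE=BINARY:aGVsbG8=",
    "ATTACH;FMTTYPE=application/pdf:https://files.example.invalid/slides.pdf",
    "URL:http://event.example.invalid/details",
    "END:VEVENT",
    "END:VCALENDAR",
])


@dataclass
class Finding:
    prop: str        # property (and parameter) the reference came from
    reference: str   # the URI, or a marker for embedded data
    kind: str        # "inline": travels with the message; "external": fetched later


# Stops at whitespace, angle brackets, quotes and the backslash that starts
# an iCalendar text escape such as \, or \n.
URL_RE = re.compile(r"""https?://[^\s<>"'\\]+""", re.I)


def unfold(text):
    """Join RFC 5545 folded lines: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def split_contentline(line):
    """Split NAME;PARAM=VALUE;...:value at the first colon outside quotes.

    Returns (NAME, {PARAM: value}, value) or None for a line with no colon.
    Parameter values containing ';' inside quotes are not handled (assumption).
    """
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            break
    else:
        return None
    head, value = line[:i], line[i + 1:]
    name, *raw_params = head.split(";")
    params = {}
    for p in raw_params:
        key, _, val = p.partition("=")
        params[key.upper()] = val.strip('"')
    return name.upper(), params, value


def classify_uri(uri):
    """cid: points into the enclosing MIME message; anything else is external."""
    return "inline" if urlparse(uri).scheme.lower() == "cid" else "external"


def scan_ics(text):
    """Return every reference found in the object, labelled inline or external."""
    findings = []
    for raw in unfold(text).splitlines():
        parsed = split_contentline(raw)
        if parsed is None:
            continue
        name, params, value = parsed
        if name == "ATTACH":
            if params.get("VALUE", "").upper() == "BINARY":
                findings.append(Finding(name, "<inline binary data>", "inline"))
            else:
                findings.append(Finding(name, value, classify_uri(value)))
        elif name == "URL":
            findings.append(Finding(name, value, classify_uri(value)))
        elif name in ("DESCRIPTION", "LOCATION", "COMMENT", "SUMMARY"):
            for url in URL_RE.findall(value):
                findings.append(Finding(name, url, "external"))
        if "ALTREP" in params:  # alternate representation is itself a URI
            alt = params["ALTREP"]
            findings.append(Finding(f"{name};ALTREP", alt, classify_uri(alt)))
    return findings


def external_hosts(text):
    """Hosts an email-side scanner never saw; hand these to a URL reputation check."""
    hosts = {urlparse(f.reference).hostname for f in scan_ics(text) if f.kind == "external"}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f"{f.kind:8} {f.prop:18} {f.reference}")
    print("external hosts:", external_hosts(SAMPLE_ICS))
```

Run stand-alone it prints five findings, two inline and three external, which is the split the message above is about: only the two inline ones are visible to a scanner that looks at the email alone. Because the parser works on the iCalendar text and not on the transport, the same check applies to objects that arrive by WebCal, CalDAV or a pasted link rather than by iMIP.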