[ietf-dkim] Mailsploit

Pawel Lesnikowski <lesnikowski@limilabs.com> Tue, 05 December 2017 21:30 UTC

Hi All,

I'm not sure if you noticed, but it seems many clients are affected by
'mailsploit':
https://www.mailsploit.com/index

Basically the attacker uses special characters inside encoded words to
spoof the sender:

From:
=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

Such a header, naively and incorrectly decoded, is:
potus@whitehouse.gov*\0*potus@whitehouse.gov@mailsploit.com

Although it's not a direct attack on DKIM, if DKIM is implemented properly
and email address decoding and displaying isn't, users might be fooled.

Of course encoded words are not allowed inside email addresses (addresses,
not names), but it seems many clients try to decode them.

What are your thoughts?

-- 
Best regards,
Pawel Lesnikowski
https://www.limilabs.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
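The decoding mistake the post describes, and the check a client should make instead, as an added example that is not from the post or from any mail client: a strict RFC 2047 decoder applied to the whole From: value reproduces the spoofed display, while a decoder that only touches the display-name and flags encoded words in the addr-spec (and control characters after decoding) rejects it. Function names are mine; the From: value is assumed already unfolded, and the benign sample is constructed.

```python
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# C0 controls, DEL and C1 controls never belong in a decoded header field
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

def _decode_q(payload: str) -> bytes:
    """'Q' encoding: '_' is a space, '=XX' is one hex-encoded byte."""
    out, i = bytearray(), 0
    while i < len(payload):
        if payload[i] == "=":
            out.append(int(payload[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(0x20 if payload[i] == "_" else ord(payload[i]))
            i += 1
    return bytes(out)

def decode_encoded_words(text: str) -> str:
    """Decode every encoded word in text; naive when applied to a whole From: value."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        raw = base64.b64decode(payload, validate=True) if enc == "b" else _decode_q(payload)
        return raw.decode(charset)
    return ENCODED_WORD.sub(repl, text)

def split_mailbox(header: str) -> tuple:
    """Split 'Display Name <addr-spec>' or a bare 'addr-spec' into (name, addr)."""
    m = re.fullmatch(r"\s*(.*?)\s*<([^<>]*)>\s*", header)
    return (m.group(1), m.group(2)) if m else ("", header.strip())

def check_from_header(header: str) -> dict:
    """Safe path: decode only the display-name and flag what must not occur.
    RFC 2047 section 5 forbids encoded words inside the addr-spec."""
    name, addr = split_mailbox(header)
    problems = []
    if ENCODED_WORD.search(addr):
        problems.append("encoded word inside addr-spec")
    display = decode_encoded_words(name)
    if CONTROL_CHARS.search(display):
        problems.append("control character in display-name")
    return {"display_name": display, "addr_spec": addr, "problems": problems}

# The From: value quoted in the post (reflowed onto one line) and a constructed benign one.
MAILSPLOIT_FROM = ("=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?="
                   "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com")
BENIGN_FROM = "=?utf-8?Q?J=C3=BCrgen_M=C3=BCller?= <juergen@example.com>"
```

`decode_encoded_words(MAILSPLOIT_FROM)` yields the string the post shows (with a real NUL byte), whereas `check_from_header(MAILSPLOIT_FROM)` reports the encoded word in the addr-spec and leaves the display-name empty.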