Mailsploit: Popular Email Apps Allow Spoofing, Code Injection

Discussion in 'other security issues & news' started by ronjor, Dec 6, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    61,565
    Location:
    Texas
    By Eduard Kovacs on December 06, 2017
     
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    432
    Thanks for the info, ronjor. Good to know that my email client (OE Classic) is not affected.:)
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,933
    See also:
    https://www.wired.com/story/mailsploit-lets-hackers-forge-perfect-email-spoofs/

    Just one quote:
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    It seems that it is not/no longer true that this will not be fixed in Thunderbird: There is a corresponding tracking bug.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    If I'm not mistaken, this type of spoofed mail should be relatively easy to filter: I've tried the demo from https://www.mailsploit.com/index#demo and saw that the From: header was:

    Code:
    From: "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?="
     <=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=@mailsploit.com>
    Since this comment suggests as a possible mitigation:
    ... an obvious solution, IMHO, is to create a filter like this:

    If the From: header contains ? OR < OR > OR = THEN move the mail to Junk

    The Thunderbird filter (which works for me) looks like this:
    Code:
    name="Email Spoofing"
    enabled="yes"
    type="17"
    action="Move to folder"
    actionValue="mailbox://nobody@nowhere.net/Junk"
    condition="OR (\"from\",contains,?) OR (\"from\",contains,>) OR (\"from\",contains,<) OR (\"from\",contains,=)"
    What do you think? This might not be a complete solution but, at least, a good start.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,933
    Thank you!

    I wonder whether this shouldn't be fixed on the email providers' side. But that could take ages before it gets done ....
    Maybe some balancing act, where and how to fix it in both a secure and privacy concerned way, and all of those questions.
    I admit, I'm not sure myself at the moment.
     
    Last edited: Dec 6, 2017
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Unfortunately, this filter does work for some but not for all variants (payloads) on https://www.mailsploit.com/index#demo. I have to investigate this further. Any suggestions?
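
Added example, not part of any post in this thread: a Python check that decodes the RFC 2047 encoded-words in a From: header and inspects the decoded content, rather than matching raw characters such as `?` or `=`. The function names, finding strings and the `LEGIT` sample header are constructed for illustration; `DEMO` is the header quoted in post 5.

```python
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def decode_word(m):
    """Decode one encoded-word match; undecodable input becomes ''."""
    charset, enc, text = m.group(1), m.group(2).lower(), m.group(3)
    try:
        if enc == "b":
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        else:  # Q encoding: "_" is a space, "=XX" is a hex-encoded byte
            raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                         lambda h: bytes([int(h.group(1), 16)]),
                         text.replace("_", " ").encode("ascii"))
        return raw.decode(charset, errors="replace")
    except (LookupError, ValueError):
        return ""

def inspect_from(header_value):
    """Return a list of findings for one From: header value (empty = clean)."""
    findings = []
    value = re.sub(r"\r?\n(?=[ \t])", "", header_value)  # unfold continuation lines
    m = re.search(r"<([^<>]*)>\s*$", value)
    addr = m.group(1) if m else value.strip()
    name = value[:m.start()].strip().strip('"') if m else ""
    # RFC 2047 section 5: an encoded-word must not appear in an addr-spec.
    if ENCODED_WORD.search(addr):
        findings.append("encoded-word in address")
    words = "".join(decode_word(w) for w in ENCODED_WORD.finditer(value))
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in words):
        findings.append("control character after decoding")
    # Decoded display name that itself looks like an address on another domain.
    shown = re.search(r"@([A-Za-z0-9.-]+)", ENCODED_WORD.sub(decode_word, name))
    real = addr.rsplit("@", 1)[-1].lower()
    if shown and shown.group(1).lower().rstrip(".") != real:
        findings.append("display name shows a different domain")
    return findings

# DEMO: header quoted in post 5. LEGIT: constructed sample with a non-ASCII name.
DEMO = ('"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?="\n'
        ' <=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=@mailsploit.com>')
LEGIT = "=?utf-8?Q?J=C3=BCrgen_M=C3=BCller?= <juergen@example.org>"

if __name__ == "__main__":
    print(inspect_from(DEMO))
    print(inspect_from(LEGIT))
```

The demo header trips all three checks, while the constructed header with an encoded non-ASCII display name returns no findings.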
     