NormanS (MVM, San Jose, CA; joined 2001-02-14) to Kylemaul

Re: Someone, please help the @dslr.net mail team with their security!

said by Kylemaul:

My largest concern at this point is if my dslr email address is being used to send this crap to anyone else. If it is/can be, I'll just scrap the account.

Anybody can use anybody else's email address in the SMTP "MAIL FROM:" argument. There are a couple of mechanisms to try to mitigate that: SPF, DomainKeys, and DMARC. Each has its proponents, and problems. DSLR has an SPF record:
;; ANSWER SECTION:
dslr.net.               300     IN      TXT     "v=spf1 mx a ptr include:dslreports.com ~all"
 

Here is an example forgery:
Return-Path: <k******i@dslr.net>
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-aan04.mx.aol.com (Internet Inbound) with ESMTPS id 4B631700000A8
    for <**********@aol.com>; Wed, 13 Aug 2014 07:32:08 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
    (authenticated bits=0)
    by c.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s7DBW3wT016447
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
    for <**********@aol.com>; Wed, 13 Aug 2014 04:32:05 -0700
Message-ID: <53EB4CB0.4010008@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:32:00 -0700
From: Ben Sample <k******i@dslr.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Forgery
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-CAuth: UmFuZG9tSVYoDxFGj5YUBMstD6fUtjr3Mn9tfF/RVnUezJ0vkmKM3zQ9P6t4i9vB9HI2QFZuh1zZRZtiPjgSZ9VaAscmsc5E
X-Sonic-ID: C;lMb2ct0i5BGH/d90oK8kYw== M;cmyVc90i5BGH/d90oK8kYw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=softfail (aol.com: the domain dslr.net reports 64.142.111.80 should not be sending mail using it's domain name, but is not forbidden from doing so.) smtp.mailfrom=dslr.net;
x-aol-sid: 3039ac1b134453eb4cb632a6
X-AOL-IP: 64.142.111.80
X-AOL-SPF: domain : dslr.net SPF : softfail
 

Notice, toward the end, the "Authentication-Results:". "Softfail".

I also have an SPF record:
;; ANSWER SECTION:
aosake.net.             6062    IN      TXT     "v=spf1 a ip4:173.228.7.217 include:mail.sonic.net -all"
 

But observe the results tag: The "~all" in the DSLR record, vs. the "-all" in mine. And the forged headers:
Return-Path: <**********@aosake.net>
Received: from nm18-vm4.bullet.mail.ne1.yahoo.com (nm18-vm4.bullet.mail.ne1.yahoo.com [98.138.91.178])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaiw-mac04.mx.aol.com (Internet Inbound) with ESMTPS id 5DF8F700000A8
    for <**********@aol.com>; Wed, 13 Aug 2014 07:44:33 -0400 (EDT)
DKIM-Signature: {Redacted.}
DomainKey-Signature: {Redacted.}
Received: from [98.138.84.46] by tm104.bullet.mail.ne1.yahoo.com with NNFMP; 13 Aug 2014 11:44:31 -0000
Received: from [127.0.0.1] by smtp114.mail.ne1.yahoo.com with NNFMP; 13 Aug 2014 11:44:31 -0000
X-Yahoo-Newman-Id: 914922.30279.bm@smtp114.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: {Key redacted.}
X-Yahoo-SMTP: tWofq1mswBAyG013CIZr52fvDyMUnfA-
Message-ID: <53EB4F9B.5040308@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:44:27 -0700
From: NormanS <**********@aosake.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Forgery ...
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
x-aol-global-disposition: G
X-AOL-SCOLL-AUTHENTICATION: mtaiw-mac04.mx.aol.com ; domain : yahoo.com DKIM : pass
Authentication-Results: mx.aol.com;
    spf=fail (aol.com: the domain aosake.net reports that 98.138.91.178 is explicitly not authorized to send mail using it's domain name.) smtp.mailfrom=aosake.net;
    dkim=pass (aol.com: email passed verification from the domain yahoo.com.) header.d=yahoo.com;
x-aol-sid: 3039ac1adeca53eb4fa0267d
X-AOL-IP: 98.138.91.178
X-AOL-SPF: domain : aosake.net SPF : fail
 

Here we see a "hard" fail; this is the consequence of the difference between "~all" and "-all" in the SPF record. (I should also point out that Yahoo! gives this a DKIM pass; that is an artifact of my Yahoo! account configuration.) Either way, an email system which checks the SPF record can, theoretically, filter, and flag based on SPF results. Just for completeness, here is an example which is not a forgery:
Return-Path: <**********@aosake.net>
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaig-aag05.mx.aol.com (Internet Inbound) with ESMTPS id 2685D70000081
    for <**********@aol.com>; Wed, 13 Aug 2014 07:59:30 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
    (authenticated bits=0)
    by c.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s7DBxQdc031962
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
    for <**********@aol.com>; Wed, 13 Aug 2014 04:59:27 -0700
Message-ID: <53EB531B.1090007@Miyuki.aosake.net>
Date: Wed, 13 Aug 2014 04:59:23 -0700
From: "NormanS" <**********@aosake.net>
Organization: DSLR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@aol.com
Subject: [TEST] Not a forgery
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-CAuth: UmFuZG9tSVbR9661ZFC2U9ChVboyvvtpbXJMlS2WIVYOIFOgrQaxg4Deq8t0nZ76sCckWBBQW4ehfNlN6Z DIwhq8xTVgK8Yp
X-Sonic-ID: C;kH8GRuEi5BGa/990oK8kYw== M;aE5pRuEi5BGa/990oK8kYw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=pass (aol.com: the domain aosake.net reports 64.142.111.80 as a permitted sender.) smtp.mailfrom=aosake.net;
x-aol-sid: 3039ac1a7e4553eb532159ba
X-AOL-IP: 64.142.111.80
X-AOL-SPF: domain : aosake.net SPF : pass
 

The bad news is, you can't prevent any e-mail address from being forged. The good news is, if the receiving e-mail system checks SPF, they will tag a fail on a forged DSLR e-mail account, even if they accept delivery.

I'm assuming the garbage at the end is an image of some sort.
A member here at dslr explained that this is "alphabet" spam.

Actually, it is a "Base 64" encoded .zip file.
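The following is an added example, not code from NormanS's post: a minimal SPF evaluator that walks a record the way the receiving MTA in the headers above did, so the "~all" versus "-all" difference shows up as "softfail" versus "fail" for the same unauthorized IP. The two TXT records are the ones quoted in the post; every other DNS answer in the stub zone (the A and MX records, and the SPF records for dslreports.com and mail.sonic.net) is an assumption made up so the example runs offline, and "ptr" is treated as never matching because reverse lookups are not modelled.

```python
"""Minimal SPF (RFC 7208) evaluator against a stubbed, constructed DNS zone.

Added example, not from the original post. Only the mechanisms that occur in
the two quoted records are implemented: a, mx, ip4, include, all (ptr is
accepted but never matches here).
"""
import ipaddress

# Constructed stub zone. dslr.net and aosake.net TXT are from the thread;
# everything else is an assumption so the example runs without network access.
DNS = {
    "TXT": {
        "dslr.net": "v=spf1 mx a ptr include:dslreports.com ~all",
        "aosake.net": "v=spf1 a ip4:173.228.7.217 include:mail.sonic.net -all",
        "dslreports.com": "v=spf1 ip4:64.91.255.0/24 -all",   # assumption
        "mail.sonic.net": "v=spf1 ip4:64.142.111.0/24 -all",  # assumption
    },
    "A": {
        "dslr.net": ["64.91.255.98"],       # assumption
        "aosake.net": ["173.228.7.217"],    # assumption (matches the ip4 term)
        "mx.dslr.net": ["64.91.255.99"],    # assumption
    },
    "MX": {
        "dslr.net": ["mx.dslr.net"],        # assumption
        "aosake.net": [],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr_or_host):
    """True if ip falls inside the CIDR (a bare address is treated as /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr_or_host, strict=False)


def _a_match(ip, host):
    """True if any A record of host equals ip."""
    return any(_ip_in(ip, a) for a in DNS["A"].get(host, []))


def check_spf(ip, domain, depth=0):
    """Return the SPF result for `ip` sending MAIL FROM an address @`domain`."""
    if depth > 10:                     # RFC 7208 caps DNS-lookup mechanisms; keep it simple
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:    # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = _a_match(ip, arg or domain)
        elif mech == "mx":
            matched = any(_a_match(ip, mx) for mx in DNS["MX"].get(arg or domain, []))
        elif mech == "include":
            # include: only a "pass" from the referenced policy counts as a match
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif mech == "ptr":
            matched = False            # reverse DNS not modelled in this stub
        else:
            return "permerror"         # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # record ended without an "all" term


if __name__ == "__main__":
    # The three deliveries quoted in the thread, re-evaluated against the stub zone
    for ip, dom in [("64.142.111.80", "dslr.net"),
                    ("98.138.91.178", "aosake.net"),
                    ("64.142.111.80", "aosake.net")]:
        print(f"{ip:15} MAIL FROM @{dom:11} -> {check_spf(ip, dom)}")
```

The third case passes only through "include:mail.sonic.net", which is why an authenticated submission via sonic.net is a pass while the same sonic.net relay sending for dslr.net is a softfail: the result comes entirely from the sending domain's own record, not from anything the relay did.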

Kylemaul (Premium Member, Puyallup, WA; joined 2001-03-30)
Thank you--I wish I understood half of what you outlined. My take-away from this is that SPF used here wasn't adequate to shuffle this to a spam wastebucket. I'm guessing that maybe SPF is old-school, since I don't seem to have similar issues from other e-mail domains, or that the other domains are using SPF in conjunction with other filtering methods. Sadly, I'm clueless enough that this may be rampant with other email domains, and it is just dslr's 'transparency' that is troubling me?

NormanS (MVM)
How an SPF result is handled is up to the receiver. All of my SPF "Fail" test messages went to my Inbox, despite being flagged. I have not tested this with Mozilla Thunderbird, but that client is capable of filtering on custom headers.

You would need to examine the raw e-mail source to see how any given system handles an anti-forgery protocol.

I am basically uncertain why you thought this was a security issue. It is well known that e-mail is an inherently insecure messaging medium.

Cartel does have a point. I redacted all of the user names (as, "*****@") in my examples. He points to a post you made 2 1/2 years ago, in which you exposed your e-mail address, as you did in the OP. As well, NetFixer provides a weakness, which is not security, but privacy related.

If I wanted to set up a DSLR e-mail account for myself, and accepted the default user name, it would be extremely easy to guess: "NormanS@...".

I did expose a 15-year-old "@yahoo.com" email address to the public in Usenet articles shortly after setting up the account. The spammers "scrape", or "harvest" such publicly exposed e-mail addresses for their own ends. I even had a spammer forge my "@yahoo.com" e-mail address, resulting in a flood of DFNs which nearly rendered that account useless. If you enter your email address in an Internet search, you will find all the places where a spammer's search 'bot can find it; and when they find it, they will "own" it, in the sense that they will add it to their database of, "confirmed opt-in e-mail addresses". To the spammer, if they send and don't get a bounce, that address has "consented to accept advertised offers."

If you consider that a breach of security, the breach is on your hands. I started running my own e-mail service when I realized that was the only way to truly "own" my e-mail address. My current NNTP-Posting (Usenet) email address is: <nospam@blackhole.aosake.net>. It will fail if you try to send an e-mail. It is not a "munge". I control DNS for the domain, and have set no "A" or "MX" record for 'blackhole.aosake.net'.
C:\util\dig>nslookup blackhole.aosake.net
Server:  1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net
Address:  2602:24a:de40:7d90::1
 
*** 1000-0000-0000-0000-09d7-04ed-a420-2062.6rd.ip6.sonic.net can't find
 blackhole.aosake.net: Non-existent domain
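As an added example (not code from NormanS's post), here is what "examine the raw e-mail source" looks like when automated: a small triage script that reads the Authentication-Results header the way a receiver or a mail client with custom-header filters would, checks whether any DKIM pass is for a domain aligned with the From: domain (the DMARC notion of alignment; AOL's headers only report the raw results), and tests whether a Base64 body decodes to a .zip, as the earlier post says the trailing "garbage" did. The three messages are constructed from the headers quoted above with placeholder addresses, the attachment is a dummy zip built here, and the deliver/quarantine policy at the end is an assumption, since, as the post says, how a result is handled is up to the receiver.

```python
"""Triage a raw message on its Authentication-Results header and body.

Added example, not code from the original posts. Sample messages are
constructed from headers quoted in the thread; the zip is a dummy built here.
"""
import base64
import binascii
import io
import re
import zipfile
from email import policy
from email.parser import BytesParser


def parse_auth_results(value):
    """'mx.aol.com; spf=fail (...) smtp.mailfrom=x; dkim=pass header.d=y'
    -> [{'method': 'spf', 'result': 'fail', 'smtp.mailfrom': 'x'}, ...]"""
    no_comments = re.sub(r"\([^()]*\)", "", value)     # drop (comment) text
    results = []
    for stanza in no_comments.split(";")[1:]:          # [0] is the authserv-id
        tokens = stanza.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for prop in tokens[1:]:                        # e.g. header.d=yahoo.com
            key, _, val = prop.partition("=")
            entry[key.lower()] = val.lower()
        results.append(entry)
    return results


def _domain(addr):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def _aligned(d1, d2):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def body_is_base64_zip(text):
    """True if the body is strict Base64 that decodes to a zip local-file header."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"PK\x03\x04")


def triage(raw_bytes):
    """Return (verdict, details) for a raw RFC 5322 message (policy is an assumption)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_dom = _domain(msg["From"] or "")
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    spf = next((r["result"] for r in auth if r["method"] == "spf"), "none")
    dkim_aligned = any(r["method"] == "dkim" and r["result"] == "pass"
                       and _aligned(r.get("header.d", ""), from_dom) for r in auth)
    part = msg.get_body(preferencelist=("plain",))
    zip_body = part is not None and body_is_base64_zip(part.get_content())
    details = {"from": from_dom, "spf": spf, "dkim_aligned": dkim_aligned, "zip_body": zip_body}
    if spf == "pass" or dkim_aligned:
        return "deliver", details
    if spf in ("fail", "softfail") or zip_body:
        return "quarantine", details
    return "deliver-flagged", details


def _zip_b64():
    """Dummy zip archive, Base64-encoded as a mailer would place it in a body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.exe", b"not a real executable")
    return base64.encodebytes(buf.getvalue()).decode()


def _msg(from_hdr, auth, body):
    """Build a constructed raw message from the pieces that matter for triage."""
    return (f"From: {from_hdr}\r\nTo: victim@aol.com\r\nSubject: [TEST]\r\n"
            f"Authentication-Results: {auth}\r\nContent-Type: text/plain\r\n\r\n{body}").encode()


# Constructed samples: header text is AOL's as quoted in the thread, addresses are placeholders
FORGED_DSLR = _msg("Ben Sample <user@dslr.net>",
    "mx.aol.com;\r\n    spf=softfail (aol.com: the domain dslr.net reports 64.142.111.80 should not "
    "be sending mail using it's domain name, but is not forbidden from doing so.) smtp.mailfrom=dslr.net;",
    _zip_b64())
FORGED_AOSAKE = _msg("NormanS <user@aosake.net>",
    "mx.aol.com;\r\n    spf=fail (aol.com: the domain aosake.net reports that 98.138.91.178 is explicitly "
    "not authorized to send mail using it's domain name.) smtp.mailfrom=aosake.net;\r\n"
    "    dkim=pass (aol.com: email passed verification from the domain yahoo.com.) header.d=yahoo.com;",
    "Test message, not a forgery of the body.")
GENUINE = _msg("NormanS <user@aosake.net>",
    "mx.aol.com;\r\n    spf=pass (aol.com: the domain aosake.net reports 64.142.111.80 as a permitted sender.) "
    "smtp.mailfrom=aosake.net;",
    "Hello from the real server.")

if __name__ == "__main__":
    for name, raw in [("forged dslr.net", FORGED_DSLR), ("forged aosake.net", FORGED_AOSAKE), ("genuine", GENUINE)]:
        print(name, "->", *triage(raw))
```

The Yahoo-relayed forgery is the instructive case: its DKIM pass is real, but for yahoo.com, not for the aosake.net domain in From:, so alignment fails and the hard SPF fail stands. A filter that keys only on "dkim=pass" would have let it through.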
 

Kylemaul (Premium Member)

::facepalm:: oops
Kylemaul (Premium Member)

Any possibility of a mod deleting this thread and the one that Cartel pointed out?