On Fri, 30 May 2008 00:11:51 +0100
Robert Bridge <[EMAIL PROTECTED]> wrote:
> On Fri, 30 May 2008 02:05:42 +0300
> Daniel Iliev <[EMAIL PROTECTED]> wrote:
>
> > On Thu, 29 May 2008 08:38:27 +0000 (UTC)
> > [EMAIL PROTECTED] wrote:
> >
> > > W. Canis wrote:
> > > > OK, I can't bring myself a "proof of concept".
> > >
> > > Allow me to help you with that part.
> > >
> > > Personally I still think signatures in public mailing lists are
> > > overrated.
> > >
> > > NOT signed by
> > > Some Gentoo user with a security job and 5 minutes of time
> > >
> > > P.S. Daniel - I really hope this is ok with you. I took your dare
> > > literally for this one time. Your personality won't be abused by
> > > me again.
> >
> >
> > No problem,..ehh..PSZ, I presume? :)
> >
> > It was I who gave the idea and the challenge. Don't worry, it's
> > really fine by me.
> >
> > I admit it looks very much as if the message was sent by me and could
> > be deceiving at first glance, but:
> >
> >
> > FAKE:
> > ===
> > Received: from observed.de (observed.de [81.169.134.89])
> > by pigeon.gentoo.org (Postfix) with ESMTP id AE151E05BC
> > for <gentoo-user@lists.gentoo.org>; Thu, 29 May 2008
> > 08:38:27 +0000 (UTC)
> > ===
> >
> >
> > NOT FAKE:
> > ===
> > Received: from fg-out-1718.google.com (fg-out-1718.google.com
> > [72.14.220.153])
> > by pigeon.gentoo.org (Postfix) with ESMTP id 3E5ACE0229
> > for <gentoo-user@lists.gentoo.org>; Mon, 26 May 2008 00:30:07
> > +0000 (UTC)
> > ===
>
> Except that even that can be faked.
>
> The header is part of the payload, so can be whatever the user decides
> to put in; simply fake a set of relay lines, and how do you know?
>
> Rob.
Yes, you can insert headers before you send the message, but the SMTP
server which receives the message for local delivery always has the
final word. In this case pigeon.gentoo.org has added its headers to the
"proof of concept" message and we can see that the mail "from [EMAIL PROTECTED]"
was actually sent from elsewhere.

Glad to hear you didn't mind, Daniel.
Yes, you traced me correctly. And as Rob already noticed, that could be
circumvented by spoofing the header a little more. Also, you were correct to
notice that the receiving server has the last word; however, many servers today
do -not- perform reverse DNS lookups. You can basically put into the EHLO
message whatever you want and the receiving server will buy it.
So with some effort we could make it look as if the message was actually
received from fg-out-1718.google.com. At least as long as pigeon.gentoo.org
doesn't do reverse DNS lookups, which frankly I didn't check. :)
--Paul
--
gentoo-user@lists.gentoo.org mailing list
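The two points made in the thread (Rob's: any Received: line below the one your own MTA stamped was part of the payload and can be forged; Paul's: the EHLO name is whatever the client chooses to send) can be checked mechanically. Postfix records each hop as "from <EHLO name> (<reverse-DNS name> [<peer IP>])": the first name is the client's claim, the parenthesised part is what the server itself observed about the TCP peer, and the sender cannot influence it. The script below is an added example, not code from the thread or from Gentoo's infrastructure. It takes the two Received: lines quoted above, adds a constructed third message in which the sender both EHLOs as fg-out-1718.google.com and inserts a forged relay line, and uses a constructed PTR table in place of real reverse-DNS lookups so that it runs offline; the From: addresses and Postfix queue ids in the constructed message are likewise made up.

```python
"""Locate the trusted hop in a Received: chain and test the sender's EHLO claim.

Added example for this thread, not code from the gentoo-user list. The two
Received: lines stamped by pigeon.gentoo.org are the ones quoted in the thread;
the From: addresses, the extra forged relay line and the offline PTR table are
constructed for the example.
"""
import email
import re
import textwrap

# Postfix stamps: from <EHLO name> (<reverse-DNS name> [<peer IP>]) by <this host> ...
# The EHLO name is whatever the client sent; the parenthesised part is what the
# receiving MTA itself observed about the TCP peer and cannot be set by the sender.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

# Constructed stand-in for PTR lookups so the example runs offline; a real check
# would call socket.gethostbyaddr() and forward-confirm the returned name.
PTR_TABLE = {
    "72.14.220.153": "fg-out-1718.google.com",
    "81.169.134.89": "observed.de",
}

# The header pigeon.gentoo.org added to Daniel's genuine post (from the thread).
GENUINE_MSG = textwrap.dedent("""\
    Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.153])
        by pigeon.gentoo.org (Postfix) with ESMTP id 3E5ACE0229
        for <gentoo-user@lists.gentoo.org>; Mon, 26 May 2008 00:30:07 +0000 (UTC)
    From: Daniel Iliev <daniel@example.invalid>
    Subject: genuine post

    body
    """)

# Paul's proof of concept: honest EHLO, but the peer is observed.de, not Google.
FAKE_MSG = textwrap.dedent("""\
    Received: from observed.de (observed.de [81.169.134.89])
        by pigeon.gentoo.org (Postfix) with ESMTP id AE151E05BC
        for <gentoo-user@lists.gentoo.org>; Thu, 29 May 2008 08:38:27 +0000 (UTC)
    From: Daniel Iliev <daniel@example.invalid>
    Subject: proof of concept

    body
    """)

# Rob's variant (constructed): the sender EHLOs as Google's relay and also
# inserts a forged Received: line below, claiming a Google -> observed.de hop.
SPOOFED_RELAY_MSG = textwrap.dedent("""\
    Received: from fg-out-1718.google.com (observed.de [81.169.134.89])
        by pigeon.gentoo.org (Postfix) with ESMTP id 0123456789
        for <gentoo-user@lists.gentoo.org>; Thu, 29 May 2008 08:38:27 +0000 (UTC)
    Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.153])
        by observed.de (Postfix) with ESMTP id 9876543210
        for <gentoo-user@lists.gentoo.org>; Thu, 29 May 2008 08:38:00 +0000 (UTC)
    From: Daniel Iliev <daniel@example.invalid>
    Subject: proof of concept, take two

    body
    """)


def parse_received(value):
    """Parse one Received: value (folded or not); None if it is not Postfix-style."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def received_chain(raw):
    """Parseable Received: hops in header order, i.e. most recent relay first."""
    msg = email.message_from_string(raw)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def first_trusted_hop(raw, trusted_mta):
    """Index and fields of the topmost hop stamped by our own MTA.

    Every Received: line below it was already inside the message when our MTA
    accepted it, so the sender could have written those lines."""
    for i, hop in enumerate(received_chain(raw)):
        if hop["by"].lower() == trusted_mta.lower():
            return i, hop
    return None


def origin_report(raw, trusted_mta, ptr_table=PTR_TABLE):
    """Report the real peer and whether its EHLO name agrees with reverse DNS."""
    found = first_trusted_hop(raw, trusted_mta)
    if found is None:
        return {"trusted_hop": False}
    idx, hop = found
    ptr = ptr_table.get(hop["ip"], "unknown")
    return {
        "trusted_hop": True,
        "peer_ip": hop["ip"],
        "claimed_helo": hop["helo"],
        "reverse_dns": ptr,
        "helo_matches_ptr": hop["helo"].lower() == ptr.lower(),
        "sender_supplied_hops": len(received_chain(raw)) - idx - 1,
    }


if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_MSG), ("fake", FAKE_MSG),
                      ("spoofed relay", SPOOFED_RELAY_MSG)]:
        print(name, origin_report(raw, "pigeon.gentoo.org"))
```

For the constructed third message the report names 81.169.134.89 as the peer, flags the EHLO name as disagreeing with the PTR record, and counts one sender-supplied hop; the forged google.com line is never consulted because it sits below the hop pigeon.gentoo.org stamped. Whether the list server's own Received: line can be trusted depends on exactly the property Paul says he did not check: whether the receiving MTA records the peer address and reverse DNS itself rather than echoing the EHLO argument.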