John Levine via Postfix-users:
> This paper describes a clever hack that uses defective line endings to embed
> a second SMTP session inside a first one, which has the practical effect
> of letting you send fake authenticated mail from anyone else who uses the
> same mail system you do. If that system is MS Outlook, that's a lot of
> people.
>
> The hack depends on embedding strings like <LF>.<CR><LF> in a message which
> a sending system doesn't recognize as needing dot stuffing, and a recipient
> system treats as end of data.
>
> The paper claims that Postfix falls for this trick. We might want to tighten
> up bare LF handling. These days does anything that's not a botnet send bare
> LFs without using BDAT?
>
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
See thread "Postfix authenticated sender and From...".

Wietse
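The line-ending ambiguity John describes, worked through from the defender's side as an added example (this is not code from the thread, from Postfix, or from the SEC Consult paper): a detector for `<EOL>.<EOL>` sequences that are not the canonical `CRLF.CRLF`, a sender-side framer that normalizes line endings before dot-stuffing so such sequences can never survive, and a strict receiver that ends DATA only at `CRLF.CRLF` and rejects bare CR or LF, which is the "tighten up bare LF handling" option. The function names and the `SMUGGLED` sample stream are constructed for this illustration.

```python
"""Added example (not from the thread or from Postfix): the <LF>.<CR><LF> ambiguity
behind SMTP smuggling, seen from the defender's side. Function names and the
sample DATA stream below are constructed for this illustration."""
import re

# Any dot-only line whose surrounding line endings are anything other than a
# full CRLF pair. RFC 5321 ends DATA only at <CR><LF>.<CR><LF>; a receiver
# that also accepts these variants sees two messages where the sender saw one.
ANY_EOL_DOT_EOL = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")
CANONICAL_EOD = b"\r\n.\r\n"

# Constructed sample: one message whose body carries a bare-LF end-of-data
# sequence followed by text shaped like a second SMTP transaction.
SMUGGLED = (
    b"Subject: hi\r\n\r\nbody\n.\r\n"
    b"MAIL FROM:<spoofed@example.com>\r\nRCPT TO:<victim@example.com>\r\nDATA\r\n"
    b"Subject: fake\r\n\r\nspoof\r\n.\r\n"
)


def find_smuggling_sequences(body: bytes) -> list[int]:
    """Byte offsets of <EOL>.<EOL> sequences that are not the canonical CRLF.CRLF."""
    return [m.start() for m in ANY_EOL_DOT_EOL.finditer(body) if m.group(0) != CANONICAL_EOD]


def has_bare_newlines(data: bytes) -> bool:
    """True if any LF lacks a preceding CR, or any CR lacks a following LF."""
    return re.search(rb"(?<!\r)\n|\r(?!\n)", data) is not None


def lenient_message_count(stream: bytes) -> int:
    """How many DATA blocks a receiver that accepts any <EOL>.<EOL> as end-of-data would see."""
    return len(ANY_EOL_DOT_EOL.findall(b"\r\n" + stream))


def normalize_crlf(body: bytes) -> bytes:
    """Rewrite every CRLF, lone CR and lone LF as CRLF so dot-stuffing sees every line."""
    return body.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")


def frame_data(body: bytes) -> bytes:
    """Sender side: normalize line endings, dot-stuff, then append the CRLF.CRLF terminator."""
    lines = normalize_crlf(body).split(b"\r\n")
    stuffed = b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)
    if stuffed and not stuffed.endswith(b"\r\n"):
        stuffed += b"\r\n"
    return stuffed + b".\r\n"


def receive_data(stream: bytes) -> tuple[bytes, bytes]:
    """Strict receiver: only CRLF.CRLF ends DATA, and bare CR or LF is rejected.
    Returns (unstuffed message, remaining stream)."""
    haystack = b"\r\n" + stream  # the DATA command line itself ended with CRLF
    end = haystack.find(CANONICAL_EOD)
    if end == -1:
        raise ValueError("DATA not terminated by CRLF.CRLF")
    message = haystack[2:end]
    if has_bare_newlines(message):
        raise ValueError("bare CR or LF inside DATA")
    lines = message.split(b"\r\n")
    unstuffed = b"\r\n".join(ln[1:] if ln.startswith(b".") else ln for ln in lines)
    return unstuffed, haystack[end + len(CANONICAL_EOD):]


if __name__ == "__main__":
    print("non-canonical end-of-data at offsets:", find_smuggling_sequences(SMUGGLED))
    print("lenient receiver would see", lenient_message_count(SMUGGLED), "message(s)")
    framed = frame_data(SMUGGLED)
    print("after normalize+stuff, lenient receiver sees", lenient_message_count(framed))
    msg, rest = receive_data(framed)
    print("strict receiver delivered one message; leftover bytes:", len(rest))
```

The sender-side fix does not depend on what any receiver does: once every line ending is CRLF before stuffing, a dot that started a line in the original body is always doubled, so no `<EOL>.<EOL>` reaches the wire. The strict receiver is the complementary control for mail arriving from clients that cannot be fixed, at the cost of rejecting the bare-LF senders the thread asks about.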