On 12/6/2017 4:27 AM, Frido Otten wrote:
Yesterday I saw this message that a bug in mail clients allows sender
spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
about it. More information about it here: https://www.mailsploit.com/index
I was thinking that there might be a possibility to detect this in
SpamAssassin to protect our users against this. Something with the
newline character or null byte in the From header, but I'm not that
handy with it. Maybe someone of you has already created a rule?
My understanding of it was from Jan-Pieter Cornet's post on the
MIMEDefang list. In short, it involves RFC2047 MIME encoding of headers
with control characters. The demo shows issues with Nul but that's not
the only control character.
Something like this:
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
And a paired rule for \n looking for maxhits. Beyond that, what's a
good control character regex?
https://www.regular-expressions.info/nonprint.html tells me that it's
complicated so for now, we know null is a real world issue that causes
user visual issues.
Give me a few, I'm looking at this more.
Can anyone take a look if there are other mailsploit issues that should
have rules? I think it has good merit.
I can't seem to get their system to send me payloads. I'm Bcc'ing Sabri
Haddouche for his input.
Regards,
KAM
--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
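For readers who want to check what the rule above is matching on, here is an added example (my own, not code from the thread or from the SpamAssassin project) that decodes an RFC 2047 encoded From header the way a mail client would and reports any control characters hidden in it. It goes slightly beyond the NUL-only rule by flagging every C0 control and DEL; the header values are constructed samples.

```python
import email.header
import re

# Any C0 control character (NUL, CR, LF, ...) or DEL inside a decoded
# From header is a red flag: none of them belong in a display name.
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')


def decode_rfc2047(value: str) -> str:
    """Decode encoded-words in a header value like a mail client does."""
    parts = []
    for chunk, charset in email.header.decode_header(value):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or 'ascii', errors='replace'))
        else:
            parts.append(chunk)
    return ''.join(parts)


def find_control_chars(value: str) -> list[int]:
    """Return the sorted code points of control chars in the decoded header."""
    return sorted({ord(c) for c in CONTROL_RE.findall(decode_rfc2047(value))})


def suspicious_headers(headers: list[str]) -> list[str]:
    """Filter a batch of raw From header values down to the suspicious ones."""
    return [h for h in headers if find_control_chars(h)]


# Constructed samples: a NUL smuggled after a spoofed display name, a LF
# smuggled the same way, and two ordinary headers that must not match.
SAMPLES = [
    '=?utf-8?Q?alice=40example.com=00?= <bob@example.net>',
    '=?utf-8?Q?alice=40example.com=0A?= <bob@example.net>',
    '=?utf-8?Q?Alice_Example?= <alice@example.com>',
    'Bob <bob@example.net>',
]

if __name__ == '__main__':
    for hdr in SAMPLES:
        print(repr(hdr), '->', find_control_chars(hdr))
```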