SMTP email smuggling

https://www.novabbs.com/computers/article-flat.php?id=887&group=comp.mail.sendmail#887

X-Received: by 2002:a0c:c582:0:b0:67a:8d3c:22a1 with SMTP id a2-20020a0cc582000000b0067a8d3c22a1mr552158qvj.2.1702954110285; Mon, 18 Dec 2023 18:48:30 -0800 (PST)
X-Received: by 2002:a05:6214:238d:b0:67e:c801:4481 with SMTP id fw13-20020a056214238d00b0067ec8014481mr590990qvb.5.1702954109980; Mon, 18 Dec 2023 18:48:29 -0800 (PST)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!feeder.usenetexpress.com!tr1.iad1.usenetexpress.com!69.80.99.14.MISMATCH!border-1.nntp.ord.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mail.sendmail
Date: Mon, 18 Dec 2023 18:48:29 -0800 (PST)
Injection-Info: google-groups.googlegroups.com; posting-host=74.103.45.242; posting-account=Ql-QGQoAAAAKArkTQ9b8iVcz0j7SpopW
NNTP-Posting-Host: 74.103.45.242
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <5820a798-984d-413c-89e3-40173a0615acn@googlegroups.com>
Subject: SMTP email smuggling
From: hqu...@gmail.com (Alex H)
Injection-Date: Tue, 19 Dec 2023 02:48:30 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 6
 by: Alex H - Tue, 19 Dec 2023 02:48 UTC

Curious if Sendmail is vulnerable to the "modified" end of data command as presented on the link below. I see no references to mailer daemons, just to a very limited set of providers/gateways on their timeline details. Hopefully this has been disclosed to Proofpoint already.

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Re: SMTP email smuggling

https://www.novabbs.com/computers/article-flat.php?id=888&group=comp.mail.sendmail#888

X-Received: by 2002:a05:6214:3004:b0:67a:a8a5:aec1 with SMTP id ke4-20020a056214300400b0067aa8a5aec1mr152609qvb.12.1702954700663;
Mon, 18 Dec 2023 18:58:20 -0800 (PST)
X-Received: by 2002:ad4:4eae:0:b0:67f:2cd6:85d0 with SMTP id
ed14-20020ad44eae000000b0067f2cd685d0mr43023qvb.11.1702954700386; Mon, 18 Dec
2023 18:58:20 -0800 (PST)
Path: i2pn2.org!i2pn.org!news.neodome.net!weretis.net!feeder8.news.weretis.net!newsreader4.netcologne.de!news.netcologne.de!peer03.ams1!peer.ams1.xlned.com!news.xlned.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.mail.sendmail
Date: Mon, 18 Dec 2023 18:58:20 -0800 (PST)
In-Reply-To: <5820a798-984d-413c-89e3-40173a0615acn@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=74.103.45.242; posting-account=Ql-QGQoAAAAKArkTQ9b8iVcz0j7SpopW
NNTP-Posting-Host: 74.103.45.242
References: <5820a798-984d-413c-89e3-40173a0615acn@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <fe9350e5-ea57-40da-aac7-37c41063c7ben@googlegroups.com>
Subject: Re: SMTP email smuggling
From: hqu...@gmail.com (Alex H)
Injection-Date: Tue, 19 Dec 2023 02:58:20 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 1780
 by: Alex H - Tue, 19 Dec 2023 02:58 UTC

I take the above back. I just glanced over parts of the blog, and there is a specific section stating most well-known mailer daemons, including Sendmail, are currently vulnerable: "After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to."

I guess the catch may be the sentence "in their default configuration". Perhaps there is a mitigation already there that just needs to be turned on by default?

Re: SMTP email smuggling

https://www.novabbs.com/computers/article-flat.php?id=899&group=comp.mail.sendmail#899

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!.POSTED.veps.esmtp.org!not-for-mail
From: ca+sendm...@mine.informatik.uni-kiel.de (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: SMTP email smuggling
Date: Fri, 22 Dec 2023 01:35:12 -0500 (EST)
Organization: MGT Consulting
Sender: <ca+sendmail(-no-copies-please)@mine.informatik.uni-kiel.de>
Message-ID: <um3an0$sn1$1@news.misty.com>
References: <5820a798-984d-413c-89e3-40173a0615acn@googlegroups.com> <fe9350e5-ea57-40da-aac7-37c41063c7ben@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 22 Dec 2023 06:35:12 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="veps.esmtp.org:155.138.203.148";
logging-data="29409"; mail-complaints-to="abuse@misty.com"
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Fri, 22 Dec 2023 06:35 UTC

Alex H wrote:

> Perhaps there is a mitigation already there that just needs to be turned
> on by default?

8.18.0.2
Accept only CR LF . CR LF as end of an SMTP message as
required by the RFCs when the new srv_features
option 'o' is used.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
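The release note Claus quotes comes down to one parsing decision: only CR LF "." CR LF ends a DATA section. The following Python is an added illustration (not Sendmail's code and not from the SEC Consult blog) of why that matters. It models a receiver applying the strict RFC rule next to a simplified lenient receiver, and runs both over a constructed DATA stream whose body contains a line that is just "." but is delimited by bare LF. The strict receiver keeps the whole payload as one message; the lenient model stops early and is left with trailing bytes that it would then go on to interpret as further SMTP commands. The lenient regex is an assumption made for the illustration, not the behaviour of any particular MTA.

```python
"""Strict vs lenient detection of the SMTP end-of-data indicator.

Added example (hypothetical code, not Sendmail's): models how a receiving
MTA decides where the DATA section ends. RFC 5321 section 4.1.1.4 defines
the terminator as CRLF "." CRLF only; a receiver that also accepts other
line-break styles around the dot can be made to stop reading the message
early and treat the remaining client bytes as new commands.
"""
import re

# The only end-of-data indicator the RFC allows.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")

# Simplified model (assumption, not any specific server's code) of a lenient
# receiver that accepts any mix of CR, LF or CRLF on either side of the dot.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def split_data(stream: bytes, strict: bool):
    """Locate the end-of-data indicator in bytes received after DATA.

    Returns (body, remainder): body is the raw, still dot-stuffed message,
    remainder is whatever follows the terminator. Returns None when no
    terminator has arrived yet. A CRLF is assumed to precede the stream so
    that a message whose very first line is "." is handled as well.
    """
    padded = b"\r\n" + stream
    match = (STRICT_EOD if strict else LENIENT_EOD).search(padded)
    if match is None:
        return None
    return padded[2:match.start()], padded[match.end():]


def unstuff(body: bytes) -> bytes:
    """Undo transparency dot-stuffing (RFC 5321 section 4.5.2).

    A sender prepends a dot to any body line that starts with one, so the
    receiver drops exactly one leading dot per CRLF-delimited line.
    """
    return b"\r\n".join(
        line[1:] if line.startswith(b".") else line
        for line in body.split(b"\r\n")
    )


# Constructed sample input (not captured traffic): a message whose body
# contains a lone "." line delimited by bare LF instead of CRLF.
CONSTRUCTED_DATA = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: terminator handling\r\n"
    b"\r\n"
    b"first part of the body\n"
    b".\n"
    b"this text is still part of the same message\r\n"
    b".\r\n"
)


def leftover_after_eod(stream: bytes, strict: bool) -> int:
    """Bytes a receiver would carry over as 'next command' after the
    terminator it recognised; 0 means the whole stream was one message."""
    result = split_data(stream, strict)
    return 0 if result is None else len(result[1])


if __name__ == "__main__":
    for strict in (True, False):
        body, rest = split_data(CONSTRUCTED_DATA, strict)
        print(f"strict={strict}: body={len(body)} bytes, "
              f"leftover={len(rest)} bytes")
        print(unstuff(body).decode())
```

Running the block shows the strict receiver consuming all of `CONSTRUCTED_DATA` as one message body (0 leftover bytes), while the lenient model ends the message at the bare-LF dot line and carries the rest over. Logging the second case, a DATA section that ends anywhere other than at CRLF.CRLF while bytes remain, is a useful detection signal even on a server that already parses strictly.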
