Mailsploit: now is the time for increased email diligence (and fakes)
December 6, 2017 8:03 AM

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs (Andy Greenberg for Wired) -- as summarized on the Mailsploit website
TL;DR: Mailsploit is a collection of bugs in email clients (over 30 applications) that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters... In addition to the spoofing vulnerability, some of the tested applications also proved to be vulnerable to XSS and code injection attacks.

For a bit of history, Alan Henry wrote up a good article on how spammers spoof your email address (and how to protect yourself) for Lifehacker in 2014, delving into some of the technical aspects of how email servers and clients work. And the article links to PHPMailer, which has some implicit capacity to set the sender as anything the user wants to list, which may look legit at first glance when receiving an email, but which gives itself away if you dig into the email header and learn what it all means.

But Mailsploit chains some exploits in both email servers AND clients to side-step Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Permitted From (SPF, renamed to "Sender Policy Framework" in 2004) authentication protocols that can help block spoofed emails at the email server level. Because different email servers and clients work differently, Mailsploit currently includes 14 different ways to spoof email sender information.

As reported by Wired,
[Security researcher and programmer Sabri Haddouche (Twitter), the creator of Mailsploit,] says he contacted all of the affected firms months ago to warn them about the vulnerabilities he's found. Yahoo Mail, Protonmail and Hushmail have already fixed their bugs, while Apple and Microsoft have told Haddouche they're working on a fix, he says. Most other affected services haven't responded, Haddouche says. Haddouche's full list of affected email clients and their responses to his Mailsploit research is here.

Mozilla and Opera, meanwhile, both say they don't plan to fix their Mailsploit bugs, instead describing them as server-side problems. And that response may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable.
The (non-exhaustive) list of vulnerable clients includes a column to note which vendors have stated what they're doing to address Mailsploit.

Haddouche also provides some solutions on the Mailsploit website that can be treated as good general precautions:
Update your email client whenever a software update is available. Email will continue to play a role for decades but you can reduce the usage drastically as better alternatives to stay in touch exist.

Use end-to-end encrypted messengers for personal conversations, and at work. https://www.securemessagingapps.com is a good, independent source of recommendations for that.

If you must stick with emails then use PGP/GPG to verify the identities and encrypt email contents.
Alan Henry also wrote an article on (why and) how to encrypt your email and keep your conversations private for Lifehacker back in 2013, but more current, less graphical tutorials on PGP/GPG come to the same general conclusion.
posted by filthy light thief (29 comments total) 36 users marked this as a favorite
 
Great post. The problem with GPG/PGP is, of course, that few of my email contacts use it.
posted by runcifex at 8:22 AM on December 6 [3 favorites]


I remember when computers were fun
posted by thelonius at 8:42 AM on December 6 [27 favorites]


Really wish they had gone into more detail about the MTA (email server) side of things, as that is where the mitigation really needs to happen. "Fixing" the MUAs (email clients) doesn't stop the propagation of this forged mail, it just alerts the end user to it.
posted by namewithoutwords at 8:43 AM on December 6 [6 favorites]


I disagree with the folks at Mozilla and Opera. In the end, this is an MUA vulnerability - mail clients that are only displaying part of what we call the "friendly From address". There's not really a server-side vulnerability here. The authentication methods are validating correctly against what they're presented, and it's not THEIR fault that what the MUA is showing the end user is not the same as what they've validated. Mail servers should *not* be sanitizing data headers.

That said, I think various anti-spam vendors should probably be looking at whether their product allows these things to pass and, if so, if they should be blocking them.
posted by hanov3r at 8:57 AM on December 6 [6 favorites]


I remember when computers were fun

I hate to tell you this, but email has always been a gaping security hole, and for teenage "hackers," spoofing emails and trying to prank your friends was Internet Mischief 101. Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.
posted by filthy light thief at 8:59 AM on December 6 [8 favorites]


Vulnerabilities: Thunderbird ≤ 52.5.0

(checks mail client)... Thunderbird 58.0b1

OK then. My decade-long refusal to use Mail.app on the desktop has paid off

Now to wait for the inevitable freak out from our IT folks, who have forced us all to endure the hell that is Outlook at work
posted by caution live frogs at 9:10 AM on December 6 [1 favorite]


Seriously though I keep wondering (as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like - the hazards of being an early Gmail adopter!) what exactly it will take for email to start using some end to end authentication, by default.

What we lose in anonymity we gain in spam and fraud reduction.
posted by caution live frogs at 9:12 AM on December 6


Email will continue to play a role for decades but you can reduce the usage drastically as better alternatives to stay in touch exist.

Citation needed.
posted by Chrysostom at 9:12 AM on December 6 [8 favorites]


I agree this attack seems to be more of a mail client problem than a mail server problem. The mail servers ARE questioning whether I'm actually jsmith@gmail.com.

But then the email client is being a bit too trusting with how to display my "From" name which I've told it is spelled John "ERASE EVERYTHING OUTSIDE THESE QUOTES AND PUT POTUS@WHITEHOUSE.GOV INSTEAD" Smith.
posted by justkevin at 9:31 AM on December 6 [3 favorites]


> Vulnerabilities: Thunderbird ≤ 52.5.0
(checks mail client)... Thunderbird 58.0b1
OK then. My decade-long refusal to use Mail.app on the desktop has paid off
Chances are they didn't actually test versions > 52.5.0 since that's the latest official stable release.
posted by farlukar at 9:40 AM on December 6 [1 favorite]


email has always been a gaping security hole

Oh, I know. Problems with sendmail were notorious. I incline to the view of an article I saw once: security just wasn't a concern for the authors of a lot of early infrastructure code. The only people they thought would use it were trustworthy - academics, government researchers.

And your Monty-Python-quoting nerd buds owning you was fun, compared to getting phished or whatever.
posted by thelonius at 9:41 AM on December 6 [3 favorites]


I am well aware of the flaws inherent in email, but...I kind of wish they hadn't put this tool out there? Because I think of thelonius's statement more like this:
I remember when computers were fun used responsibly
Like your friends might goof on you a bit, but there were no commonly-available tools to attack entire domains at once in order to steal everyone's money and lock up their files and ruin their credit. *sigh* Now I am teh old, I guess.
posted by wenestvedt at 9:45 AM on December 6 [2 favorites]


If the government and media companies had spent a tenth of the resources that they waste on "digital piracy" on trying to end spam and fraud emails, we wouldn't be in this position. The exploits might still be there, but if email fraud were treated like paper mail fraud - with prison sentences attached if you're found to actually cause harm - there'd be a lot less activity to work as a smokescreen to hide behind.
posted by ErisLordFreedom at 9:46 AM on December 6 [3 favorites]


The problem with GPG/PGP is, of course, that few of my email contacts use it.

I believe the problem with GPG/PGP is that even security pros are unable to use them easily or with any degree of confidence that they're not going to make a catastrophic mistake either now or at some point in the future.
posted by wotsac at 9:48 AM on December 6 [3 favorites]


So... those of us who never knew that we were supposed to be able to trust the "From:" header as reported by our mail client, we're still good? *checks exploit details* Yeah, we're still good. All this means is that vulnerable systems behave the way I assumed all email systems still worked, because that's how they did all work for a long time.
posted by hades at 9:48 AM on December 6 [5 favorites]


farlukar: "Chances are they didn't actually test versions > 52.5.0 since that's the latest official stable release."

I tested it. And guess what - you're exactly right. I have an email sent to me from Mailsploit, that looks for all intents and purposes as if it came from my work address.
posted by caution live frogs at 9:52 AM on December 6 [3 favorites]


hades, there's at least one authentication method that's *supposed* to allow you to trust the From: header, to some extent, while simultaneously giving the purported sender a way to say "here's what to do with mail that's supposedly from me that doesn't authenticate in some way". DMARC (mentioned above) ties the From: header to the envelope data, which can be authenticated via SPF or DKIM.

Mailsploit circumvents that by using a domain the attacker controls (for which they can provide SPF, DKIM, and DMARC data) and then not displaying that domain to the recipient.
posted by hanov3r at 9:54 AM on December 6 [2 favorites]


However. When faced with a questionable email, I almost always check the source. In this case, it says:
From: "=?utf-8?(this is the UTF encoded faked email address)="
<=?utf-8?(this is the UTF encoded faked email address again)=@mailsploit.com>


There are vanishingly few large-scale desktop email applications that let you easily check the full message source code. Sure with work I can view headers, but having access to the source at a keystroke is something I really do rely on to verify some of these things.
posted by caution live frogs at 9:57 AM on December 6 [3 favorites]


there's at least one authentication method that's *supposed* to allow you to trust the From: header, to some extent

Yeah, but because I stopped administering my own mail servers during the period when those methods were still gaining adoption (and causing serious problems for my mailman lists), I never really trusted them. Hm. I wonder what a mailsploit message looks like in Alpine?
posted by hades at 10:04 AM on December 6


wenestvedt: Like your friends might goof on you a bit, but there were no commonly-available tools to attack entire domains at once in order to steal everyone's money and lock up their files and ruin their credit. *sigh* Now I am teh old, I guess.

The way I read the timeline --

* Haddouche tested the vulnerabilities in the past months/maybe years, confirmed the combined exploits and then alerted email providers/software vendors about a month back, giving them time to reply,
* released this "demo" tool online now, being able to note who said what about their platform/software

-- implies to me that he's operating with the idea that this information is now to inform the public and make them more wary, either moving to a secure platform, using encryption with their emails, or at least being aware of that this sort of threat exists and that service providers may not be doing all they can/should, so you can leave one company for another.

Also, there are other tools already "in the wild" that allow more tech savvy people to do all this, he's just packaged it as an information tool. Will this be misused? Yes, but it seems he made the decision to offer information now (and get a good bit of internet coverage from it), rather than wait for all service providers/vendors to patch their software and inform their customers, because in the mean time, more nefarious folks may discover and chain these vulnerabilities on their own, with much less publicity.


thelonius: And your Monty-Python-quoting nerd buds owning you was fun, compared to getting phished or whatever.

hades: So... those of us who never knew that we were supposed to be able to trust the "From:" header as reported by our mail client, we're still good? *checks exploit details* Yeah, we're still good. All this means is that vulnerable systems behave the way I assumed all email systems still worked, because that's how they did all work for a long time.

We can't roll back the clock, so might as well bring the masses up instead of shutting the internet down, right? That's how I see all this. I also long for the geekier, more trust-worthy past*, but I also see the huge benefit of internet for all. I just wish "technical literacy" was taught from elementary school on, at least to help inform everyone about 1) what they're using in the most basic of terms, and 2) help them be safer for themselves and those around them. Like driver's ed, but start earlier and get a bit more in-depth, given how much more nuanced "technology" is than "motor vehicles on the roads."

* Trolls, assholes, and griefers have also been online since the beginning, so maybe this dream of "the nice, geeky 'net" is looking back through rose-tinted VR goggles. Meet the Internet’s earliest cat lovers — and the trolls who terrorized them -- alt.cats was invaded by alt.tasteless assholes in 1993.
posted by filthy light thief at 10:17 AM on December 6 [5 favorites]


We can't roll back the clock, so might as well bring the masses up instead of shutting the internet down, right?

Except not only can't we roll back the clock, but I'm not convinced we can bring the masses up, either. Email is fundamentally untrustworthy, and so far nothing that's been bolted onto it has made it much better. We need something designed from the ground up to make phishing and spamming difficult (or at least phishing; spamming is probably a lost cause), while still allowing for decentralized operation. Something that solves the same problems email does, because WhatsApp, Signal, Mastodon, Facebook, etc, don't really fill that hole.

There are plenty of implementations of client-side encryption and authentication, but none of them are going to see widespread adoption until there's something forcing everyone to use them. I mean, IPv6 has been around for almost 20 years and it's only been implemented as much as it has because there's a hard limit to the number of IPv4 addresses, and we're very nearly out of them. Maybe in 5 years when none of the RIRs have any addresses to hand out, there'll be a real switch to IPv6 globally, but I wouldn't count on it. What's the natural limit on use of legacy email?

I just wish "technical literacy" was taught from elementary school on

Amen to that.
posted by hades at 10:43 AM on December 6 [4 favorites]


We're speaking at 34c3 about plan(s) by Riseup, GNUnet, Panoramix, and pEp to build a replacement for email with a messaging system based on mix networking. We only have vaporware at this point, but we'll be talking about all the design constraints, including explaining why the threat model of low-latency systems like Tor does not suffice.

We do not plan to speak about authorization, only the mix networking layer. In fact, we do not all have exactly the same views on the authorization problem anyway, but any scheme that resists traffic analysis necessarily reduces usable bandwidth, so SPAM must be eliminated.

As an example, Pond users can only receive about 288 messages per day since Pond only does network traffic on average every 5 min, so Pond handles anonymous authorization using a group signature scheme. Authorizing strangers, as email requires, becomes harder of course, but introductions by mutual contacts help. We can separately constrain the bandwidth from strangers too.
posted by jeffburdges at 12:09 PM on December 6 [3 favorites]


So mutt is OK?
posted by Obscure Reference at 5:22 PM on December 6


Hah! I was having a conversation with a colleague on the arms race that is hacking and identity theft in the near future and what it means to our business. Basically, my postulation of the risks that cloud computing eventually implies in the land of hacking is not just that your data is available, but more importantly (and scarily) that the algorithms and segmentations a company uses are generally available right alongside it. (Here's looking at you Azure and AWS!)

In the old days, fraud detection was 'wow! somebody spent $$$$ (lots of money) from my account shut it down!' then it translated to 'wow! this purchase habit of $$ isn't my purchase habit shut it down!' I think we're moving towards a great risk of fraud inherently co-opting our models, either altering them, the destination, or modeling our fraud detection and minimizing positive detection (possibly by either driving up false positives or, literally building training data for behavior to beat fraud checks).

The goal of a fraudster then becomes to make money off of grey transactions at the small scale or to hold hostage a compromised company dataset by flooding distrust between companies and their clients at the larger scale...
posted by Nanukthedog at 10:26 PM on December 6 [2 favorites]




as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like

oops. Sorry.
posted by petebest at 3:17 AM on December 7 [1 favorite]


as my spam folder fills daily, thanks to the FUCKING IDIOT MORON who keeps using my email address when signing up for porn sites and the like

Hey, don't be so hard on yourself.
posted by axiom at 7:13 PM on December 7 [2 favorites]


(I'm Dan Kaminsky, quoted in this article.)

Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.

Yes, it's a very good sign of spam. Too much so; dropping to port 25 and tapping out someone's name just doesn't *do* anything anymore. The mail never arrives.

What's cute with this class of attack is you can be completely open and up front about who you are, to the mail server, while declaring a totally different identity to the user. Technically even PGP checks might work, or would if any significant number of people had MUAs with integrated crypto. The letters would absolutely be signed by badguy@badguy.com.

The SPAM fighters could take another crack at this but they didn't really try to deal with any of these attacks in the first place. It was just a convenient signal.

There are vanishingly few large-scale desktop email applications

You can drop that to there are vanishingly few desktop applications. If it wasn't for Electron I think the entire platform would be gone (at least off Mac).

that let you easily check the full message source code. Sure with work I can view headers, but having access to the source at a keystroke is something I really do rely on to verify some of these things.

I'm of both minds here. I both know people check the headers way less than they think they do, and also that when we need to check headers, we really, really need to check them.

We need something designed from the ground up to make phishing and spamming difficult (or at least phishing; spamming is probably a lost cause), while still allowing for decentralized operation.

We've only barely kept email a viable channel, and what we've done there is basically creating email cartels. It looks like you don't need *much* decentralization to avoid the centralization traps. More than 1 or 2. Less than 10.

7+-2 in all things.
posted by effugas at 9:34 AM on December 8 [3 favorites]


I have an email sent to me from Mailsploit, that looks for all intents and purposes as if it came from my work address.

I use Thunderbird, and I just tried all of Mailsploit's options. While nearly all of them showed the pretend address as the sender, dkim_verifier showed the tell-tale DKIM: Valid (Signed by mailsploit.com) for all of them. It's still a bloody awful weakness despite this.
posted by scruss at 9:53 AM on December 8 [1 favorite]
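The mechanism several commenters describe (justkevin's "friendly From" that smuggles a second address, hanov3r's point that DMARC aligns the addr-spec with the attacker's own SPF/DKIM domain, the raw `=?utf-8?...?=` From: line caution live frogs pasted, and scruss's "DKIM: Valid (Signed by mailsploit.com)") comes down to one gap: the server authenticates the address inside the angle brackets, the client renders a decoded RFC 2047 encoded-word. The following is an added example, not code from the thread, from Wired, or from Mailsploit, showing the check a client or filter could run: decode the header the way a client would, then refuse to trust it if the decoded text carries control characters or an address on a domain other than the one the server authenticated. Everything in it is an assumption: the sample headers are constructed (mailsploit.com and potus@whitehouse.gov are borrowed from the thread for the shape only, the bytes are ours), the NUL byte is our stand-in for the kind of control character a truncating client would stop at, and the `dkim=pass header.d=` Authentication-Results form is assumed, not taken from any specific MTA.

```python
"""
Added example: audit a From: header for Mailsploit-style display tricks.
Not code from the thread, Wired, or Mailsploit. All sample data below is
constructed for this example.
"""
import base64
import re
from email.header import decode_header

# Control characters never belong in a decoded display name; a client
# that stops rendering at NUL or LF is exactly what the trick relies on.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ANGLE_ADDR_RE = re.compile(r"<([^<>]*)>")
# Assumed Authentication-Results shape: "... dkim=pass header.d=example.org ..."
HEADER_D_RE = re.compile(r"dkim=pass\b[^;]*?header\.d=([A-Za-z0-9.-]+)", re.I)


def encoded_word(text: str) -> str:
    """Build a base64 RFC 2047 encoded-word (used here to construct samples)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?utf-8?b?" + b64 + "?="


def decode_rfc2047(raw: str) -> str:
    """Decode every =?charset?enc?...?= token; unencoded text passes through."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def authenticated_domain(raw_from: str) -> str:
    """Domain of the addr-spec inside <...>: the part SPF/DKIM/DMARC judged."""
    m = ANGLE_ADDR_RE.search(raw_from)
    addr_spec = m.group(1) if m else raw_from
    return addr_spec.rsplit("@", 1)[-1].strip().lower()


def audit_from(raw_from: str, auth_results: str = "") -> dict:
    """Return what a client would show, plus the reasons not to trust it."""
    shown = decode_rfc2047(raw_from)
    real_domain = authenticated_domain(raw_from)
    findings = []

    if CONTROL_CHARS.search(shown):
        findings.append("control characters inside decoded From: text")

    # Any address-looking string in the decoded text that is NOT on the
    # authenticated domain is the display trick the thread is about.
    shown_domains = {a.rsplit("@", 1)[-1].lower() for a in ADDR_RE.findall(shown)}
    foreign = sorted(shown_domains - {real_domain})
    if foreign:
        findings.append(f"displayed address on {foreign}, authenticated domain is {real_domain}")

    # DMARC-style alignment: DKIM d= against the addr-spec domain. For the
    # spoofed sample this PASSES, which is why the server let it through.
    d = HEADER_D_RE.search(auth_results)
    dkim_domain = d.group(1).lower() if d else None
    aligned = dkim_domain is not None and dkim_domain == real_domain

    return {
        "shown": shown,
        "authenticated_domain": real_domain,
        "dkim_domain": dkim_domain,
        "dmarc_aligned": aligned,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed samples (not captured traffic). The first mirrors the shape
# caution live frogs quoted: an encoded-word as the display name, and the
# same encoded-word as the local part of an address on mailsploit.com.
FAKE = "potus@whitehouse.gov\x00"   # NUL is our assumed truncation trigger
SPOOFED_FROM = f"{encoded_word(FAKE)} <{encoded_word(FAKE)}@mailsploit.com>"
SPOOFED_AUTH = "mx.example.net; dkim=pass header.d=mailsploit.com; spf=pass"
HONEST_FROM = f"{encoded_word('Jöhn Smith')} <jsmith@example.org>"
HONEST_AUTH = "mx.example.net; dkim=pass header.d=example.org"

if __name__ == "__main__":
    for label, hdr, ar in (("spoofed", SPOOFED_FROM, SPOOFED_AUTH),
                           ("honest", HONEST_FROM, HONEST_AUTH)):
        print(label, audit_from(hdr, ar))
```

Run it and the spoofed sample comes back `dmarc_aligned: True` and `suspicious: True` at the same time, which is the whole story: SPF, DKIM and DMARC did their job for mailsploit.com, and the decoded text is still not something a client should ever render as the sender. The same `audit_from` logic can sit in a milter or content filter that tags or rejects the message, without rewriting headers, which keeps hanov3r's objection to server-side sanitizing intact.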



