Bugtraq mailing list archives

Re: Is predictable spam filtering a vulnerability?

From: PSE-L () mail professional org (Sean Straw / PSE)
Date: Fri, 18 Jun 2004 11:52:01 -0700

At 19:27 2004-06-17 +0200, Joel Eriksson wrote:

On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
[snip]
> For example: attacker 'A' sends 'B' a social engineering request
> for "the secret plans" and says "if you are unsure, forward my
> request to your boss and ask if this is okay". 'B' forwards the
> email to his boss 'C' and asks "Is this okay?". However, 'C':s
> spam filter silently drops the email. 'A' forges a reply from
> 'C' saying: "Sure, no problem, go ahead."

Many will probably discard the above as farfetched or ignore it
since it's not a "real" vulnerability that gives remote root to
the attacker, I think it's beautiful though. :)

A far more plausible vulnerability would be for the attacker, if they hadexploited the mail and/or DNS hosts used by user B to intercept or redirectmail. This would significantly increase the workability of furthersocially engineered exploits.

FTR, the proposed failing wouldn't be possible if such decisions weredigitally signed (PGP/GNUPG, etc) - the "forged" email would fail to beverified.

The success of the supposed mail vulnerability relies upon the gullibilityof user B, not upon an automated system. There are other factors toconsider in there as well, such as SPF filtering at the mailhost of user B(which could reject the forged mail because the originating mailserverisn't correct for the sending address), or of user B sending a response tothe forged authorization, and THAT message going unresponded to, or atleast of user A (attacker) not RECEIVING that message to know to respond toit. For that matter, it relies upon the message from user B to user C notincluding other details which user A would fail to address when sending theforged reply, and that user B doesn't simply pick up the phone and calluser C, which renders the whole matter moot.


---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

 Sean B. Straw / Professional Software Engineering
 Post Box 2395 / San Rafael, CA  94912-2395

Current thread:

Is predictable spam filtering a vulnerability? R Armiento (Jun 16)
- Re: Is predictable spam filtering a vulnerability? Joel Eriksson (Jun 18)
  - Re: Is predictable spam filtering a vulnerability? Jason Coombs (Jun 19)
  - Re: Is predictable spam filtering a vulnerability? Bill Burge (Jun 19)
  - Re: Is predictable spam filtering a vulnerability? Sean Straw / PSE (Jun 19)
- RE: Is predictable spam filtering a vulnerability? Aaron Cake (Jun 18)
  - Re: Is predictable spam filtering a vulnerability? Chris Brown (Jun 21)
- RE: Is predictable spam filtering a vulnerability? Hamlesh Motah (Jun 18)
- Re: Is predictable spam filtering a vulnerability? David F. Skoll (Jun 18)
  - Re: Is predictable spam filtering a vulnerability? Jon Fiedler (Jun 19)
    - Re: Is predictable spam filtering a vulnerability? David F. Skoll (Jun 19)
  - Re: Is predictable spam filtering a vulnerability? Kyle Wheeler (Jun 21)
  - Re: Is predictable spam filtering a vulnerability? (silently dropping messages) Martin Mačok (Jun 22)
    - Re: Is predictable spam filtering a vulnerability? (silently dropping messages) David F. Skoll (Jun 23)
    - Re: Is predictable spam filtering a vulnerability? (silently dropping messages) der Mouse (Jun 24)

(Thread continues...)