Full Disclosure mailing list archives
gmail pipe character inconsistencies and fun
From: "com|com pipecharacter" <pipecharacter () gmail com>
Date: Sun, 4 Oct 2009 10:53:08 -0400
Gmail will not let you send email to an email address with a | in it. It just goes directly to /dev/null. For good reason - it doesn't belong in an email address. It will not let you create an email address that uses it, and if you use google apps, you can't create a "group" or mailing list with it in it. For some reason google's smtp servers are more than willing to accept an email from (or to) an email address with the pipe character in it. So if you start sending someone annoying emails to someone from an email address like "com|buggingyou () example com", they might try to send your emails straight to the trash. So they click on the downward arrow in the top right, click on "filter messages like this", see "com|buggingyou () example com" in the "From:" field, click on "Next Step >>", delete it, and create filter. Now a huge chunk of their email will go into the trash. If they clicked "Also apply this filter to ...", they even delete a huge chunk of the email they already had. If course there is a search in the last step, but if you have it filled up with your junk email they might never even notice what they are doing. Is this a huge security flaw? Of course not. It still shouldn't exist. The truth is it doesn't concern me at all. What really bothers me is what I said above, that you can also send TO an email address with a pipe character in it. I use a catchall on my google apps domain, and I control spam by taking all of the fake email addresses spammers have generated and create an empty mailing list with those names. Now their spam gets rejected by the smtp servers, and they know they aren't getting anywhere. My spam box tends to stay empty. That is, until a spammer started sending email to an email address with | in it. I can't do anything to stop them. Google is impossible to talk to, so I had to create a fake vulnerability to get people outside google interested in it. The original "vulnerability" I talked about does exist, and I'm sure people could have some fun with it. Which reminds me, here is another "vulnerability". If you want to spam someone with a google apps domain and a catchall, they can't block you if you send email to an email address with a | in it!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- gmail pipe character inconsistencies and fun com|com pipecharacter (Oct 04)