nanog mailing list archives

Re: New hijacking - Done via via good old-fashioned Identity Theft


From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Fri, 8 Oct 2010 03:55:13 -0500 (CDT)

Date: Fri, 08 Oct 2010 15:38:12 +1100
From: Ben McGinnes <ben () adversary org>
To: Leen Besselink <leen () consolejunkie net>
Subject: Re: New hijacking - Done via via good old-fashioned Identity Theft
Cc: nanog () nanog org

On 8/10/10 10:00 AM, Leen Besselink wrote:

> key@domain.tld for when you have a personal domain
> key-user@domain.tld for when you have a server which understands address
> extensions

Actually I think it's user+key@domain.tld for the second one.  At least
that's what I've seen for Postfix.  Not so sure about other MTAs.


Sendmail 'invented' the 'plussed' extension to an address.
Other MTAs mimic Sendmail's behavior.
The '+key' is ignored for purposes of selecting the delivery mailbox:
username+anything gets handed to the LDA for final delivery to mailbox
'username', _with_ the 'plus part' (i.e. 'anything', from above) available
as an extra parameter.

To selectively accept/discard on the plussed portion of the address,
you either do it in the LDA (procmail, for example, makes this really
easy), or you have to run a 'milter' that knows which plussed parts
are valid for which users.

For a mailserver that does -not- understand 'plussed' addresses, you
can usually fake it out by putting the key as an extra element of the
host-name, e.g. user@key.some.domain.tld.  AFAIK every MTA accepts
mail for a more-specific name than a name it has been explicitly told
to accept mail for (either for local delivery, or for forwarding).
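
The two addressing schemes discussed in this message (a '+key' extension after the username, and the key folded into the host-name for MTAs that do not understand plussed addresses) both reduce to the same decision: split the key off the address, deliver to the bare mailbox, and accept or discard based on whether that key is one the user actually handed out. The following is an added example written for this archive page, not code from the thread or from Sendmail, Postfix or procmail; it models the acceptance check an LDA or milter would perform. The domain example.org, the per-user key table and the sample addresses are constructed for the example.

```python
"""Model of per-user 'plussed' / subdomain key acceptance for an MTA or LDA.

Assumptions (constructed for this example):
  - BASE_DOMAIN is the domain the server accepts mail for.
  - VALID_KEYS is the table a milter or LDA would keep of which keys each
    user has given out. A key not in the table is discarded.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BASE_DOMAIN = "example.org"
VALID_KEYS = {
    "alice": {"bank", "nanog"},   # constructed: keys alice has handed out
    "bob": {"shop"},
}
RECIPIENT_DELIMITER = "+"         # Sendmail/Postfix-style extension delimiter


@dataclass
class Delivery:
    mailbox: str            # mailbox selected ignoring the key
    key: Optional[str]      # the 'plus part' (or subdomain key), if any
    accept: bool
    reason: str


def split_address(addr: str) -> Tuple[str, Optional[str], str]:
    """Return (user, key, domain) for either addressing scheme.

    user+key@domain      -> ("user", "key", "domain")
    user@key.BASE_DOMAIN -> ("user", "key", BASE_DOMAIN)   (subdomain trick)
    user@domain          -> ("user", None, "domain")
    """
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    local, domain = local.lower(), domain.lower()

    # Plussed form: everything after the first delimiter is the extension;
    # the part before it selects the mailbox.
    if RECIPIENT_DELIMITER in local:
        user, key = local.split(RECIPIENT_DELIMITER, 1)
        return user, key, domain

    # Subdomain form: a more-specific name under BASE_DOMAIN carries the key.
    suffix = "." + BASE_DOMAIN
    if domain != BASE_DOMAIN and domain.endswith(suffix):
        return local, domain[: -len(suffix)], BASE_DOMAIN

    return local, None, domain


def route(addr: str) -> Delivery:
    """Decide delivery for one recipient address.

    The key never changes which mailbox is chosen; it only drives the
    accept/discard decision, as the LDA or milter described above would do.
    """
    user, key, domain = split_address(addr)
    if domain != BASE_DOMAIN:
        return Delivery(user, key, False, "not a domain we accept mail for")
    if user not in VALID_KEYS:
        return Delivery(user, key, False, "no such mailbox")
    if key is None:
        return Delivery(user, None, True, "bare address, no key")
    if key in VALID_KEYS[user]:
        return Delivery(user, key, True, "known key")
    return Delivery(user, key, False, "unknown key for this user")


if __name__ == "__main__":
    for a in ("alice+bank@example.org", "alice+phish@example.org",
              "Alice@nanog.example.org", "bob@example.org",
              "carol+x@example.org", "alice+bank@other.example"):
        d = route(a)
        print(f"{a:32} -> {d.mailbox!r} key={d.key!r} "
              f"{'ACCEPT' if d.accept else 'DISCARD'} ({d.reason})")
```

Both forms land in the same mailbox regardless of the key, which is exactly why the check has to happen in the LDA or a milter rather than in mailbox selection: the MTA's routing deliberately ignores the key, so something with access to the per-user key table must make the accept/discard decision.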
