Email Analysis Toolkit (EAST)
Artifacts for the USENIX paper "Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context" (Pre-Print) by Damian Poddebniak¹, Fabian Ising¹, Hanno Böck², and Sebastian Schinzel¹. The Fake Mail Server and the Command Injection Tester were peer-reviewed in the USENIX'21 Call for Artifacts.
¹ Münster University of Applied Sciences, ² Independent Researcher
More information about our STARTTLS research can be found here: https://nostarttls.secvuln.info/
Where is the Code?
This repository is a landing page. Head over to the "Email Analysis Toolkit" organization to find the EAST tooling:
- Fake Mail Server: a configurable SMTP, POP3, and IMAP testing server.
- Command Injection Tester: a simple Python tool to test SMTP, POP3, and IMAP servers for the command injection vulnerability in STARTTLS.
- Command Injection Scanner: zgrab2 modules to perform an IPv4-Internet scan for the command injection in STARTTLS.
Virtual Machine for Client Testing
In addition to the provided code, we provided a Ubuntu-based VirtualBox VM as a GitHub release to ease client testing. This Virtual Machine contains a nested QEMU Virtual Machine with the Thunderbird Version tested in the paper. For further information, see the GitHub releases.