Sender Spoofing #1007

Closed
stefaweb opened this issue Dec 7, 2017 · 12 comments

Comments

@stefaweb
Contributor

stefaweb commented Dec 7, 2017

Hi folks!

Important information for mail users.

https://www.mailsploit.com/index

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

Bugs were found in over 30 applications, including prominent ones like Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.

In addition to the spoofing vulnerability, some of the tested applications also proved to be vulnerable to XSS and code injection attacks.

@Skywalker-11
Member

I just noticed that Outlook is also affected if someone uses multiple mailbox addresses in the From: header, e.g. Some Name <some-address@known-good.example.com> <some-other-address@bad-domain.example.com> or Some Name <some-address@known-good.example.com> Some Bad name <some-other-address@bad-domain.example.com>
In that case Outlook only shows Some Name <some-address@known-good.example.com> as the sender and omits the <some-other-address@bad-domain.example.com>.
So users may see a sender that seems to be from their internal/trusted organisation, but in reality the sender is from bad-domain.example.com.

Also, this is not detected/flagged by SpamAssassin and is actively exploited in a current large virus campaign.

Does someone have an idea on how to prevent that?

@spec1re

spec1re commented Nov 14, 2018

@Skywalker-11 update SpamAssassin to version 3.4.2; it now has a new plugin:

Mail::SpamAssassin::Plugin::FromNameSpoof

https://lists.gt.net/spamassassin/announce/211404

But the currently running malware campaign doesn't get detected by it; you need an additional custom SA rule like:

From =~ /^.*<.*@.*>.*<.*@.*>/

I know it's a bit harsh, but no FP so far.


So the new SA plugin and a few custom SA rules should catch almost all of it.

@stefaweb
Contributor Author

For Debian Stretch, they uploaded SpamAssassin 3.4.2 this night.

@Skywalker-11
Member

From =~ /^.*<.*@.*>.*<.*@.*>/

That is so much simpler than From =~/^(?:(?:(?!<)(?:.))*<(?:(?!>)(?:.))*>){2,}$/ 🤣

@thctlo
Contributor

thctlo commented Nov 20, 2018

Hi, about that "From =~ …" line, where do you place that, if I may ask?
I've just updated my Stretch server a few days ago to SA 3.4.2 and updated MailScanner and MailWatch.
It's running great :-) very happy with it.

I also suggest getting the updated version of FromNameSpoof:

# Quote the URL so the shell does not treat '&' as a background operator,
# and let wget name the output file directly (so no rename step is needed).
wget -O FromNameSpoof.pm 'https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/FromNameSpoof.pm?revision=1842029&view=co&pathrev=1842029'
# Install the updated plugin over the packaged one.
cp FromNameSpoof.pm /usr/share/perl5/Mail/SpamAssassin/Plugin/FromNameSpoof.pm

then add:

echo "header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score FROMNAME_SPOOF_EQUALS_TO 1.2"  >> /etc/spamassassin/FromNameSpoof.cf

And now it should do its work.
( or wait until the next SA update for above. )

@Skywalker-11
Member

I put it in /etc/MailScanner/spamassasin.conf (symlink from /etc/spamassassin/MailScanner.cf)

header MULTI_FROM_ADDRESS From =~ /^.*<.*@.*>.*<.*@.*>/i
score MULTI_FROM_ADDRESS 5.0
describe MULTI_FROM_ADDRESS Multiple senders in From: header

@spec1re

spec1re commented Nov 21, 2018

Here is a new variant with a base64-encoded From:

From: =?UTF-8?B?QsO8cm8gc2NyaXB0cyBmb3Igc2FsZSA8dGVhbWhoQHNjcmlwdHNmb3JzYWxlLmRlPg==?= <spyridon@fiore.it>

=

From: Büro scripts for sale <teamhh@scriptsforsale.de> <spyridon@fiore.it>

But the regex is still matching. ;)
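To show why the rule still fires on the encoded-word variant, here is an added Python check (not from this thread, SpamAssassin or MailScanner) that first decodes RFC 2047 encoded-words, as SpamAssassin's `header` rules do by default, then applies the MULTI_FROM_ADDRESS regex from above and lists the angle-bracket addresses it found; the sample headers are constructed from the examples quoted in this thread.

```python
import re
from email.header import decode_header

# Constructed sample From: headers, based on the patterns quoted in this thread.
SAMPLES = {
    "plain": "Some Name <some-address@known-good.example.com>",
    "double": ("Some Name <some-address@known-good.example.com> "
               "<some-other-address@bad-domain.example.com>"),
    "named": ("Some Name <some-address@known-good.example.com> "
              "Some Bad name <some-other-address@bad-domain.example.com>"),
    "encoded": ("=?UTF-8?B?QsO8cm8gc2NyaXB0cyBmb3Igc2FsZSA8dGVhbWhoQHNjcmlwdHNmb3JzYWxlLmRlPg==?="
                " <spyridon@fiore.it>"),
}

# The custom rule from the thread (header MULTI_FROM_ADDRESS):
# two or more <...@...> groups anywhere in the From: header.
MULTI_FROM = re.compile(r"^.*<.*@.*>.*<.*@.*>", re.IGNORECASE)

# One mailbox in angle brackets; used only to list what the rule saw.
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def decode_from(raw):
    """Decode RFC 2047 encoded-words (=?charset?B/Q?...?=) into plain text.
    A display name hidden in an encoded-word only reveals its embedded
    <address> after this step, which is why the rule must run on decoded text."""
    parts = []
    for value, charset in decode_header(raw):
        if isinstance(value, bytes):
            value = value.decode(charset or "ascii", errors="replace")
        parts.append(value)
    return "".join(parts)


def check_multi_from(raw):
    """Return the decoded header, the angle-bracket addresses in it, and
    whether MULTI_FROM_ADDRESS would fire on the decoded form."""
    decoded = decode_from(raw)
    return {
        "decoded": decoded,
        "addresses": ANGLE_ADDR.findall(decoded),
        "flagged": bool(MULTI_FROM.search(decoded)),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = check_multi_from(raw)
        print(f"{name:8} flagged={r['flagged']!s:5} addresses={r['addresses']}")
```

Note that the raw (undecoded) encoded-word header contains only one `<...>` group, so a rule written with the `:raw` header modifier would miss this variant.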

@hossmann234

Hi,

I just tried to update SpamAssassin for eFa-Project by using yum install spamassassin, and eFa told me that the newest version is installed (3.4.1). Is there a way to use

header MULTI_FROM_ADDRESS From =~ /^.*<.*@.*>.*<.*@.*>/i
score MULTI_FROM_ADDRESS 5.0
describe MULTI_FROM_ADDRESS Multiple senders in From: header

with efa-project?

@shawniverson
Member

@hossmann234 eFa v4 is almost ready; otherwise you would need to compile 3.4.2 yourself on CentOS 6.

@hossmann234

hossmann234 commented Dec 12, 2018

Hi,

thanks shawniverson. On the eFa homepage it told me eFa4 is coming soon; does anybody know when? It feels like it has been almost ready for a year.
Do you have a link on how I would compile this? I'm more of a Windows guy...

@shawniverson
Member

@hossmann234 You can take a look here, but as far as doing it in a way that doesn't break something, I cannot speak to that.

https://svn.apache.org/repos/asf/spamassassin/branches/3.4/INSTALL

@stale

stale bot commented Dec 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Dec 11, 2019
@stale stale bot closed this as completed Dec 18, 2019