Rule to detect mailsploit


Rule to detect mailsploit

Frido Otten
Hi all,

Yesterday I saw this message that a bug in mailclients allow sender
spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
about it. More information about it here: https://www.mailsploit.com/index

I was thinking that there might be a possibility to detect this in
spamassassin to protect our users against this. Something with the
newline character or null byte in the FROM header, but I'm not that
handy with it. Someone of you maybe already created a rule?

--
Frido



Re: Rule to detect mailsploit

Kevin A. McGrail-5
On 12/6/2017 4:27 AM, Frido Otten wrote:
> Yesterday I saw this message that a bug in mailclients allow sender
> spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
> about it. More information about it here: https://www.mailsploit.com/index
>
> I was thinking that there might be a possibility to detect this in
> spamassassin to protect our users against this. Something with the
> newline character or null byte in the FROM header, but I'm not that
> handy with it. Someone of you maybe already created a rule?
My understanding of it was from Jan-Pieter Cornet's post on the
MIMEDefang list.  In short, it involves RFC2047 MIME encoding of headers
with control characters.  The demo shows issues with Nul but that's not
the only control character.

Something like this:

header    __KAM_MAILSPLOIT1   From =~ /[\0]/
describe    __KAM_MAILSPLOIT1    RFC2047 Exploit https://www.mailsploit.com/index

And a paired rule for \n looking for maxhits.  Beyond that, what's a
good control character regex?
https://www.regular-expressions.info/nonprint.html tells me that it's
complicated so for now, we know null is a real world issue that causes
user visual issues.

Give me a few, I'm looking at this more.

Can anyone take a look if there are other mailsploit issues that should
have rules?  I think it has good merit.

I can't seem to get their system to send me payloads.  I'm Bcc'ing Sabri
Haddouche for his input.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project


Re: Rule to detect mailsploit

Kevin A. McGrail-5
I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
  #NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

  #\n Multiple in the From Header
header   __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2    multiple maxhits=2

meta            KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe        KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
score           KAM_MAILSPLOIT  10.0

Regards,
KAM

Re: Rule to detect mailsploit

Ian-63
On 06/12/2017 11:29, Kevin A. McGrail wrote:
> I've added these rules to KAM.cf and would appreciate feedback.
>
<snip>

Hi,

All 14 variations from the MailSploit website apart from #5 triggered
the rule.  This is expected as the From: in #5 is simply:

        From: "[hidden email]" <[hidden email]>

I.e. there doesn't seem to be an exploit in it ;)

Regards

Ian
--


Re: Rule to detect mailsploit

Kevin A. McGrail-2
On 12/6/2017 8:06 AM, Ian wrote:
> All 14 variations from the MailSploit website apart from #5 triggered
> the rule.  This is expected as the From: in #5 is simply:
>
>     From: "[hidden email]" <[hidden email]>
>
> I.e. there doesn't seem to be an exploit in it ;)
Thanks Ian.  I appreciate the testing.

He's apparently over his AWS sending limit so I had to craft my test
emails from the exploit info.  Good to know I did it correctly.

With a 10.0 rule, I'll consider the issue closed and that the SA rule
will hammer the emails. So it should really be a non-issue if you use
KAM.cf.

Re: #5.  There is an exploit in that From: Where an Email Address is
used in the Name Field.  There's been a lot of discussion about that
type of email on list that it likely wouldn't apply to this group of rules.

Regards,
KAM

Re: Rule to detect mailsploit

Benny Pedersen-2
Kevin A. McGrail skrev den 2017-12-06 14:24:

> Re: #5.  There is an exploit in that From: Where an Email Address is
> used in the Name Field.  There's been a lot of discussion about that
> type of email on list that it likely wouldn't apply to this group of
> rules.

http://www.postfix.org/postconf.5.html#message_strip_characters

needed or not needed :=)

Re: Rule to detect mailsploit

Dianne Skoll
On Wed, 06 Dec 2017 14:37:28 +0100
Benny Pedersen <[hidden email]> wrote:

> http://www.postfix.org/postconf.5.html#message_strip_characters

That won't work because the doc says:

    Note 1: this feature does not recognize text that requires MIME
    decoding. It inspects raw message content, just like header_checks and
    body_checks.

and the exploit uses MIME-encoding to hide the NULs.

Regards,

Dianne.

Re: Rule to detect mailsploit

RW-15
In reply to this post by Kevin A. McGrail-5
On Wed, 6 Dec 2017 06:29:01 -0500
Kevin A. McGrail wrote:

> I've added these rules to KAM.cf and would appreciate feedback.
>
> #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the
> idea #NUL
> header   __KAM_MAILSPLOIT1   From =~ /[\0]/
> describe __KAM_MAILSPLOIT1   RFC2047 Exploit

Note that this may be a bit dangerous without "normalize_charset 1"
which causes text to be transcoded to UTF-8. In UTF-16 in particular
all ASCII characters encode with a zero byte. Even with normalization
there may be some headers that don't transcode properly.  

I've never seen a from header encoded in UTF-16, but then I don't get
much mail in Asian languages.


Re: Rule to detect mailsploit

John Hardin
In reply to this post by Kevin A. McGrail-5
On Wed, 6 Dec 2017, Kevin A. McGrail wrote:

> On 12/6/2017 4:27 AM, Frido Otten wrote:
>>  Yesterday I saw this message that a bug in mailclients allow sender
>>  spoofing which bypasses SPF/DKIM/DMARC mechanisms. Maybe you've read
>>  about it. More information about it here: https://www.mailsploit.com/index
>>
>>  I was thinking that there might be a possibility to detect this in
>>  spamassassin to protect our users against this. Something with the
>>  newline character or null byte in the FROM header, but I'm not that
>>  handy with it. Someone of you maybe already created a rule?
>
> My understanding of it was from Jan-Pieter Cornet's post on the MIMEDefang
> list.  In short, it involves RFC2047 MIME encoding of headers with control
> characters.  The demo shows issues with Nul but that's not the only control
> character.
>
> Something like this:
>
> header    __KAM_MAILSPLOIT1   From =~ /[\0]/
> describe    __KAM_MAILSPLOIT1    RFC2047 Exploit
> https://www.mailsploit.com/index
>
> And a paired rule for \n looking for maxhits.  Beyond that, what's a good
> control character regex?
From memory (sorry, in a meeting):  [\x00-\x19]


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Tomorrow: The 76th anniversary of Pearl Harbor

Re: Rule to detect mailsploit

Antony Stone
On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote:

> On Wed, 6 Dec 2017, Kevin A. McGrail wrote:
> >
> > Something like this:
> >
> > header    __KAM_MAILSPLOIT1   From =~ /[\0]/
> > describe    __KAM_MAILSPLOIT1    RFC2047 Exploit
> > https://www.mailsploit.com/index
> >
> > And a paired rule for \n looking for maxhits.  Beyond that, what's a
> > good control character regex?
>
> From memory (sorry, in a meeting):  [\x00-\x19]

Why not up to 0x1F?


Antony.

--
Don't procrastinate - put it off until tomorrow.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Rule to detect mailsploit

John Hardin
On Wed, 6 Dec 2017, Antony Stone wrote:

> On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote:
>
>> On Wed, 6 Dec 2017, Kevin A. McGrail wrote:
>>>
>>> Something like this:
>>>
>>> header    __KAM_MAILSPLOIT1   From =~ /[\0]/
>>> describe    __KAM_MAILSPLOIT1    RFC2047 Exploit
>>> https://www.mailsploit.com/index
>>>
>>> And a paired rule for \n looking for maxhits.  Beyond that, what's a
>>> good control character regex?
>>
> From memory (sorry, in a meeting):  [\x00-\x19]
>
> Why not up to 0x1F?

...because I was distracted by the meeting? :)

[\x00-\x1f]

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Tomorrow: The 76th anniversary of Pearl Harbor

Re: Rule to detect mailsploit

Micah Anderson-2
In reply to this post by RW-15
RW <[hidden email]> writes:

> On Wed, 6 Dec 2017 06:29:01 -0500
> Kevin A. McGrail wrote:
>
>> I've added these rules to KAM.cf and would appreciate feedback.
>>
>> #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the
>> idea #NUL
>> header   __KAM_MAILSPLOIT1   From =~ /[\0]/
>> describe __KAM_MAILSPLOIT1   RFC2047 Exploit
>
> Note that this may be a bit dangerous without "normalize_charset 1"
> which causes text to be transcoded to UTF-8. In UTF-16 in particular
> all ASCII characters encode with a zero byte. Even with normalization
> there may be some headers that don't transcode properly.  
>
> I've never seen a from header encoded in UTF-16, but then I don't get
> much mail in Asian languages.

Do most people have 'normalize_charset 1' set? I noticed I do not have
it set, and I'm wondering if I should turn it on, and if I do, how it
will affect things.

micah

ps. also there is this: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7022

Re: Rule to detect mailsploit

Kevin A. McGrail-2
In reply to this post by RW-15
On 12/6/2017 10:00 AM, RW wrote:

> On Wed, 6 Dec 2017 06:29:01 -0500
> Kevin A. McGrail wrote:
>
>> I've added these rules to KAM.cf and would appreciate feedback.
>>
>> #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the
>> idea #NUL
>> header   __KAM_MAILSPLOIT1   From =~ /[\0]/
>> describe __KAM_MAILSPLOIT1   RFC2047 Exploit
> Note that this may be a bit dangerous without "normalize_charset 1"
> which causes text to be transcoded to UTF-8. In UTF-16 in particular
> all ASCII characters encode with a zero byte. Even with normalization
> there may be some headers that don't transcode properly.
>
> I've never seen a from header encoded in UTF-16, but then I don't get
> much mail in Asian languages.
Agreed. Same here. I believe it adds some overhead and a perl module
requirement but likely a good point to document for now.

Anyone running with normalize_charset to weigh in on pros and cons?

Also, about the newline / control chars regex, I want to skip newline
because we expect one of those.

So [\x00-\x09\x0b-\x1f], yes?

Regards,
KAM
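Added example (not from the thread, KAM.cf or SpamAssassin itself): a Python check that mirrors the control-character match of the KAM rules over an RFC 2047-decoded From header, using the [\x00-\x09\x0b-\x1f] class from Kevin's last message, and reproduces RW's caveat that without normalize_charset a perfectly legitimate UTF-16 encoded-word trips the rule while its transcoded form does not. The sample headers and the example.invalid addresses are constructed for this illustration.

```python
import re
from email.header import decode_header

# Control-character class agreed at the end of the thread: NUL..US except
# LF (0x0a), which a folded From header legitimately contains once decoded.
CONTROL_RE = re.compile(rb"[\x00-\x09\x0b-\x1f]")


def decoded_chunks(raw_from: str):
    """RFC 2047-decode each encoded-word of a From header.

    Chunks come back as bytes in their *declared* charset, i.e. base64/Q
    decoded but not yet transcoded, which is what a rule sees without
    `normalize_charset 1`.
    """
    out = []
    for chunk, charset in decode_header(raw_from):
        if isinstance(chunk, str):  # header carried no encoded-words at all
            chunk = chunk.encode("utf-8", "surrogateescape")
        out.append((chunk, charset))
    return out


def has_control_chars(raw_from: str, normalize_charset: bool) -> bool:
    """Approximates `From =~ /[\\x00-\\x09\\x0b-\\x1f]/` with and without
    `normalize_charset 1` (transcode every chunk to UTF-8 before matching)."""
    for chunk, charset in decoded_chunks(raw_from):
        if normalize_charset:
            try:
                chunk = chunk.decode(charset or "ascii", "replace").encode("utf-8")
            except LookupError:  # unknown charset label: cannot transcode, keep raw
                pass
        if CONTROL_RE.search(chunk):
            return True
    return False


# Constructed samples (not taken from the thread or mailsploit.com):
NUL_IN_ENCODED_WORD = "=?utf-8?Q?Display=00Name?= <sender@example.invalid>"
UTF16_NAME = "=?utf-16be?B?AEkAYQBu?= <ian@example.invalid>"  # display name is just "Ian"
PLAIN = '"Ian" <ian@example.invalid>'

if __name__ == "__main__":
    for label, hdr in [("NUL", NUL_IN_ENCODED_WORD), ("UTF-16", UTF16_NAME), ("plain", PLAIN)]:
        print(f"{label:7} raw={has_control_chars(hdr, False)!s:5} "
              f"normalized={has_control_chars(hdr, True)}")
```

The UTF-16 line is the false positive RW describes: every ASCII letter carries a zero byte before transcoding, so only the normalized check separates it from a real NUL payload.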