Hi!

At 05/11/17 16:09, Andreas Metzler wrote:

> > After this change, it's no longer possible for an attacker to use this technique to
> > extract information. All their attempts would result in "relay not permitted"
> > regardless of sender address.
> [...]
>
> I do not see the attacker's gain; the same information can be extracted by
> trying out RCPT TO *@omega-software.com with FROM attac...@gmail.com.

Indeed :-)

We even had one of those, this morning:

2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attac...@example.com> rejected RCPT <te...@omega-software.com>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attac...@example.com> rejected RCPT <te...@omega-software.com>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attac...@example.com> rejected RCPT <te...@omega-software.com>: Unrouteable address
....
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attac...@example.com> rejected RCPT <validaddr...@omega-software.com>: SPF check failed.

> What am I missing?

This one can be solved too (mostly). Usually they fail some of the other
checks; in this case SPF, but it could be reverse DNS, DNSBL or other. Same
problem: they can tell the difference because they get a different message.

So we mitigated this case by moving the recipient check too: not just after the
relay check, but after all the other checks that could potentially reject the attempt.

Here's the patch for that. If you want I can send a separate report (that was 
my initial intent).

--
Paul Graham
Development Dept.
http://Omega-Software.com/

Omega Software
--- 30_exim4-config_check_rcpt_sender	2017-11-05 15:06:25.839001108 +0100
+++ exim4-4.86.2-patched/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2017-11-05 15:07:54.158520031 +0100
@@ -189,12 +189,6 @@
     !verify = sender
   .endif
 
-  # We also require all accepted addresses to be verifiable. This check will
-  # do local part verification for local domains, but only check the domain
-  # for remote domains.
-  require
-    verify = recipient
-
 
   # Verify recipients listed in local_rcpt_callout with a callout.
   # This is especially handy for forwarding MX hosts (secondary MX or
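Review bot: the file header pairs `--- 30_exim4-config_check_rcpt_sender` with `+++ exim4-4.86.2-patched/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt`, so the two sides have different file names and different directory depths and the patch will not apply with a single `-p` level; please regenerate it as `diff -u` between two copies of the same tree. Inside the hunk, removing the `require` block leaves two consecutive blank lines where it stood; drop one of them. The more important consequence is that everything between this point and the new location now runs against a recipient that has not been verified: the `local_rcpt_callout` callout immediately below and whatever `CHECK_RCPT_LOCAL_ACL_FILE` includes could previously assume `verify = recipient` had already passed, so check that nothing in the local ACL file relies on that.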
@@ -340,6 +334,16 @@
   .include CHECK_RCPT_LOCAL_ACL_FILE
   .endif
 
+  # Recipient check leaks information about which local accounts exist.
+  # This could be exploited in a brute-force scan to find valid addresses (usually
+  # for spam purposes). Performing this check last gives the other checks a chance
+  # to deny the request before they succeed at extracting this information.
+
+  # We also require all accepted addresses to be verifiable. This check will
+  # do local part verification for local domains, but only check the domain
+  # for remote domains.
+  require
+    verify = recipient
 
   #############################################################################
   # This check is commented out because it is recognized that not every
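Review bot: the new comment overstates what the reordering achieves. It only hides the result of `verify = recipient` when some earlier check rejects first; a client that passes SPF, reverse DNS and the DNSBL lookups still gets `Unrouteable address` for a bogus local part and a different reply for a real one, so the enumeration oracle is narrowed, not closed. The comment should say that ("reduces the leak to clients that pass the other checks" rather than "gives the other checks a chance ... before they succeed"), and a `ratelimit` condition on rejected RCPT commands is the complementary control that actually bounds a brute-force scan; worth mentioning next to this block even if it is left to the local ACL file. Two smaller points: "Performing this check last" is not quite accurate, since the commented-out check that follows is still after it, and with verification moved here every probe for a nonexistent local part now goes through the DNS-based checks and the callout before it is refused, which is extra work per scan line like the ones quoted in the mail; measure that on a host that sees such scans.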

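A toy model of the RCPT ACL ordering discussed above, added here as an example; it is not code from this thread or from the exim4 package. It evaluates a fixed list of checks in the original order (recipient verified early) and in the patched order (recipient verified after the other rejecting checks), and runs an attacker's oracle against both: probe a local part that certainly does not exist, then flag every candidate whose reply differs from that baseline. The domain is the one from the thread; the mailbox list, relay hosts, check implementations and the exact check order are assumptions, and the two client profiles are constructed.

```python
from dataclasses import dataclass

LOCAL_DOMAIN = "omega-software.com"
LOCAL_USERS = {"paul", "postmaster"}   # assumed mailboxes (constructed)
RELAY_HOSTS = {"10.0.0.5"}             # assumed hosts allowed to relay


@dataclass(frozen=True)
class Session:
    """What the server knows about the client before RCPT TO is evaluated."""
    host: str
    sender: str
    spf_pass: bool
    rdns_ok: bool
    dnsbl_listed: bool


def _domain(rcpt: str) -> str:
    return rcpt.rsplit("@", 1)[1].lower()


# Each check returns an SMTP reply string to reject, or None to fall through.
def check_relay(s: Session, rcpt: str):
    if _domain(rcpt) != LOCAL_DOMAIN and s.host not in RELAY_HOSTS:
        return "550 relay not permitted"
    return None


def check_spf(s: Session, rcpt: str):
    return None if s.spf_pass else "550 SPF check failed"


def check_rdns(s: Session, rcpt: str):
    return None if s.rdns_ok else "550 no reverse DNS"


def check_dnsbl(s: Session, rcpt: str):
    return "550 listed in DNSBL" if s.dnsbl_listed else None


def check_recipient(s: Session, rcpt: str):
    """Models 'require verify = recipient': local parts of the local domain must route."""
    local, domain = rcpt.rsplit("@", 1)
    if domain.lower() == LOCAL_DOMAIN and local.lower() not in LOCAL_USERS:
        return "550 Unrouteable address"
    return None


# Assumed simplification of the Debian ACL: recipient verification early (original)
# versus after every other check that can reject (patched).
ORIGINAL_ORDER = [check_relay, check_recipient, check_spf, check_rdns, check_dnsbl]
PATCHED_ORDER = [check_relay, check_spf, check_rdns, check_dnsbl, check_recipient]


def rcpt_acl(order, session: Session, rcpt: str) -> str:
    """Run the checks in order; the first rejection wins, otherwise accept."""
    for check in order:
        reply = check(session, rcpt)
        if reply is not None:
            return reply
    return "250 Accepted"


def enumerate_mailboxes(order, session: Session, candidates) -> set:
    """Attacker's oracle: any candidate whose reply differs from the reply for a
    known-bogus local part is inferred to exist."""
    baseline = rcpt_acl(order, session, f"zz-no-such-user-91b2@{LOCAL_DOMAIN}")
    return {c for c in candidates
            if rcpt_acl(order, session, f"{c}@{LOCAL_DOMAIN}") != baseline}


# Constructed client profiles: one that fails SPF (as in the log lines in the mail),
# one that passes every other check (a real mailbox on a well-configured domain).
SPF_FAILING = Session("10.20.30.40", "attacker@example.com", False, True, False)
CLEAN = Session("198.51.100.7", "someone@clean.example", True, True, False)
CANDIDATES = ["paul", "postmaster", "test", "sales"]

if __name__ == "__main__":
    for name, order in (("original", ORIGINAL_ORDER), ("patched", PATCHED_ORDER)):
        for label, sess in (("spf-failing", SPF_FAILING), ("clean", CLEAN)):
            found = sorted(enumerate_mailboxes(order, sess, CANDIDATES))
            print(f"{name:8} {label:11} -> {found}")
```

With the original order the SPF-failing client learns which of the candidates exist, because real local parts reach the SPF check and bogus ones are refused as unrouteable. With the patched order that client sees "SPF check failed" for everything and learns nothing, which is the case the patch fixes. The clean client still learns the same set under both orders, which is the "(mostly)" in the reply: the ordering change hides the recipient result behind other rejections but cannot remove it for a client that passes them all.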