I have now had a couple of ppl ask if I was attending this year, and while it is in Toronto which is nice, and I have been saying for the last couple of years we need to get a few people down to one, sometimes scheduling is a pain..

But while investigating the topics on tap, and trying to get some idea of the anticipated attendance numbers this year, I had a little chuckle..
I had forgotten the login for Maawg, so had to do a password reset..

And the email arrived in my spam folder.. so of course I had to look at it more closely.

Seems that they use 'mailgun' for delivery of those notices.

And looking at the message, at first glance I can see how similar it looks to all of the 'phishing' types of emails that pretend to be password resets.

Received: from so254-8.mailgun.net (HELO so254-8.mailgun.net) (198.61.254.8)

Okay, they use a shared service from MailGun.. (I assume this is a shared IP in 
the pool, and the pool has been a sender of spam before)

Return-Path: <[email protected]>

host mailserver.m3aawg.org
mailserver.m3aawg.org mail is handled by 10 mxa.mailgun.org.
mailserver.m3aawg.org mail is handled by 10 mxb.mailgun.org.

host m3aawg.org
m3aawg.org has address 67.192.153.75
m3aawg.org mail is handled by 10 mx.m3aawg.org.cust.b.hostedemail.com

And while it is nice that they at least use a domain name related to m3aawg, 
not really what a person would think of 'whitelisting' ..
And of course, in today's age.. no one should be 'bouncing' messages any more.. 
we should be rejecting during SMTP transactions wherever possible.
And really, if it 'did' "bounce" from say a client or internal mail delivery 
mechanism, it wouldn't go to the EnvelopeFrom, it would go to the apparent from..
(and of course, I think the webmaster would want to know right away if bounces 
are happening anyway, instead of looking for a bounce report)

host -t TXT mailserver.m3aawg.org
mailserver.m3aawg.org descriptive text "v=spf1 include:mailgun.org ~all"

Hmmm... that is pretty wide.. and not even a -all...

So, the thought was.. what stops someone else from sending a similar message 
out of mailgun.

DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailserver.m3aawg.org;
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mailserver.m3aawg.org;
Received: from webm (Unknown [67.192.153.75])

(originated from a server that doesn't have an rDNS/PTR record?)

Aeronet Communications (C01901751) 67.192.153.64/27

(MAAWG, you might like to get a PTR record, especially if this is a dedicated 
server.. )

X-PHP-Originating-Script: 33:SimpleMailInvoker.php (Like we don't see a lot of 
that in compromises)

From: M3AAWG <[email protected]> (Would like to see quotes around the 
friendly name)
Subject: Replacement login information for  at M3AAWG
   (Extra space and bare , in body are because missing first/last names, but 
also a common trend in phishing attacks by script kiddies)

Okay, now .. how easy would it be to forge those password reset pages..

I leave this to your imagination, how a person could register a similar domain 
name to m3aawg.org.
Sign up for a mailgun account, and send messages that are forged to be almost 
identical..

m3aaawg.com/org
w3aawg.com/org

(Those are available)

I see a lot of sessions that look good at MAAWG, some beginner sessions even, 
but it might be an interesting topic to use this as an example of risks..
A targeted phishing attack against this group might look good on a hacker 
resume..

But the point is, "everyone" should occasionally rethink current practices and 
look at the risks.

Would you click on a link that went to:

https://www.m3aaawg.org/user/reset/.... (You get the drift)

And while I like the way that MAAWG uses a 'one time pass' instead of asking 
for credentials, if you have never used it before, you would not be surprised 
if it asked you more questions.

It may be also vulnerable to a man in the middle attack, if the DNS of the 
recipient is somehow compromised.. but that is not unique to this case of 
course..

Personally, I believe the EnvelopeFrom should ALWAYS reflect the sender's domain 
name; it makes white/black listing more effective, and it is easy to test if it is 
accurate/valid.
Hope there are discussions on that topic..

Anyways, still thinking of attending, so would like to hear about others going..

Topics I would be open to chatting with anyone about:

* ISP Recommendations, PTR naming conventions and blocking Port 25 (still, 15 
years later same topic, IoT)
  (So many foreign ISPs haven't yet made a move in this direction, allowing 
for destructive levels of Bot activity)
* EnvelopeFrom Best Practices
* Next Evolution(s) of Email Security (Auth Recommendations)

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
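Added example, not code from the post or from M3AAWG or Mailgun: a small Python triage that runs the checks the post walks through (EnvelopeFrom vs. header From domain, the SPF "all" qualifier, the unquoted friendly name, the hop with no rDNS, the double space left by an unfilled template field) over a constructed copy of the quoted headers. The mailbox local parts are placeholders because the post redacts them, and the SPF record is the one quoted in the post rather than a live DNS lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; local parts are placeholders.
SAMPLE = """\
Return-Path: <bounce-placeholder@mailserver.m3aawg.org>
Received: from so254-8.mailgun.net (HELO so254-8.mailgun.net) (198.61.254.8)
Received: from webm (Unknown [67.192.153.75])
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mailserver.m3aawg.org;
From: M3AAWG <noreply-placeholder@m3aawg.org>
Subject: Replacement login information for  at M3AAWG
"""
# SPF record quoted in the post for the bounce domain (no DNS lookup is performed).
SPF_RECORD = "v=spf1 include:mailgun.org ~all"

def spf_all_qualifier(record):
    """Qualifier on the 'all' term: '-' fail, '~' softfail, '?' neutral, '+' pass; None if absent."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def org_domain(domain):
    # Naive organisational domain (last two labels); enough for the .org/.com names here.
    return ".".join(domain.lower().split(".")[-2:])

def triage(raw, spf_record):
    """Return the set of red-flag codes found in the message headers."""
    msg = message_from_string(raw)
    flags = set()
    envelope_dom = parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1]
    name, addr = parseaddr(msg["From"])
    from_dom = addr.rsplit("@", 1)[-1]
    if envelope_dom.lower() != from_dom.lower():
        flags.add("envelope-from-not-header-from")   # strict alignment fails
    if org_domain(envelope_dom) != org_domain(from_dom):
        flags.add("envelope-from-unrelated-domain")  # relaxed alignment fails (lookalike domain)
    if spf_all_qualifier(spf_record) != "-":
        flags.add("spf-not-hardfail")
    if name and not re.match(r'\s*"', msg["From"]):
        flags.add("unquoted-display-name")
    for hop in msg.get_all("Received", []):
        if re.search(r"\(Unknown \[[\d.]+\]\)", hop):  # receiving MTA found no PTR for the IP
            flags.add("hop-without-rdns")
    if "  " in msg["Subject"]:
        flags.add("subject-double-space")  # unfilled template field, also common in phishing
    return flags
```

Swapping the Return-Path domain for one of the lookalike names listed in the post makes the relaxed-alignment check fire as well, which is the case a mail filter should care about most.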