Re: [ietf-dkim] Mailsploit
> > >> What is "naive" or "incorrect" about the following decoding? > > po...@whitehouse.govpo...@whitehouse.gov@mailsploit.com > > "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" quite literally does decode to > "po...@whitehouse.gov" > encoded-words are simply not permitted inside email addresses. MUA shouldn't attempt to decode this at all. > > Or are you indicating that the naivety is the fact that MUAs may > incorrectly handle the null containing string? Possibly believing that the > MUA will use null termination and incorrectly believe that the From: > address is just "po...@whitehouse.gov"? > > Attempting to decode is the first problem, incorrectly handling null terminators and new lines is the second issue. MUAs simply don't expect new lines and null terminators there. > Although it's not a direct attack on DKIM, if DKIM is implemented properly >> and email address decoding and displaying isn't, users might be fooled. >> > > That is an MUA issue. Perhaps DKIM helps re-enforce an incorrect > assumption based on a bad MUA trait. But I don't see that as a DKIM issue. DKIM works as expected, but as you said it may re-enforce an incorrect assumption that email is from respected source. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[ietf-dkim] Mailsploit
Hi All, I'm not sure if you noticed but it seems many client are affected by 'mailsploit': https://www.mailsploit.com/index Basically the attacker uses special characters inside encoded words to spoof the sender: From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@ mailsploit.com Such header naively decoded incorrectly is: po...@whitehouse.gov*\0*po...@whitehouse.gov@mailsploit.com Although it's not a direct attack on DKIM, if DKIM is implemented properly and email address decoding and displaying isn't, users might be fooled. Of course encoded words are not allowed inside email addresses (address, not names), but is seems many clients try to decode them. What are your thoughts? -- Best regards, Pawel Lesnikowski https://www.limilabs.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] Seeking Clarification of the l= Tag
There are few details I'd like to clarify. Body hash for this message is correctly computed by the sender. Entire signature of this message in fact valid - this is why Port25, Gmail, and Mail.dll validate DKIM signature with 'pass' result. The only problem is the value of l= parameter of DKIM-Signature header (l=2). The value is greater than total number of bytes after body canonicalization (0 bytes). This is easy to spot and all parsers simply ignore incorrect l= value. Hash is computed for entire canonicalized body (of length 0). Now the question is should the validation fail or pass in such case? -- Best regards, Pawel Lesnikowski http://www.limilabs.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html