Good evening, Jason,

On Sat, 18 Sep 2004, Jason J. Ellingson wrote:

> I'm sure someone thought of this, but I don't see it asked before... so...
> =====
> 1) Person X regularly gets emails from Person Y (good friends)
> 
> 2) Person Z is a bad guy... so he sends Person X a GTUBE email with a faked
> FROM: address of Person Y.
> 
> 3) Now, GTUBE scores a 1000 points, and gets set to the AWL database.
> 
> 4) Future emails from Person Y to Person X now get tagged as spam since AWL
> keeps bumping up the score because of the GTUBE that was sent earlier.
> =====
> I hope that makes sense...
> 
> I gotta think this isn't gonna happen... but anyone know if it can?  If so,
> I'm not going to enable AWL on my server.

        You're asking the right questions.
        To the best of my knowledge, this has already been addressed.  
What goes in the AWL isn't just the raw email address, it's the email 
address plus the first two octets of the source IP address.  For someone 
to successfully attack this way, the attacker would need a legal IP 
address in the same class B network as the legitimate sender.
        If sent from a different network, the +1000 user would show up in 
a different AWL entry than the legitimate sender.
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "I am Homer of Borg! Prepare to be... OOooo! donuts!"
(Courtesy of: Carlos Morgado <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--------------------------------------------------------------------------
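The keying rule Bill describes, as an added Python model (not SpamAssassin's own code): AWL entries are keyed on the sender address plus the first two octets of the source IP, and a message's score is pulled toward that entry's running mean. The averaging factor, the addresses and the IP ranges below are constructed assumptions used only to play out the two cases in the thread.

```python
from collections import defaultdict

# Assumed weighting: each new score is moved halfway toward the entry's mean.
AWL_FACTOR = 0.5


def awl_key(from_addr: str, source_ip: str) -> str:
    """Key an entry on the address plus the first two octets of the source IP,
    so the same From: address from a different /16 lands in a separate entry."""
    first_two = ".".join(source_ip.split(".")[:2])
    return f"{from_addr.lower()}|ip={first_two}"


class AutoWhitelist:
    """Simplified model: per-key running sum and count of pre-AWL scores."""

    def __init__(self, factor: float = AWL_FACTOR) -> None:
        self.factor = factor
        self.totals = defaultdict(lambda: [0.0, 0])  # key -> [sum, count]

    def check(self, from_addr: str, source_ip: str, score: float) -> float:
        """Return the AWL-adjusted score for this message and record the raw score."""
        key = awl_key(from_addr, source_ip)
        total, count = self.totals[key]
        adjusted = score
        if count:
            mean = total / count
            adjusted = score + (mean - score) * self.factor
        self.totals[key][0] += score
        self.totals[key][1] += 1
        return adjusted


def simulate(attacker_ip: str) -> float:
    """Person Y mails X three times, Z sends GTUBE with a forged From: of Y from
    attacker_ip, then Y mails again; return the adjusted score of Y's next mail."""
    awl = AutoWhitelist()
    legit_ip = "198.51.100.7"  # constructed: Person Y's mail server
    for _ in range(3):
        awl.check("y@example.org", legit_ip, 0.5)
    awl.check("y@example.org", attacker_ip, 1000.0)  # the forged GTUBE
    return awl.check("y@example.org", legit_ip, 0.5)


if __name__ == "__main__":
    print("attacker in another /16:", simulate("203.0.113.9"))      # unchanged, 0.5
    print("attacker in same /16:   ", simulate("198.51.100.200"))   # poisoned, 125.4375
```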