Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan

Paul Graham debianbts@omega-software.com
Sun Nov 5 16:03:03 UTC 2017


Hi!


At 05/11/17 16:09, Andreas Metzler wrote:
>
>> After this change, it's no longer possible for an attacker to use this technique to extract information. All their attempts would result in "relay not permitted" regardless of sender address.
> [...]
>
> I do not see the attacker gain, the same information can be extracted by
> trying out RCPT TO *@omega-software.com with FROM attacker@gmail.com.

Indeed :-)

We even had one of those, this morning:

2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test1@omega-software.com>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test2@omega-software.com>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test3@omega-software.com>: Unrouteable address
....
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <validaddress@omega-software.com>: SPF check failed.

> What am I missing?

This one can be solved too (mostly). Usually they fail some of the other checks. In this case SPF but it could be reverse DNS, DNSBL or other. Same problem: they can tell the difference because they get a different message.

So we mitigated this case by moving the recipient check too. Not just after relay, but after all the other checks that could potentially reject the attempt.

Here's the patch for that. If you want I can send a separate report (that was my initial intent).

-- 
Paul Graham
Development Dept.
http://Omega-Software.com/

Omega Software
-------------- next part --------------
A non-text attachment was scrubbed...
Name: recipient.patch
Type: text/x-patch
Size: 1363 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20171105/df6068dd/attachment-0001.bin>
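A defender-side check for the pattern in the log excerpt above, added here as an example (it is not part of the report or of exim4-config): it parses Exim reject lines, flags hosts that probe many distinct recipients in a short window, and lists the distinct rejection reasons each such host received, since receiving more than one reason is the information leak the thread discusses. The sample lines, the threshold and the window are constructed/assumed values.

```python
"""Spot RCPT TO address enumeration in Exim main log reject lines.

Added example, not from the bug report or exim4-config. The line format
follows the excerpt quoted in the mail; the sample lines are constructed
and the threshold (5 distinct recipients per host in 60 s) is assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Exim mainlog "rejected RCPT" line, as in the quoted excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=\S+ \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.+)$"
)

# Constructed sample: one probing host, one ordinary mistyped address.
SAMPLE_LOG = """\
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test1@omega-software.com>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test2@omega-software.com>: Unrouteable address
2017-11-05 09:24:15 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test3@omega-software.com>: Unrouteable address
2017-11-05 09:24:15 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <test4@omega-software.com>: Unrouteable address
2017-11-05 09:24:16 H=(attacker) [10.20.30.40] F=<attacker@example.com> rejected RCPT <validaddress@omega-software.com>: SPF check failed.
2017-11-05 10:01:02 H=mx.example.net [192.0.2.7] F=<bob@example.net> rejected RCPT <typo@omega-software.com>: Unrouteable address
"""

def find_enumeration(log_text, min_rcpts=5, window_s=60):
    """Return {ip: (distinct_recipients, sorted distinct reasons)} for hosts
    that hit >= min_rcpts distinct recipients within window_s seconds.
    More than one reason for a host is the leak described in the mail:
    differing responses let it tell valid from invalid addresses."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["rcpt"], m["reason"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            rcpts = {e[1] for e in win}
            if len(rcpts) >= min_rcpts:
                hits[ip] = (len(rcpts), sorted({e[2] for e in win}))
                break
    return hits

if __name__ == "__main__":
    for ip, (n, reasons) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct recipients, reasons={reasons}")
```

Run against a real mainlog, a host whose reasons list mixes "Unrouteable address" with anything else shows the ACL is still answering differently for valid and invalid recipients.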