Date: Thu, 23 Apr 2020 19:10:32 +0000 From: Jeremy Stanley <fungi@...goth.org> To: oss-security@...ts.openwall.com Subject: Re: spoofing of local email sender via a homoglyph attack On 2020-04-23 20:12:34 +0200 (+0200), Solar Designer wrote: [...] > What you reported originally, where you bypass something that just > happens that way in some configurations and wasn't meant to > provide any security against sender address spoofing, looks like > even less of an issue to me. [...] Indeed, if the local attacker is already capable of opening a socket to the MTA, then it seems like it would be even easier instead to just open an outbound socket to the target's MTA directly from that server and bypass the restrictions applied by the local relaying MTA entirely (unless the local MTA process has privileged access to something like a DKIM key or durable TLS client key which the attacker can't access due to filesystem ACLs). Then they wouldn't need to lean on lack of homoglyph differentiation at the recipient's end at all. -- Jeremy Stanley Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.