Here's an ingenious one...

Thomas A. Horsley

I got a mail at work the other day (where we, unfortunately, run exchange
and outlook with the "corporate" interface to exchange).

As near as I can tell from saving it off in ".msg" format and then poking
around inside of it with emacs, it was sent to a nonexistent address, but
one that looked like it was inside the company (To: (e-mail address removed) kind
of thing). On top of that, it had my valid email address spoofed as the
sender (From: (e-mail address removed)).

This apparently had the effect of exchange generating a bounce message to me
([email protected]) including the original virus message as an
attachment. The clever bit is that this bounce message arrives in my
inbox appearing to be locally generated mail. If I examine the "properties"
dialog, there are no internet headers on it. (Though with emacs I did
find internet headers embedded in the .msg file which looked like the
mail I described and originated outside the company).

Naturally, being the ultra-paranoid that I am, I didn't open the attachment
or even read the mail directly at all, but I can see this technique having
potential.

Just another reason bounce messages are a bad idea :-).
 
Thomas A. Horsley said:
> I got a mail at work the other day (where we, unfortunately, run exchange
> and outlook with the "corporate" interface to exchange).

So this is not an Email story then... 8-)
> As near as I can tell from saving it off in ".msg" format and then poking
> around inside of it with emacs, it was sent to a nonexistent address, but
> one that looked like it was inside the company (To: (e-mail address removed) kind
> of thing). ...

More specifically, might this "badname" have been more like:

(e-mail address removed)

or, even more generically, might it have been a string from a Message-ID:
header that would have been generated by your company's Email system?

The very simple "find Email addresses" algorithms most current self-mailing
viruses use have the habit of picking the values from Message-ID: headers of
Email messages as Email addresses, which is not surprising if you read
section 3.6.4 of the "Internet Message Format" specification, RFC 2822:

ftp://ftp.rfc-editor.org/in-notes/rfc2822.txt
> ... On top of that, it had my valid email address spoofed as the
> sender (From: (e-mail address removed)).

Well, there's nothing new there...
> This apparently had the effect of exchange generating a bounce message to me
Yep...

> ([email protected]) including the original virus message as an

Tsk, tsk. Your Exchange server admin should look for an option to (severely)
limit the amount of the original message sent back in bounce messages (I don't
know if Exchange actually supports this, but many real mail servers do).
> attachment. The clever bit is that this bounce message arrives in my
> inbox appearing to be locally generated mail. If I examine the "properties"
> dialog, there are no internet headers on it. (Though with emacs I did
> find internet headers embedded in the .msg file which looked like the
> mail I described and originated outside the company).

That would be correct. The message was sent from outside forging as if from
an internal Email address and to an invalid internal address. First, this
raises the possibility that your Exchange server may be able to be abused
from the Internet as a relay and second, you should ask the Exchange admin if
it is correct that your server accepts "externally sourced" messages from
"internal" addresses.

Also, the "Internet headers" you refer to are presumably due to Exchange
observing the recommended behaviour when bouncing Internet mail. RFC 2821
describes what an SMTP server implementation should do when bouncing messages
after accepting responsibility for delivering them (as was the case here).
> Naturally, being the ultra-paranoid that I am, I didn't open the attachment
> or even read the mail directly at all, but I can see this technique having
> potential.

"potential"?

This has been working well for a few years now...
> Just another reason bounce messages are a bad idea :-).

Just another reason bouncing the _whole_ message is a bad idea. The issue
here is really that the server has no way of telling what the message
contents are. In other cases it is necessary that at least a "whoops --
seems like a bad address" type bounce gets sent and only a human can really
decide between the two, so we get the server to bounce everything alike...
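The two mechanisms discussed in this thread, a scraper that mistakes Message-ID: values for addresses and the backscatter bounce that results when the forged message hits a nonexistent internal address, as an added Python example (not code from either poster). Everything in it is constructed: the stored message, the bounce, the host names, and `thomas@example.com` / `example.com`, which stand in for the removed addresses and the poster's internal domain.

```python
"""Added example (not from the thread): why a naive address scraper sweeps up
Message-ID values, and a defender-side check for the backscatter bounce this
produces.  All messages and addresses below are constructed samples."""
import email
import re
from email import policy

# Constructed sample of a message as a mail client might store it locally.
STORED_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Message-ID: <20040112.5f3a9c1b@mail.example.com>
In-Reply-To: <3ff1a2b4.7d1e@host.example.com>
Subject: lunch

see you at noon
"""

# Permissive "looks like an address" pattern of the kind simple scrapers use.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# RFC 2822 section 3.6.4: a msg-id has the same shape as an addr-spec,
# but it is an identifier, not a mailbox.  These headers carry msg-ids.
IDENTIFIER_HEADERS = {"message-id", "in-reply-to", "references", "content-id"}


def naive_harvest(raw):
    """Run the pattern over the whole text: msg-id values are matched too."""
    return sorted(set(ADDR_RE.findall(raw)))


def careful_harvest(raw):
    """Look only at header values and skip the identifier headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()
    for name, value in msg.items():
        if name.lower() in IDENTIFIER_HEADERS:
            continue
        found.update(ADDR_RE.findall(str(value)))
    return sorted(found)


# Constructed sample of the bounce the original post describes: generated by
# the local server, it returns an externally sourced message whose From: was
# forged as the local user and whose To: is a harvested msg-id.
BOUNCE = """\
From: postmaster@example.com
To: thomas@example.com
Subject: Undeliverable: please see attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

The recipient address does not exist.
--bnd
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from mail.bad.example (mail.bad.example [203.0.113.7]) by mx.example.com
From: thomas@example.com
To: 20040112.5f3a9c1b@mail.example.com
Subject: please see attached
Message-ID: <000001@bad.example>

(worm body would be here)
--bnd--
"""

RECEIVED_FROM_RE = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)


def entry_host(original):
    """Host named in the earliest (last-listed) Received: line, or None."""
    hops = original.get_all("Received", [])
    if not hops:
        return None
    m = RECEIVED_FROM_RE.match(str(hops[-1]).strip())
    return m.group(1).lower() if m else None


def returned_original(bounce):
    """The message/rfc822 part a bounce carries, or None if there is none."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def is_forged_backscatter(raw_bounce, own_address, internal_domain):
    """True when the returned original claims to be From: us but entered the
    system through a host outside our domain: we never sent it, so the bounce
    is backscatter and its attachment should be treated as hostile."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = returned_original(bounce)
    if original is None or original["From"] is None:
        return False
    sender = original["From"].addresses[0].addr_spec.lower()
    host = entry_host(original)
    if sender != own_address.lower() or host is None:
        return False
    return host != internal_domain and not host.endswith("." + internal_domain)
```

`naive_harvest(STORED_MESSAGE)` returns the two msg-ids alongside the two real addresses, which is exactly how a nonexistent but internal-looking recipient ends up in the To: line; `careful_harvest` returns only the two mailboxes. `is_forged_backscatter(BOUNCE, "thomas@example.com", "example.com")` is true because the returned original says it is from the local user yet its only Received: hop is `mail.bad.example`. The check reads the embedded message's headers only, never its body or attachment, which is the safe way to inspect such a bounce. The server-side fix the reply recommends, returning only headers or a size-limited prefix rather than the whole message, is a standard MTA setting (Postfix, for instance, exposes it as `bounce_size_limit`).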
 