lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 4 Oct 2009 10:53:08 -0400
From: "com|com pipecharacter" <pipecharacter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: gmail pipe character inconsistencies and fun

Gmail will not let you send email to an email address with a | in it. It
just goes directly to /dev/null. For good reason - it doesn't belong in an
email address. It will not let you create an email address that uses it, and
if you use google apps, you can't create a "group" or mailing list with it
in it.

For some reason google's smtp servers are more than willing to accept an
email from (or to) an email address with the pipe character in it. So if you
start sending someone annoying emails to someone from an email address like
"com|buggingyou@...mple.com", they might try to send your emails straight to
the trash. So they click on the downward arrow in the top right, click on
"filter messages like this", see "com|buggingyou@...mple.com" in the "From:"
field, click on "Next Step >>", delete it, and create filter. Now a huge
chunk of their email will go into the trash. If they clicked "Also apply
this filter to ...", they even delete a huge chunk of the email they already
had.

If course there is a search in the last step, but if you have it filled up
with your junk email they might never even notice what they are doing.

Is this a huge security flaw? Of course not. It still shouldn't exist. The
truth is it doesn't concern me at all.

What really bothers me is what I said above, that you can also send TO an
email address with a pipe character in it. I use a catchall on my google
apps domain, and I control spam by taking all of the fake email addresses
spammers have generated and create an empty mailing list with those names.
Now their spam gets rejected by the smtp servers, and they know they aren't
getting anywhere. My spam box tends to stay empty.

That is, until a spammer started sending email to an email address with | in
it. I can't do anything to stop them. Google is impossible to talk to, so I
had to create a fake vulnerability to get people outside google interested
in it. The original "vulnerability" I talked about does exist, and I'm sure
people could have some fun with it.

Which reminds me, here is another "vulnerability". If you want to spam
someone with a google apps domain and a catchall, they can't block you if
you send email to an email address with a | in it!

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ