Re: Is predictable spam filtering a vulnerability?

To: R Armiento <rar_bt@xxxxxxxxxxx>
Subject: Re: Is predictable spam filtering a vulnerability?
From: krispykringle@xxxxxxxxxx
Date: Thu, 17 Jun 2004 13:04:55 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200406161326.AA304546076@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200406161326.AA304546076@xxxxxxxxxxx>
User-agent: Mutt/1.5.6i

Very interesting proposition, but I can't think of any real advantage here. In 
the hypothetical scenario, could the attacker not simply send an email 
purportedly from the boss to begin with saying, ``please forward the secret 
plans to attacker@xxxxxxxxxxxxxxxxxx''? For that matter, isn't it likely that a 
recipient in such a poorly run system with such little regard for reading 
headers (and I don't delude myself that this is uncommon) would not notice if 
an attacker were to send an e-mail with a from address boss@xxxxxxxxxxx but a 
reply-to of hax0r@xxxxxxxxxxxxxxxxxxxxxxxxxxx? In other words, the specific 
``exploit'' here is not the spam filter so much as the ignorance of the victim. 

Anywho, it seems most decent spam filters have whitelisting; 
bigcheese@xxxxxxxxxxx is unlikely to filter out servileMBA@xxxxxxxxxxx, even if 
the e-mail does contain the key words. The spam filter is usually not applied 
to legitimate known-good e-mail addresses. 

Interesting discussion nonetheless. 

Dan

On Wed, Jun 16, 2004 at 01:26:28PM +0200, R Armiento wrote:
> 
> During a recent email conversation with several participants, we discovered 
> that the email service of one participant silently dropped legitimate emails 
> that happened to contain certain combinations of words common in spam. I 
> believe this sort of filter is common practice, and in fact even in place for 
> some of my own email addresses.
> 
> However, this experience made me think: isn't predictable spam filtering in 
> general a vulnerability that could be used as a hoax device? Since most users 
> reply to an email citing the complete source email, including 
> filter-offending words, it should be possible to keep a reply, forward, or 
> even a whole thread, under the radar of specific recipients. If used in 
> combination with forged replies from addresses predictably dropping emails, I 
> think this may be a dangerous tool for social engineering. 
> 
> For example: attacker 'A' sends 'B' a social engineering request for "the 
> secret plans" and says "if you are unsure, forward my request to your boss 
> and ask if this is okay". 'B' forwards the email to his boss 'C' and asks "Is 
> this okay?". However, 'C':s spam filter silently drops the email. 'A' forges 
> a reply from 'C' saying: "Sure, no problem, go ahead."
> 
> Regards,
> R. Armiento

References:
- Is predictable spam filtering a vulnerability?
  - From: R Armiento

Prev by Date: time
Next by Date: [ GLSA 200406-15 ] Usermin: Multiple vulnerabilities
Previous by thread: Re: Is predictable spam filtering a vulnerability?
Next by thread: RE: Is predictable spam filtering a vulnerability?
Index(es):
- Date
- Thread