Koozali.org: home of the SME Server

SME 9.2 vulnerable to mailsploit?

Curtis
SME 9.2 vulnerable to mailsploit?
« on: December 12, 2017, 04:22:04 PM »
Hello all!  My brief testing on SME 9.2 suggests it is vulnerable to spoofed messages as described here: https://www.mailsploit.com

I am running Horde 5.2.17, but I suspect the earlier versions of Horde and qmail are vulnerable.  The page linked above includes a tool to send a malformed message to your server.  Mine accepted all 14 test messages and more than a handful of them were successful at spoofing the sender's address.

Anyone else tested their system?

Thanks,
Curt
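The trick Mailsploit relies on is worth seeing in code. Its test messages put the spoofed sender inside RFC 2047 encoded words in the From header, with a NUL byte or a newline encoded in the middle; a client that decodes the whole header first and only then parses the address stops at that byte and shows the spoofed part. The script below is an added example, not code from this thread, from Horde, or from SME Server/qpsmtpd: it models the vulnerable decode-then-parse order next to the safe parse-then-decode order, and flags a header that decodes to control characters or that carries an encoded word inside the address itself (which RFC 2047 forbids). All sample headers, addresses and domains in it are constructed placeholders.

```python
"""
Mailsploit-style From-header check (added example; not code from the forum
thread, from Horde, or from SME Server/qpsmtpd).

Mailsploit hides a spoofed address inside RFC 2047 "encoded words" in the
From header. After decoding, the text contains a NUL byte or a newline, and a
client that decodes the whole header *before* parsing the address stops at
that byte and displays only the spoofed part. The safe order is the reverse:
parse the raw header first (encoded words may only appear in the display
name, never in an addr-spec), decode only the display name, and reject any
control character that survives decoding.

All sample headers below are constructed for this example; the addresses and
domains are placeholders, not anything from the thread.
"""
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# One RFC 2047 encoded word: =?charset?B|Q?text?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")
# ASCII control characters (NUL, CR, LF, ...) and DEL
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def decode_words(raw):
    """Decode every RFC 2047 encoded word in a header value into text."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def naive_display(raw_from):
    """Model of a vulnerable client: decode the whole header, then parse.

    C-string based code stops at the first NUL, and a bare newline ends the
    header, so everything after it (the real sender) is never seen.
    """
    text = decode_words(raw_from)
    visible = re.split(r"[\x00\r\n]", text, maxsplit=1)[0]
    return parseaddr(visible)[1]


def safe_parse(raw_from):
    """Parse first, decode second; return (address, reasons to reject)."""
    name, addr = parseaddr(raw_from)
    reasons = []
    if ENCODED_WORD.search(addr):
        reasons.append("encoded-word inside addr-spec (forbidden by RFC 2047)")
    if CONTROL.search(decode_words(name)) or CONTROL.search(decode_words(addr)):
        reasons.append("control character after RFC 2047 decoding")
    return addr, reasons


def check_message(raw_message):
    """Run both views over the From: header of a raw RFC 5322 message."""
    raw_from = message_from_string(raw_message)["From"] or ""
    addr, reasons = safe_parse(raw_from)
    return {
        "client_would_show": naive_display(raw_from),
        "actual_address": addr,
        "reasons": reasons,
    }


# Constructed samples. base64("ceo@example.com") == "Y2VvQGV4YW1wbGUuY29t".
SAMPLES = {
    "clean": '"Alice Example" <alice@example.org>',
    # NUL variant: spoofed address, then =00, then the real sending domain
    "nul": "=?utf-8?b?Y2VvQGV4YW1wbGUuY29t?==?utf-8?Q?=00?=@attacker.example.net",
    # newline variant: spoofed address in the display name, cut off by =0A=00
    "newline": "=?utf-8?Q?=22ceo=40example=2Ecom=22=0A=00?= <attacker@attacker.example.net>",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        msg = "From: %s\r\nTo: me@example.org\r\nSubject: test\r\n\r\nbody\r\n" % hdr
        print(label, check_message(msg))
```

For the two spoofed samples, naive_display returns ceo@example.com while safe_parse returns an address at attacker.example.net plus at least one reason to reject the message; for the clean header both agree and the reason list is empty. The same parse-then-decode rule is what to look for when checking whether a webmail client or an MTA header filter handles these messages correctly.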




mmccarn
Re: SME 9.2 vulnerable to mailsploit?
« Reply #1 on: December 13, 2017, 01:12:52 PM »
Are you saying that when you send "all 14" tests to yourself, then open them in Horde, they show the "from" address you entered in mailsploit?

I ran the test on my server and didn't receive any of the tests - presumably my qpsmtpd or firewall settings blocked the sending mail server (or it takes longer than 25 minutes for mailsploit to get around to sending its messages).

If you provide the IP address that delivered the messages to your SME server I will try to figure out why the delivery to my system failed.

I have found no connection attempts from the mailsploit.com MX IPs (198.54.122.215, 198.54.122.213) or A IPs (104.25.35.16), no new email in my Inbox, and no record of 'mailsploit' or 'potus' in my qpsmtpd log files.

Curtis
Re: SME 9.2 vulnerable to mailsploit?
« Reply #2 on: December 13, 2017, 05:19:10 PM »
Good morning,

Yes, your description is accurate. https://imgur.com/a/Hn9Im

Message sources:
Received: from a7-28.smtp-out.eu-west-1.amazonses.com (HELO a7-28.smtp-out.eu-west-1.amazonses.com) (54.240.7.28)
Received: from a7-30.smtp-out.eu-west-1.amazonses.com (HELO a7-30.smtp-out.eu-west-1.amazonses.com) (54.240.7.30)
Received: from a7-31.smtp-out.eu-west-1.amazonses.com (HELO a7-31.smtp-out.eu-west-1.amazonses.com) (54.240.7.31)
Received: from a7-33.smtp-out.eu-west-1.amazonses.com (HELO a7-33.smtp-out.eu-west-1.amazonses.com) (54.240.7.33)

Thanks,
Curt

JohnG
Re: SME 9.2 vulnerable to mailsploit?
« Reply #3 on: December 13, 2017, 07:30:36 PM »
FYI I tried it using Internet Explorer, but it didn't seem to do anything when SEND was clicked; then using Chrome I got a response that it was sent. About a minute later the 14 emails arrived. Didn't examine it enough to see what the results mean; will do that later.