New hijacking - Done via via good old-fashioned Identity Theft

Robert Bonomi bonomi at mail.r-bonomi.com
Fri Oct 8 08:55:13 UTC 2010


> Date: Fri, 08 Oct 2010 15:38:12 +1100
> From: Ben McGinnes <ben at adversary.org>
> To: Leen Besselink <leen at consolejunkie.net>
> Subject: Re: New hijacking - Done via via good old-fashioned Identity Theft
> Cc: nanog at nanog.org
>
>
> On 8/10/10 10:00 AM, Leen Besselink wrote:
> >
> > key at domain.tld for when you have a personal domain
> > key-user at domain.tld for when you have a server which understands address
> > extensions
>
> Actually I think it's user+key at domain.tld for the second one.  At least
> that's what I've seen for Postfix.  Not so sure about other MTAs.


Sendmail 'invented' the 'plussed' extension to an address.
Other MTAs mimic Sendmail's behavior.
The '+key' is ignored for purposes of selecting the delivery mailbox:
username+anything gets handed to the LDA for final delivery to mailbox
'username', _with_ the 'plus part' (i.e. 'anything', from above) available
as an extra parameter.

To selectively accept/discard on the plussed portion of the address,
you either do it in the LDA (procmail, for example, makes this really
easy), or you have to run a 'milter' that knows which plussed parts
are valid for which users.

For a mailserver that does -not- understand 'plussed' addresses, you
can usually fake it out by putting the key as an extra element of the
host-name, e.g. user at key.some.dom.ain.tld.  AFAIK every MTA accepts
mail with a more-specific name than a name it has been explicitly told
to accept (either for local delivery, or for forwarding) mail for.
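The address handling described in this message, as an added example that is not part of the original post or of any MTA's code: it splits a recipient into mailbox, plussed extension and domain the way Sendmail-style MTAs do, treats the "key as an extra host-name element" form the same way, and then makes the accept/discard decision that the post says belongs in the LDA or a milter. The domain `example.com` and the `VALID_KEYS` table of which plussed parts are valid for which users are constructed for the example.

```python
from typing import NamedTuple, Optional


class ParsedAddress(NamedTuple):
    mailbox: str              # local user the LDA will deliver to
    extension: Optional[str]  # the 'plus part', or None if absent
    domain: str               # domain after folding a key subdomain


# Assumption: this host is the final destination for example.com.
LOCAL_DOMAIN = "example.com"

# Constructed table standing in for the per-user knowledge a milter
# would need: which plussed keys each local user has handed out.
VALID_KEYS = {
    "alice": {"nanog", "bank"},
    "bob": {"lists"},
}


def parse_recipient(addr: str, local_domain: str = LOCAL_DOMAIN,
                    delimiter: str = "+") -> ParsedAddress:
    """Split 'user+key@domain' or 'user@key.domain' into its parts."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid address: {addr!r}")
    domain = domain.lower()
    ext = None

    # Sendmail-style plussed extension: the mailbox is everything before
    # the first delimiter; the rest is carried along as an extra parameter.
    if delimiter in local:
        local, ext = local.split(delimiter, 1)

    # Subdomain form for MTAs without plus support: user@key.example.com.
    # The more-specific name is accepted and the first label becomes the key.
    suffix = "." + local_domain
    if domain != local_domain and domain.endswith(suffix):
        if ext is None:
            ext = domain[: -len(suffix)]
        domain = local_domain

    return ParsedAddress(local.lower(), ext, domain)


def delivery_decision(addr: str) -> str:
    """Accept/discard on the plussed part, as an LDA rule or milter would."""
    p = parse_recipient(addr)
    if p.domain != LOCAL_DOMAIN:
        return "relay-denied"          # not our domain; do not relay
    if p.mailbox not in VALID_KEYS:
        return "unknown-user"
    if p.extension is None:
        return "accept"                # plain address, no key to check
    return "accept" if p.extension in VALID_KEYS[p.mailbox] else "discard"


if __name__ == "__main__":
    for a in ("alice+nanog@example.com", "alice+spam@example.com",
              "Bob@lists.example.com", "carol+x@example.com"):
        print(f"{a:28} -> {delivery_decision(a)}")
```

Because the mailbox is chosen before the extension is examined, a key the user never handed out still reaches the right user's LDA; the `discard` branch is where a procmail recipe or milter would drop it, and where one would log which key was burned.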

More information about the NANOG mailing list