[exim-dev] [Bug 2188] New: Moving recipient check last to mi…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2188] New: Moving recipient check last to mitigate brute-force address scan
https://bugs.exim.org/show_bug.cgi?id=2188

            Bug ID: 2188
           Summary: Moving recipient check last to mitigate brute-force
                    address scan
           Product: Exim
           Version: N/A
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: development@???
                CC: exim-dev@???


Created attachment 1047
--> https://bugs.exim.org/attachment.cgi?id=1047&action=edit
patch to move recipient check down

This recently came up in Exim logs:

2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test1@???>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test2@???>: Unrouteable address
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <test3@???>: Unrouteable address
....
2017-11-05 09:24:14 H=(attacker) [10.20.30.40] F=<attacker@???> rejected RCPT <validaddress@???>: SPF check failed.

An attacker successfully found a valid local address using brute-force scan.

This was only possible because recipient verification happens early (in this
case before the SPF check).

In order to mitigate this kind of attack, we moved recipient verification down
so that it happens after all other checks that could potentially cause a deny.

I think the Exim default config could be improved likewise, by moving sender
verification down after DNSBL checks.

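As an added illustration of the ordering this report argues for (it is not the attached patch and not Exim's shipped configure file), the fragment below shows an RCPT ACL with the recipient check in its usual early position and then the same ACL with every deny-capable check moved ahead of it. It assumes an Exim built with SPF support, a hypothetical DNS blocklist name, and that the stock accept rules for relay hosts and authenticated clients sit above the fragment.

```exim
# Weak ordering: "require verify = recipient" answers before the host-based
# checks, so an unknown local part gets "Unrouteable address" while a known one
# goes on to fail SPF with a different text. The two answers tell them apart.
acl_check_rcpt_weak:
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify  = recipient           # unknown local part -> "Unrouteable address"

  deny    message  = rejected because $sender_host_address is listed at $dnslist_domain
          dnslists = bl.example.invalid # hypothetical list name, not a real service

  deny    message  = SPF check failed
          spf      = fail               # needs SPF support compiled in

  accept

# Mitigated ordering: everything that can deny on its own runs first, and the
# recipient check is the last thing an unauthenticated, non-relay host reaches.
# A listed or SPF-failing host now gets the same rejection for every RCPT,
# known local part or not.
acl_check_rcpt_mitigated:
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  deny    message  = rejected because $sender_host_address is listed at $dnslist_domain
          dnslists = bl.example.invalid # hypothetical list name, not a real service

  deny    message  = SPF check failed
          spf      = fail               # needs SPF support compiled in

  require verify  = recipient           # only reached by hosts that passed the above

  accept
```

Select one of the two with `acl_smtp_rcpt` as usual. Note that a host which passes every earlier check still sees the distinct "Unrouteable address" reply, so the reordering narrows the enumeration signal to well-behaved senders rather than removing it.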