Open Mail Relay Internal @mozilla to @mozilla
Categories: Websites :: Other, defect
Tracking: Not tracked
People: Reporter: scfraser, Unassigned
Attachments: 1 file (984.89 KB, application/octet-stream)
Sumon emailed security@ with a potential anonymous email relay issue.
Hello,
Issue description
Your incoming SMTP servers, provided by Google, seem to be accepting without authentication mails from addresses @mozilla.org and destined for addresses @mozilla.org.
This can greatly ease spear-phishing attacks, as users usually put much trust into emails coming from their own domain name, let alone people they actually know. For instance, an attacker could craft an email impersonating your CEO or your IT dept. and asking to open a malicious link or attachment, then send it to some of your users by leveraging this vulnerability.
Issue reproduction
Using the sendemail script:
sendemail -s alt3.aspmx.l.google.com:25 -o message-file=mail2.txt -t security+test@mozilla.org -f security@mozilla.org -u "security testing of mail relay by sumon" -vvv
If you will, I can also reproduce the issue at your request, with any "from:" and "to:" addresses that you like.
Trace output
As this trace shows, I was able to send an email from security@mozilla.org to security+test@mozilla.org, without authentication.
bugxploit@bugxploit:~$ sendemail -s alt3.aspmx.l.google.com:25 -o message-file=mail2.txt -t security+test@mozilla.org -f security@mozilla.org -u "security testing of mail relay by sumon" -vvv
Apr 26 18:43:00 bugxploit sendemail[29614]: DEBUG => Connecting to alt3.aspmx.l.google.com:25
Apr 26 18:43:00 bugxploit sendemail[29614]: DEBUG => My IP address is: 192.168.0.10
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 mx.google.com ESMTP k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 18:43:02 bugxploit sendemail[29614]: SUCCESS => Received: 220 mx.google.com ESMTP k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:02 bugxploit sendemail[29614]: INFO => Sending: EHLO bugxploit
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:02 bugxploit sendemail[29614]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => The remote SMTP server supports TLS :)
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => Starting TLS
Apr 26 18:43:02 bugxploit sendemail[29614]: INFO => Sending: STARTTLS
Apr 26 18:43:03 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 2.0.0 Ready to start TLS
Apr 26 18:43:03 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 18:43:03 bugxploit sendemail[29614]: SUCCESS => Received: 220 2.0.0 Ready to start TLS
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => TLS: Using cipher: TLS_AES_256_GCM_SHA384
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => TLS session initialized :)
Apr 26 18:43:04 bugxploit sendemail[29614]: INFO => Sending: EHLO bugxploit
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:04 bugxploit sendemail[29614]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 18:43:04 bugxploit sendemail[29614]: INFO => Sending: MAIL FROM:<security@mozilla.org>
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.0 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.1.0 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending: RCPT TO:<security+test@mozilla.org>
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.5 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.1.5 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending: DATA
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 354 Go ahead k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 354
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 354 Go ahead k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending message body
Apr 26 18:43:05 bugxploit sendemail[29614]: Setting content-type: text/plain
Apr 26 18:43:06 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.0.0 OK 1714137186 k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:06 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:06 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.0.0 OK 1714137186 k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:06 bugxploit sendemail[29614]: Generating a detailed exit message
Apr 26 18:43:06 bugxploit sendemail[29614]: Email was sent successfully! From: <security@mozilla.org> To: <security+test@mozilla.org> Subject: [security testing of mail relay by sumon] Server: [alt3.aspmx.l.google.com:25]
Recommendation
Authentication shall be requested for incoming emails from internal @mozilla.org email addresses, especially when they come from untrusted networks such as the Internet.
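A receive-side check for the condition the report describes, as an added example that is not part of the original report or of any Mozilla or Google configuration: it treats mail whose From: domain is internal as suspect unless the border MTA's own Authentication-Results header records an aligned SPF or DKIM pass. The `classify` function, the `TRUSTED_AUTHSERV` value and the sample messages are constructed for illustration, and the alignment test is a simplification of DMARC relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"mozilla.org"}   # the domain named in the report
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own border MTA

def _aligned(identity, from_domain):
    """Relaxed alignment, simplified to 'same domain or a subdomain of it'."""
    d = identity.rpartition("@")[2].lower()
    return d == from_domain or d.endswith("." + from_domain)

def classify(raw):
    """Return 'external', 'accept' or 'quarantine' for one received message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in INTERNAL_DOMAINS:
        return "external"
    # The border MTA prepends its verdict, so only the topmost header counts;
    # anything below it may have been supplied by the sender.
    headers = msg.get_all("Authentication-Results") or []
    top = " ".join(str(headers[0]).split()) if headers else ""
    authserv, _, results = top.partition(";")
    if authserv.strip().lower() != TRUSTED_AUTHSERV:
        return "quarantine"
    for method, verdict, props in re.findall(r"\b(dkim|spf)=(\w+)([^;]*)", results):
        key = "header.d" if method == "dkim" else "smtp.mailfrom"
        ident = re.search(re.escape(key) + r"=(\S+)", props)
        if verdict == "pass" and ident and _aligned(ident.group(1), from_domain):
            return "accept"   # DMARC-style: one aligned pass is enough
    return "quarantine"

def _msg(auth_results, sender="security@mozilla.org"):
    # Constructed sample message; header values are illustrative only.
    ar = "".join(f"Authentication-Results: {a}\n" for a in auth_results)
    return f"{ar}From: {sender}\nTo: security+test@mozilla.org\nSubject: test\n\nbody\n"

SPOOFED = _msg(["mx.example.net; spf=softfail smtp.mailfrom=security@mozilla.org; dkim=none"])
SIGNED = _msg(["mx.example.net; dkim=pass header.d=mozilla.org"])
FORGED_AR = _msg(["mx.example.net; spf=fail smtp.mailfrom=security@mozilla.org",
                  "mx.example.net; dkim=pass header.d=mozilla.org"])
OUTSIDE = _msg(["mx.example.net; spf=pass smtp.mailfrom=a@example.com"], "a@example.com")

if __name__ == "__main__":
    for name in ("SPOOFED", "SIGNED", "FORGED_AR", "OUTSIDE"):
        print(name, classify(globals()[name]))
```

The FORGED_AR sample carries a second, sender-supplied Authentication-Results header claiming a DKIM pass; it is still quarantined because only the topmost header is evaluated.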
Reporter
Comment 1 • 10 months ago
Hi Sumon, thank you for the report. Can you try sending me an email using this bug? My email is scfraser@mozilla.com.
Comment 2 • 10 months ago
I have sent it; check it from security@mozilla.org.
Here is the delivery report:
bugxploit@bugxploit:~$ sendemail -s alt3.aspmx.l.google.com:25 -o message-file=mail2.txt -t scfraser@mozilla.com -f security@mozilla.org -u "security testing of mail relay by sumon" -vvv
Apr 26 22:08:46 bugxploit sendemail[39172]: DEBUG => Connecting to alt3.aspmx.l.google.com:25
Apr 26 22:08:46 bugxploit sendemail[39172]: DEBUG => My IP address is: 192.168.0.10
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 mx.google.com ESMTP s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 22:08:49 bugxploit sendemail[39172]: SUCCESS => Received: 220 mx.google.com ESMTP s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:49 bugxploit sendemail[39172]: INFO => Sending: EHLO bugxploit
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 22:08:49 bugxploit sendemail[39172]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => The remote SMTP server supports TLS :)
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => Starting TLS
Apr 26 22:08:49 bugxploit sendemail[39172]: INFO => Sending: STARTTLS
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 2.0.0 Ready to start TLS
Apr 26 22:08:49 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 22:08:49 bugxploit sendemail[39172]: SUCCESS => Received: 220 2.0.0 Ready to start TLS
Apr 26 22:08:50 bugxploit sendemail[39172]: DEBUG => TLS: Using cipher: TLS_AES_256_GCM_SHA384
Apr 26 22:08:50 bugxploit sendemail[39172]: DEBUG => TLS session initialized :)
Apr 26 22:08:50 bugxploit sendemail[39172]: INFO => Sending: EHLO bugxploit
Apr 26 22:08:50 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 22:08:50 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 22:08:50 bugxploit sendemail[39172]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 22:08:50 bugxploit sendemail[39172]: INFO => Sending: MAIL FROM:<security@mozilla.org>
Apr 26 22:08:51 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.0 OK s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:51 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 22:08:51 bugxploit sendemail[39172]: SUCCESS => Received: 250 2.1.0 OK s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:51 bugxploit sendemail[39172]: INFO => Sending: RCPT TO:<scfraser@mozilla.com>
Apr 26 22:08:51 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.5 OK s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:51 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 22:08:51 bugxploit sendemail[39172]: SUCCESS => Received: 250 2.1.5 OK s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:51 bugxploit sendemail[39172]: INFO => Sending: DATA
Apr 26 22:08:52 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 354 Go ahead s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:52 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 354
Apr 26 22:08:52 bugxploit sendemail[39172]: SUCCESS => Received: 354 Go ahead s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:52 bugxploit sendemail[39172]: INFO => Sending message body
Apr 26 22:08:52 bugxploit sendemail[39172]: Setting content-type: text/plain
Apr 26 22:08:52 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.0.0 OK 1714149532 s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:52 bugxploit sendemail[39172]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 22:08:52 bugxploit sendemail[39172]: SUCCESS => Received: 250 2.0.0 OK 1714149532 s35-20020a0568302aa300b006ebc9a97437si7220612otu.68 - gsmtp
Apr 26 22:08:52 bugxploit sendemail[39172]: Generating a detailed exit message
Apr 26 22:08:52 bugxploit sendemail[39172]: Email was sent successfully! From: <security@mozilla.org> To: <scfraser@mozilla.com> Subject: [security testing of mail relay by sumon] Server: [alt3.aspmx.l.google.com:25]
Reporter
Comment 3 • 10 months ago
Thank you. I got the email you sent as the log describes. There is a change which should resolve this issue in the next few weeks. Because this issue is already known and the change was planned, I'm going to close this report.
Thank you for reporting this and helping keep Mozilla safe online.