Closed Bug 1893691 Opened 10 months ago Closed 10 months ago

Open Mail Relay Internal @mozilla to @mozilla

Categories

(Websites :: Other, defect)

Product:
Websites
Component:
Other
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1217545

People

(Reporter: bong127.0.0.1, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

vokoscreenNG-2024-04-26_22-42-54.mkv
775.34 KB, video/x-matroska
Details

Sumon emailed security@ with a potential anonymous email relay issue.
Hello,
Issue descripton
your incoming SMTP servers, provided by google , seems to be accepting without authentication mails from addresses @mozilla.org and destined for addresses @mozilla.org.
This can greatly ease spear-phishing attacks, as users usually put much trust into emails coming from their own domain name, let alone people they actually know. For instance, an attacker could craft an email impersonating your CEO or your IT dept. and asking to open a malicious link or attachment, then send it to some of your users by leveraging this vulnerabilty.
Issue reproduction
using the sendemail script sendemail -s alt3.aspmx.l.google.com:25 -o message-file=mail2.txt -t security+test@mozilla.org -f security@mozilla.org -u "security testing of mail relay by sumon" -vvv
If you will, I can also reproduce the issue at your request, with any "from:" and "to:" addresses that you like.
Trace output
As this trace shows, I was able to send an email from security@mozilla.org to security+test@mozilla.org
, without authentication.

Code 1.14 KiBUnwrap lines Copy Download
bugxploit@bugxploit:~$ sendemail -s alt3.aspmx.l.google.com:25 -o message-file=mail2.txt -t security+test@mozilla.org -f security@mozilla.org -u "security testing of mail relay by sumon" -vvv
Apr 26 18:43:00 bugxploit sendemail[29614]: DEBUG => Connecting to alt3.aspmx.l.google.com:25
Apr 26 18:43:00 bugxploit sendemail[29614]: DEBUG => My IP address is: 192.168.0.10
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 mx.google.com ESMTP k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 18:43:02 bugxploit sendemail[29614]: SUCCESS => Received: 220 mx.google.com ESMTP k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:02 bugxploit sendemail[29614]: INFO => Sending: EHLO bugxploit
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-
ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:02 bugxploit sendemail[29614]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250 SMTPUTF8
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => The remote SMTP server supports TLS :)
Apr 26 18:43:02 bugxploit sendemail[29614]: DEBUG => Starting TLS
Apr 26 18:43:02 bugxploit sendemail[29614]: INFO => Sending: STARTTLS
Apr 26 18:43:03 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 2.0.0 Ready to start TLS
Apr 26 18:43:03 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Apr 26 18:43:03 bugxploit sendemail[29614]: SUCCESS => Received: 220 2.0.0 Ready to start TLS
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => TLS: Using cipher: TLS_AES_256_GCM_SHA384
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => TLS session initialized :)
Apr 26 18:43:04 bugxploit sendemail[29614]: INFO => Sending: EHLO bugxploit
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUS
CODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 18:43:04 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:04 bugxploit sendemail[29614]: SUCCESS => Received: 250-mx.google.com at your service, [103.77.45.228], 250-SIZE 157286400, 250-8BITMIME, 250-ENHANCEDSTATUSCODES, 250-PIPELINING, 250-CHUNKING, 250 SMTPUTF8
Apr 26 18:43:04 bugxploit sendemail[29614]: INFO => Sending: MAIL FROM:<security@mozilla.org>
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.0 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.1.0 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending: RCPT TO:<security+test@mozilla.org>
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.1.5 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.1.5 OK k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending: DATA
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 354 Go ahead k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 354
Apr 26 18:43:05 bugxploit sendemail[29614]: SUCCESS => Received: 354 Go ahead k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:05 bugxploit sendemail[29614]: INFO => Sending message body
Apr 26 18:43:05 bugxploit sendemail[29614]: Setting content-type: text/plain
Apr 26 18:43:06 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250 2.0.0 OK 1714137186 k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:06 bugxploit sendemail[29614]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Apr 26 18:43:06 bugxploit sendemail[29614]: SUCCESS => Received: 250 2.0.0 OK 1714137186 k2-20020a056870148200b002391f94c18bsi6963453oab.11 - gsmtp
Apr 26 18:43:06 bugxploit sendemail[29614]: Generating a detailed exit message
Apr 26 18:43:06 bugxploit sendemail[29614]: Email was sent successfully! From: <security@mozilla.org> To: <security+test@mozilla.org> Subject: [security testing of mail relay by sumon] Server: [alt3.aspmx.l.google.com:25]

Recommendation
Authentication shall be requested for incoming emails from internal @mozilla.org email addresses, especially when they come from untrusted networks such as Internet.

also make sure ut not for spf record because your spf record are working fine
check your spf record : https://mxtoolbox.com/SuperTool.aspx?action=spf%3amozilla.org&run=toolpage

Status: UNCONFIRMED → RESOLVED
Closed: 10 months ago
Duplicate of bug: 1893681
Resolution: --- → DUPLICATE
Group: websites-security
Duplicate of bug: 1217545
No longer duplicate of bug: 1893681
Flags: sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: