Full Disclosure mailing list archives

McAfee Spamkiller 5 spam filter bypass
From: "Gregh" <chows () ozemail com au>
Date: Fri, 16 Jul 2004 14:23:12 +1000

This one was reported to McAfee a short time ago, this day. They don't see it as
a bug, however.

Enter a valid name into your FRIENDS list. Say "John" (john () this site com)
is the entry. Now put an entry in ACCEPTING email from any email address
where the received line has a certain phrase in it. E.g., you may wish to put
"Netsys" for example. Now, any email that comes in with the name "John" so
long as it has "Netsys" in received will be accepted not because of the
presence of "Netsys" but will be received and accepted by Spamkiller 5 and
marked as having come from john () this site com even when the John in question
will be a totally different From address.

So what does this mean?

If spammers can figure out a way to insert the letter "a" into your accepted
rules and keep on sending FROM names (not from ADDRESSES) using the same
name as one already in your friends list, you can bypass Spamkiller's other
entries entirely, thus making it totally useless. Now as most Western
hemisphere people know a person called "John" or "Joan" and as most people
don't supply surnames with their first name in email, all it is going to
take for Spamkiller to be bypassed is for spammers to figure out how to
insert a rule into Spamkiller 5 accepting any email that has a RECEIVED line
with the letter "a" in it and make sure that they have a spoofed RECEIVED
with that letter in it.

So please tell me - if anyone knows - why the HELL pay for Spamkiller when
it is so easy to bypass? Damned if I know why I did, now!


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
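
Added example, not part of the original post and not McAfee's code: a small Python model of the behaviour the post describes, contrasting attribution by From display name with attribution by From address. The `classify` function, the addresses and the sample messages are constructed assumptions; the product's real logic is not shown on the page.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration mirroring the post: one friend, one accept rule.
FRIENDS = {"john@friend.example": "John"}      # address -> display name
ACCEPT_RECEIVED_PHRASES = ["Netsys"]

def received_rule_hits(msg):
    """True if any Received header contains a configured phrase."""
    received = " ".join(msg.get_all("Received", [])).lower()
    return any(p.lower() in received for p in ACCEPT_RECEIVED_PHRASES)

def classify(msg, match_display_name):
    """Return (verdict, reason, attributed_to) for one message.

    match_display_name=True models the reported behaviour (an assumption about
    the product); False attributes mail only by the From address.
    """
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr in FRIENDS:
        return ("accept", "friend", addr)
    if received_rule_hits(msg):
        if match_display_name:
            for f_addr, f_name in FRIENDS.items():
                if name.strip().lower() == f_name.lower():
                    return ("accept", "friend", f_addr)   # misattributed
        return ("accept", "received-rule", addr)
    return ("filter", "no-match", addr)

def make(from_hdr, received):
    """Build a constructed sample message."""
    return message_from_string(
        f"Received: {received}\nFrom: {from_hdr}\nSubject: hi\n\nbody\n")

SPOOFED = make('"John" <bulk@other.example>', "from relay.netsys.example by mx.local")
GENUINE = make("John <john@friend.example>", "from mail.friend.example by mx.local")
NO_PHRASE = make('"John" <bulk@other.example>', "from relay.other.example by mx.local")

if __name__ == "__main__":
    for label, m in [("spoofed", SPOOFED), ("genuine", GENUINE), ("no phrase", NO_PHRASE)]:
        print(label, classify(m, True), classify(m, False))
```

With address-only attribution the spoofed message is still accepted, but the verdict names the broad Received rule and the real sender address, so the over-permissive rule is visible instead of hidden behind a friend's name.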
