It's possible to forge headers in certain circumstances. It's not easy. And this is the first time this has happened.
It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like [email protected] or [email protected]. They don't even send a confirmation email that you have to approve before stuff is posted?
Headers are manually created whenever programmatically sending email messages
To clarify this a little, in case anyone isn't familiar, to send an email message programmatically, you basically just send a string with some headers and body content to the email server. Here are what the headers look like:
Date: Sat, 13 Jun 2009 06:53:06 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200906131053.n5DAr2Nv025105@jclinux>
To: <root@jclinux>
To change the sender, all you'd need to do is change the from line. For example:
Usually, Posterous catches this stuff and sends an email asking you to confirm that you really are you. They analyze the headers more closely than just looking at the name. For some reason, this didn't work in this case.
Headers are name/value pairs, a typical email will have 20 of those. It's possible to copy them if you have received an email from the blog owner or maybe from a mailing list post.
Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
Is it possible to publish the algorithms and technique you are using to prevent spoofing.
It would really be a big help to us as well as every body else.
This is definitely happening in the wild, as well. A friend of mine had some spam advertising a mobile phone site posted to her Posterous, which fed into her Facebook feed, etc..
Sure active users will notice spam posts but what about the long tail of customers who no longer update their Posterous blog? What happens when a 'creative' link marketer finds a way to index those sites and inject posts?
While we're talking about Posterous, does anyone know why it adds a random number to the end of article URLs, as in http://blog.dustincurtis.com/apparently-765 ? I know it's not a big deal, but I find that aesthetically unpleasing, as it kind of ruins an otherwise beautiful URL.
Google's crawler (especially the blog and news ones) requires a three digit or larger number in the url. That is why you should keep a year/date in a url.
Update: Not sure why I got downvoted, but here is the reference from Google News:
It is a namespace thing. I am pretty sure. When I use a title for my posterous posts that no one ever used before, the permalink is just the title. When I for example post something titled generally like "photo" it becomes "photo-73864"
Why not let users use email certificates if they want? That's what I've got going on in Tgethr. Let users decide if extra trouble of setting up an email cert is worth it (it's not that bad), and now all of a sudden you have spam proof email discussion lists. We just check the message signature to make sure yep your message is signed as [email protected] or whatever and we'll accept the message.
What I'm surprised is why posterous doesn't do more check on all the headers sent by the email software (X-Mailer, and so on) and ask for a confirmation if those other headers are different enough from a known correct configuration...
Of course someone who received an email from the blog owner could use that to fake all those headers but at least it would prevent people posting by simply guessing the email address.
Of course, not using such full blown solutions will mean that posterous' heuristics techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.
On the other hand, looking for solutions that are resilient to more sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it involves provable security models, such as http://www.google.com/#hl=en&q=provable+security+signatu... ). There are even variations on IBE, such as certificateless, which require you to trust even less people.
This is of course, assuming you are not willing to inconvenience users by making them reply a email you send them after they tried to poste. Such email would contain a custom made url (the secret) that would enable the post to actually be posted. On the other hand, this solution feels more inconvenient than using OAuth methods.
Nonetheless, not all users care about security/privacy (those that do, will always have the usual login scheme). If you chose to go other way, good luck to you. After all, people still use MD5 for security applications nowadays.
1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.
2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to posterous from the hash address. Your email address becomes your password.
You should be able to PGP sign your emails to confirm that they're good. If an unsigned email suddenly appears, a confirmation email should be sent back to the sender address before it is posted.
Twitter had similar issue in their Text -> Tweet system. People were using softwares to send Text messages and using anybody's phone number as they want. They fixed it by using 4 digit pin and I think Posterous should do the same.
"You can set a password on your Posterous site so only the readers you want can see it. To see your site, a user must go to your site url and also enter the correct password for your site."
Posterous really does fail here. I can see why they would want to tolerate a little of this to preserve ease of use for their users (just like Amazon with their Kindle email address). However, there are a number of steps that Posterous can take to combat forged headers in ways that should not impact users at all. Enabling SPF, for example, would be a good start.
Technically, it's the same problem as email spam, and most of the same tools can be used to combat it. Posterous should flag posts that they aren't sure of and make users confirm them before putting them up, etc.
EDIT:
The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.
> The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.
Multiply (http://multiply.com) does something similar. You set your post-by-email id. And, then email your posts to the [email protected]. You decide how complicated or easy you want your post-by-email-id to be.
As someone said, this is not 100% secure as the email address is sent as clear text as it passes through mail servers, but it's more difficult for someone to guess it.
They do perform additional checks on the message sent to make sure it came from you, perhaps similar to those that Posterous does.
[+] [-] jcnnghm|16 years ago|reply
It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like [email protected] or [email protected]. They don't even send a confirmation email that you have to approve before stuff is posted?
[+] [-] jcnnghm|16 years ago|reply
To clarify this a little, in case anyone isn't familiar, to send an email message programmatically, you basically just send a string with some headers and body content to the email server. Here are what the headers look like:
To change the sender, all you'd need to do is change the from line. For example: A default sendmail implementation will deliver that message all day. Email headers should never be used for authentication.[+] [-] edanm|16 years ago|reply
[+] [-] dcurtis|16 years ago|reply
Usually, Posterous catches this stuff and sends an email asking you to confirm that you really are you. They analyze the headers more closely than just looking at the name. For some reason, this didn't work in this case.
[+] [-] borisk|16 years ago|reply
[+] [-] kwyjibo|16 years ago|reply
[+] [-] ergo98|16 years ago|reply
[+] [-] a4agarwal|16 years ago|reply
Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
[+] [-] uhspot|15 years ago|reply
Is it possible to publish the algorithms and technique you are using to prevent spoofing. It would really be a big help to us as well as every body else.
Thanks,
Al
[+] [-] robinduckett|16 years ago|reply
I realise Posterous requires you to "confirm" the post, I just wanted to see if you had defaulted that requirement to off.
[+] [-] vinhboy|16 years ago|reply
[+] [-] apphacker|16 years ago|reply
[+] [-] michael_dorfman|16 years ago|reply
[+] [-] xinsight|16 years ago|reply
[+] [-] robinduckett|16 years ago|reply
One quick whois lookup, and I found the email he was likely sending from. His site has another email listed, so I did a little digging.
[+] [-] ddrager|16 years ago|reply
[+] [-] travisp|16 years ago|reply
[+] [-] rantfoil|16 years ago|reply
[+] [-] josefresco|16 years ago|reply
[+] [-] pg|16 years ago|reply
[+] [-] codeflo|16 years ago|reply
[+] [-] snewe|16 years ago|reply
Update: Not sure why I got downvoted, but here is the reference from Google News:
http://www.google.com/support/news_pub/bin/answer.py?hl=en&#...
[+] [-] mitchellhislop|16 years ago|reply
[+] [-] jrnkntl|16 years ago|reply
[+] [-] nate|16 years ago|reply
[+] [-] gommm|16 years ago|reply
Of course someone who received an email from the blog owner could use that to fake all those headers but at least it would prevent people posting by simply guessing the email address.
[+] [-] rantfoil|16 years ago|reply
[+] [-] DanielRibeiro|16 years ago|reply
Of course, not using such full blown solutions will mean that posterous' heuristics techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.
On the other hand, looking for solutions that are resilient to more sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it involves provable security models, such as http://www.google.com/#hl=en&q=provable+security+signatu... ). There are even variations on IBE, such as certificateless, which require you to trust even less people.
This is of course, assuming you are not willing to inconvenience users by making them reply a email you send them after they tried to poste. Such email would contain a custom made url (the secret) that would enable the post to actually be posted. On the other hand, this solution feels more inconvenient than using OAuth methods.
Nonetheless, not all users care about security/privacy (those that do, will always have the usual login scheme). If you chose to go other way, good luck to you. After all, people still use MD5 for security applications nowadays.
[+] [-] Terretta|16 years ago|reply
1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.
2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to posterous from the hash address. Your email address becomes your password.
[+] [-] graywh|16 years ago|reply
[+] [-] nailer|16 years ago|reply
Sounds somewhat mislabelled then.
[+] [-] mike-cardwell|16 years ago|reply
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] ashishbharthi|16 years ago|reply
[+] [-] borisk|16 years ago|reply
[+] [-] Terretta|16 years ago|reply
http://posterous.com/help/private_sites
"You can set a password on your Posterous site so only the readers you want can see it. To see your site, a user must go to your site url and also enter the correct password for your site."
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] d0m|16 years ago|reply
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] tman|16 years ago|reply
Technically, it's the same problem as email spam, and most of the same tools can be used to combat it. Posterous should flag posts that they aren't sure of and make users confirm them before putting them up, etc.
EDIT:
The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.
[+] [-] prakashk|16 years ago|reply
Multiply (http://multiply.com) does something similar. You set your post-by-email id. And, then email your posts to the [email protected]. You decide how complicated or easy you want your post-by-email-id to be.
As someone said, this is not 100% secure as the email address is sent as clear text as it passes through mail servers, but it's more difficult for someone to guess it.
They do perform additional checks on the message sent to make sure it came from you, perhaps similar to those that Posterous does.
[+] [-] axod|16 years ago|reply
You'd still be sending your password in the clear, possibly through other peoples mail servers. Not great security.