Friday, December 8, 2017

Mailsploit

Sabri Haddouche:

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

Bugs were found in over 30 applications, including prominent ones like Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.

Via Benny Kjær Nielsen:

In short, it tricks some email clients into finding the wrong email address within an email address header like “From”. The email client would then display the wrong sender. The definition of “wrong” here is based on RFC5322.

It is important to understand that spoofing a “From” header has always been easy and, in my opinion, it is still easy.

[…]

In the most recent test release of MailMate I’ve added the following improvement: Whenever the name part of an address header contains a @ then it’s replaced with a skull (💀). That should at least make the user aware of simple attempts to spoof an address header.

SpamSieve 2.9.29 is vulnerable to the spoofing problem, which could manifest as a whitelist rule matching a message that was not actually “from” that address. This is fixed in the public beta.

EagleFiler 1.8.1 is not affected by the spoofing.

Neither is affected by the code injection attacks.

Null characters can cause all sorts of problems outside of e-mail. For example, testing my fix for this bug crashed Xcode’s SourceKitService.
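As an added example (not code from MailMate, SpamSieve, or the Mailsploit author), here is one way to check a “From” header defensively in Python: decode the name part, flag an `@` or control characters such as NUL in it, and match whitelists only against the parsed address. The skull substitution is modelled on the MailMate behaviour quoted above. The sample headers, the function names, and the choice to refuse whitelisting for flagged headers are assumptions made for illustration.

```python
import base64
from email.header import decode_header
from email.utils import parseaddr

def decode_display_name(raw):
    """Decode RFC 2047 encoded-words in the display-name part to text."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)

def inspect_from(value):
    """Return (addr_spec, display_text, findings) for one From header value."""
    raw_name, addr_spec = parseaddr(value)
    name = decode_display_name(raw_name)
    findings = []
    if "@" in name:
        findings.append("display name contains @")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        findings.append("display name contains control character")
    # Text to show the user: drop control characters, mark "@" with a skull.
    shown = "".join(c for c in name if ord(c) >= 32 and ord(c) != 127)
    shown = shown.replace("@", "\N{SKULL}")
    return addr_spec, shown, findings

def whitelisted(value, whitelist):
    """Match a whitelist on the parsed addr-spec only, never the name part.
    Assumption: a header with findings is never whitelisted."""
    addr_spec, _, findings = inspect_from(value)
    return addr_spec in whitelist and not findings

# Constructed sample headers (all domains are reserved .example names).
_enc = base64.b64encode(b"ceo@corp.example\x00").decode("ascii")
SAMPLES = [
    'Alice Example <alice@corp.example>',
    '"ceo@corp.example" <billing@vendor.example>',
    f"=?utf-8?b?{_enc}?= <billing@vendor.example>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_from(sample))
```
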

Update (2017-12-08): Here’s the Thunderbird tracking bug.
