
You don’t need a password. Posterous fail.  - prabodh
http://blog.dustincurtis.com/apparently-765
======
jcnnghm
_It's possible to forge headers in certain circumstances. It's not easy. And
this is the first time this has happened._

It's ridiculously easy to forge email headers. Headers are manually created
whenever programmatically sending email messages. That's how messages can be
sent from addresses that don't exist, like devnull@example.com or
noreply@yourdomain.com. They don't even send a confirmation email that you
have to approve before stuff is posted?

~~~
jcnnghm
_Headers are manually created whenever programmatically sending email
messages_

To clarify this a little, in case anyone isn't familiar, to send an email
message programmatically, you basically just send a string with some headers
and body content to the email server. Here are what the headers look like:

    Date: Sat, 13 Jun 2009 06:53:06 -0400
    From: Mail Delivery Subsystem <MAILER-DAEMON>
    Message-Id: <200906131053.n5DAr2Nv025105@jclinux>
    To: <root@jclinux>

To change the sender, all you'd need to do is change the From: line. For
example:

    From: Steve Jobs <sjobs@apple.com>

A default sendmail implementation will deliver that message all day. Email
headers should never be used for authentication.

~~~
adamsmith
But most major domains use domain keys / DKIM.

<http://en.wikipedia.org/wiki/DKIM>

As far as I understand it, you can't fake being an SMTP server sending mail
from such a domain because their emails get signed with a private key whose
matching public key is published by DNS.

~~~
geocar
There are several ways to defeat DKIM here:

• If you can break DNS, you can get an NXDOMAIN reply, making recipients think
there aren't any domainkeys

• If the domainkey private key is small, you can factor it. There's an article
on HN's frontpage right now about this.

• If the server uses domainkeys, but it doesn't specifically verify the From:
header, an attacker can still forge a message if they share a popular mail
provider with their target. I don't know if this is still practical.

• Stupidity. DKIM is difficult to test, and as a security measure it would
need to be tested.

An auto-response confirmation would be immune to all of these attacks and would
be trivial to implement correctly.

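Added example, not from the thread: a toy model of DKIM signing and verification that walks through the bypasses geocar lists. It uses textbook RSA over a deliberately tiny modulus (constructed 31- and 32-bit primes) so that "factor the key" runs in milliseconds; real DKIM is RSA-SHA256 with 1024/2048-bit keys and RFC 6376 canonicalisation, none of which this reproduces. The DNS table, domains and the `attacker.example` key are all assumptions made for the demo.

```python
"""Added toy model of DKIM signing/verification and the bypasses geocar lists.
Textbook RSA over a deliberately tiny modulus: NOT real DKIM, which uses
RSA-SHA256 with 1024/2048-bit keys and RFC 6376 canonicalisation."""
import hashlib
import math
import random

SIGNED_HEADERS = ("from", "subject")        # the h= tag: headers the signature covers


def toy_keypair(p=2147483647, q=4294967291):
    """Constructed primes (2**31-1, 2**32-5): a 63-bit modulus, hopeless in practice."""
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _canon(headers, tags):
    """Relaxed-style canonicalisation of the signed headers, followed by the
    DKIM-Signature header itself with an empty b= value."""
    lines = [f"{h}:{' '.join(headers[h].split())}\r\n" for h in SIGNED_HEADERS]
    lines.append(f"dkim-signature:v=1;d={tags['d']};s={tags['s']};bh={tags['bh']};b=\r\n")
    return "".join(lines).encode()


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def dkim_sign(headers, body, domain, selector, priv):
    n, d = priv
    tags = {"d": domain, "s": selector, "bh": hashlib.sha256(body.encode()).hexdigest()}
    tags["b"] = pow(_digest(_canon(headers, tags), n), d, n)
    return tags


def dkim_verify(headers, body, sig, dns):
    """dns maps '<selector>._domainkey.<domain>' to a public key (n, e).
    Returns 'none', 'fail', 'pass' or 'pass-unaligned'."""
    pub = dns.get(f"{sig['s']}._domainkey.{sig['d']}")
    if pub is None:
        return "none"   # an NXDOMAIN looks exactly like "this domain never signs"
    n, e = pub
    if hashlib.sha256(body.encode()).hexdigest() != sig["bh"]:
        return "fail"
    if pow(sig["b"], e, n) != _digest(_canon(headers, sig), n):
        return "fail"
    # A valid signature proves only that d= signed it. Whether d= is the From:
    # domain is a separate check (DMARC alignment) that naive verifiers skip.
    from_domain = headers["from"].rstrip(">").rsplit("@", 1)[1].lower()
    return "pass" if from_domain == sig["d"] else "pass-unaligned"


def pollard_rho(n, rng=random.Random(2009)):
    """Nontrivial factor of composite n in about sqrt(p) steps for its smaller prime p."""
    if n % 2 == 0:
        return 2
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, g = x, 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g


def recover_private_key(pub):
    """geocar's second point: a small modulus gives up its private exponent."""
    n, e = pub
    p = pollard_rho(n)
    return (n, pow(e, -1, (p - 1) * (n // p - 1)))


def attacks():
    pub, priv = toy_keypair()
    dns = {"mail._domainkey.dustincurtis.com": pub}
    hdrs = {"from": "Dustin Curtis <dustin@dustincurtis.com>", "subject": "hi"}
    out = {}
    genuine = dkim_sign(hdrs, "Real post", "dustincurtis.com", "mail", priv)
    out["genuine"] = dkim_verify(hdrs, "Real post", genuine, dns)
    out["tampered"] = dkim_verify(hdrs, "Real post, edited", genuine, dns)
    # 1. The verifier's resolver is fed NXDOMAIN for the key record: nothing to check.
    out["nxdomain"] = dkim_verify(hdrs, "Real post", genuine, {})
    # 2. The modulus is small enough to factor: sign as the victim domain.
    stolen = recover_private_key(pub)
    out["key_recovered"] = stolen == priv
    forged = dkim_sign(hdrs, "Spam spam spam", "dustincurtis.com", "mail", stolen)
    out["factored_key"] = dkim_verify(hdrs, "Spam spam spam", forged, dns)
    # 3. Sign with a key you do control: valid signature, wrong domain.
    att_pub, att_priv = toy_keypair(2147483629, 4294967279)   # constructed primes
    dns["mail._domainkey.attacker.example"] = att_pub
    own = dkim_sign(hdrs, "Spam spam spam", "attacker.example", "mail", att_priv)
    out["unaligned"] = dkim_verify(hdrs, "Spam spam spam", own, dns)
    return out
```

Running `attacks()` gives "pass" for the genuine message and "fail" once the body is edited, which is what DKIM is for; "none" when the key record cannot be fetched, "pass" for a message signed with the factored key, and "pass-unaligned" for a message signed under a domain the attacker controls. The last result is the trap: a verifier that stops at "signature valid" without checking that `d=` matches the From: domain accepts it.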
~~~
apphacker
An auto-response confirmation would make posterous suck.

~~~
geocar
And yet DKIM is insecure for sender authentication.

------
a4agarwal
Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security
hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin
didn't set any up, and there was a specific way that Robin Duckett's email
server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this
was never an issue.

Since our launch on day one, we have taken email spoof detection very
seriously. It's one of our core differentiators: to be able to securely post
to your blog by emailing a single, easy to remember address. We don't want to
do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a
ton of time trying to stay a step ahead of hackers. Fortunately, we've only
had a few very specific, isolated cases where one of our sites was spoofed and
each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead
of the hackers/spoofers, and we thank the Hacker News community for keeping us
on our toes!

~~~
uhspot
Hi,

Is it possible to publish the algorithms and techniques you are using to
prevent spoofing? It would really be a big help to us as well as everybody
else.

Thanks,

Al

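Added example, not from the thread and not Posterous's code: a minimal SPF (RFC 7208) evaluator over a constructed zone table, to show the case the cofounder describes. A sending domain with no SPF record at all gets the result "none", which says nothing either way; the mistake is letting "none" publish a post as though it were "pass". Domains (`bigmail.example`, `duckett.example`) and addresses are constructed test data; the thread's claim that dustincurtis.com had no record is modelled by leaving it out of the table.

```python
"""Added minimal SPF (RFC 7208) evaluator over a constructed zone table. Handles
ip4/ip6/include/all and a redirect= modifier; a/mx/exists need live DNS and are omitted."""
import ipaddress

# Constructed TXT records standing in for DNS. Addresses are RFC 5737/3849 test ranges.
DNS_TXT = {
    "bigmail.example": "v=spf1 redirect=_spf.bigmail.example",
    "_spf.bigmail.example": "v=spf1 include:_netblocks.bigmail.example ~all",
    "_netblocks.bigmail.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "duckett.example": "v=spf1 ip4:203.0.113.10 -all",
    # "dustincurtis.com" deliberately has no record: the case described in the thread.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=DNS_TXT, depth=0):
    """SPF result for a connection from `ip` claiming `domain` as envelope sender."""
    if depth > 10:                       # RFC 7208 lookup limit, roughly
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published: proves nothing either way
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        if term[:4] in ("ip4:", "ip6:"):
            # membership is False across address families, so ip4 never matches an IPv6 client
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if spf_check(ip, term[8:], dns, depth + 1) == "pass":
                return result
        elif term.startswith("redirect="):
            return spf_check(ip, term[9:], dns, depth + 1)
    return "neutral"


def posting_decision(spf_result):
    """What to do with a post-by-email given its SPF result. The trap described
    in the thread is treating 'none' like 'pass'; here only 'pass' publishes."""
    if spf_result == "pass":
        return "publish"
    if spf_result == "fail":
        return "reject"
    return "confirm"     # none / softfail / neutral / permerror: ask the owner first


def handle_post(ip, mail_from):
    """ip is the connecting client's address, mail_from the envelope sender."""
    domain = mail_from.rsplit("@", 1)[1]
    result = spf_check(ip, domain)
    return result, posting_decision(result)
```

Note that the input is the connecting IP and the envelope sender (MAIL FROM), not the From: header; SPF says nothing about the header, which is why a "pass" here still needs the envelope and header domains to agree before it means anything for a posting service.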
------
robinduckett
I did it. Sorry Dustin. It really was me. I changed one field in outlook.

I realise Posterous requires you to "confirm" the post, I just wanted to see
if you had defaulted that requirement to off.

~~~
apphacker
You realize you broke the law and admitted to it.

~~~
mikeryan
Honest question, what law was broken here?

------
michael_dorfman
This is definitely happening in the wild, as well. A friend of mine had some
spam advertising a mobile phone site posted to her Posterous, which fed into
her Facebook feed, etc..

------
xinsight
It _is_ easy.

    $ /usr/sbin/sendmail -f dustin@dustincurtis.com dustin@posterous.com
    Subject: hi

    Spam spam spam
    ^D

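Added example, not from the thread: the SMTP exchange that the `sendmail -f dustin@dustincurtis.com dustin@posterous.com` invocation above produces, modelled in Python against a tiny receiving MTA, to make jcnnghm's point concrete. The envelope sender (MAIL FROM, which is what `-f` sets) and the From: header are both just text the client writes, and nothing in the exchange ties either of them to dustincurtis.com. The server hostname, the HELO name and the message are constructed.

```python
"""Added model of the SMTP exchange behind `sendmail -f <sender> <rcpt>`.
Both the envelope sender (MAIL FROM) and the From: header are plain text chosen
by whoever runs the client; the receiving MTA has nothing to check them against."""
import email
from email import policy
from email.message import EmailMessage


class ToySMTPServer:
    """Minimal receiving MTA: accepts everything, records envelope and message.
    feed() takes one client line (without CRLF) and returns the reply, or None
    while inside DATA."""

    def __init__(self, hostname="mx.posterous.example"):   # constructed hostname
        self.hostname = hostname
        self.received = []              # (mail_from, rcpt_to, raw_message)
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpt_to, self._data, self.in_data = None, [], [], False

    def feed(self, line):
        if self.in_data:
            if line == ".":             # end of DATA
                raw = "\r\n".join(self._data) + "\r\n"
                self.received.append((self.mail_from, list(self.rcpt_to), raw))
                self._reset()
                return "250 OK: queued"
            self._data.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":              # MAIL FROM:<addr>  (envelope sender, sendmail's -f)
            self.mail_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":              # RCPT TO:<addr>
            self.rcpt_to.append(arg.split(":", 1)[1].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def sendmail_session(envelope_sender, rcpt, header_from, subject, body, helo="laptop.example"):
    """Client side: the commands `sendmail -f envelope_sender rcpt` emits for a
    message whose headers come from stdin. Returns (transcript, server)."""
    msg = EmailMessage()
    msg["From"] = header_from           # whatever the sender typed; nobody checks it
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)
    wire = msg.as_string(policy=policy.SMTP)          # CRLF line endings, as on the wire
    data = ["." + l if l.startswith(".") else l for l in wire.split("\r\n")]  # dot-stuffing
    commands = [f"EHLO {helo}", f"MAIL FROM:<{envelope_sender}>", f"RCPT TO:<{rcpt}>",
                "DATA", *data, ".", "QUIT"]
    server = ToySMTPServer()
    transcript = [f"S: 220 {server.hostname} ESMTP"]
    for cmd in commands:
        transcript.append("C: " + cmd)
        reply = server.feed(cmd)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript, server


def what_the_receiver_sees(server):
    """Everything the posting service can look at: all of it chosen by the sender."""
    mail_from, rcpts, raw = server.received[0]
    parsed = email.message_from_string(raw, policy=policy.default)
    return {"envelope_sender": mail_from, "recipient": rcpts[0],
            "header_from": str(parsed["From"]), "subject": str(parsed["Subject"]),
            "body": parsed.get_content().strip()}


if __name__ == "__main__":
    transcript, srv = sendmail_session(
        "dustin@dustincurtis.com", "dustin@posterous.com",
        "Dustin Curtis <dustin@dustincurtis.com>", "hi", "Spam spam spam")
    print("\n".join(transcript))
    print(what_the_receiver_sees(srv))
```

The transcript shows the whole session is client-supplied: `MAIL FROM:<dustin@dustincurtis.com>` is accepted with a bare `250 OK`, and the From: header inside DATA is never compared with anything. The two values do not even have to agree with each other, which is why the sender-address heuristics discussed later in the thread have to look at the connecting IP (SPF) or a signature (DKIM) rather than at either string.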
~~~
travisp
You don't even need to know the command line, you can often do stuff like that
just from Outlook.

~~~
ramchip
You don't even need to know Outlook, you can often do stuff like that just
from the command line. ;)

------
josefresco
Sure active users will notice spam posts but what about the long tail of
customers who no longer update their Posterous blog? What happens when a
'creative' link marketer finds a way to index those sites and inject posts?

~~~
pg
Running a spam filter on posts should work well.

~~~
mikeryan
I'd almost be more concerned with essentially getting DDOS'd with spam traffic
to the posting address.

------
codeflo
While we're talking about Posterous, does anyone know why it adds a random
number to the end of article URLs, as in
<http://blog.dustincurtis.com/apparently-765> ? I know it's not a big deal,
but I find that aesthetically unpleasing, as it kind of ruins an otherwise
beautiful URL.

~~~
snewe
Google's crawler (especially the blog and news ones) requires a three digit or
larger number in the url. That is why you should keep a year/date in a url.

Update: Not sure why I got downvoted, but here is the reference from Google
News:

http://www.google.com/support/news_pub/bin/answer.py?hl=en&#...

~~~
Psyonic
Why do they want this?

------
nate
Why not let users use email certificates if they want? That's what I've got
going on in Tgethr. Let users decide if extra trouble of setting up an email
cert is worth it (it's not that bad), and now all of a sudden you have spam
proof email discussion lists. We just check the message signature to make sure
yep your message is signed as dustincurtis@gmail.com or whatever and we'll
accept the message.

------
gommm
What I'm surprised by is why Posterous doesn't do more checks on all the
headers sent by the email software (X-Mailer, and so on) and ask for a
confirmation if those other headers are different enough from a known correct
configuration...

Of course someone who received an email from the blog owner could use that to
fake all those headers but at least it would prevent people posting by simply
guessing the email address.

~~~
rantfoil
Oh, we do that. This was a specific bug that is now fixed.

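Added example, not from the thread and not what Posterous actually runs: a sketch of the header-fingerprint check gommm suggests. It records the mail client, the Message-ID domain and the order of the non-transport headers from a message known to be the owner's, then asks for confirmation when a new message disagrees. Both messages below are constructed; the "genuine" one imitates a desktop mail client, the "forged" one imitates the Outlook field edit described in the thread.

```python
"""Added sketch of gommm's header-fingerprint check: compare the non-content
headers of an incoming post with the profile of the owner's usual mail client
and ask for confirmation when they disagree. Messages below are constructed."""
import email
from email import policy

VOLATILE = {"received", "return-path", "dkim-signature", "x-originating-ip"}


def fingerprint(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    mailer = (msg.get("X-Mailer") or msg.get("User-Agent") or "").split("(")[0].strip()
    msgid = msg.get("Message-ID") or ""
    return {
        "mailer": mailer,
        "msgid_domain": msgid.rstrip(">").rsplit("@", 1)[-1].lower(),
        "header_order": tuple(k.lower() for k in msg.keys() if k.lower() not in VOLATILE),
    }


def differences(profile, fp):
    """Names of the fingerprint fields that do not match the stored profile."""
    return sorted(k for k in profile if profile[k] != fp[k])


def review(profile, raw):
    """'publish' if the message looks like the owner's client, else 'confirm'.
    gommm's caveat applies: anyone holding a real mail from the owner can copy all of this."""
    return "publish" if not differences(profile, fingerprint(raw)) else "confirm"


GENUINE = """\
Received: from [192.0.2.20] by mx.posterous.example; Sat, 13 Jun 2009 06:53:06 -0400
Message-Id: <5B1C0D3A-1F4F-4F4E-9F8B-000000000001@dustincurtis.com>
From: Dustin Curtis <dustin@dustincurtis.com>
To: dustin@posterous.com
Subject: A real post
Date: Sat, 13 Jun 2009 06:53:06 -0400
X-Mailer: Apple Mail (2.935.3)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0

Written from the usual client.
"""

FORGED = """\
Received: from [203.0.113.10] by mx.posterous.example; Sat, 13 Jun 2009 12:10:00 +0100
From: Dustin Curtis <dustin@dustincurtis.com>
To: <dustin@posterous.com>
Subject: hi
Date: Sat, 13 Jun 2009 12:10:00 +0100
Message-ID: <000001c9ec0b$3f2c1c80$bd845580$@duckett.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Microsoft Office Outlook 12.0

Spam spam spam
"""
```

With the profile taken from `GENUINE`, `review(profile, FORGED)` returns "confirm" because the mailer, the Message-ID domain and the header order all differ. The check is a cheap tripwire against someone who only guessed the posting address, not a substitute for SPF, DKIM or a confirmation round-trip: the same From: line with the owner's real client headers pasted in would pass.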
------
DanielRibeiro
Strange that no one noted that identity-based encryption (IBE, for the
acquainted ones) solves this problem quite easily (more on
<http://www.voltage.com/technology/ibe.htm>). The Boneh and Franklin scheme was
the first proposed one, but nowadays this is not only in crypto papers; there
are even RFCs for such schemes: <http://www.rfc-editor.org/rfc/rfc5409.txt>.
There are even some non-commercial implementations around:
<http://crypto.stanford.edu/ibe/>.

Of course, not using such full-blown solutions will mean that Posterous'
heuristic techniques will be susceptible to all sorts of attacks, such as
man-in-the-middle, relay attacks and so forth.

On the other hand, looking for solutions that are resilient to more
sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it
involves provable security models, such as
[http://www.google.com/#hl=en&q=provable+security+signatu...](http://www.google.com/#hl=en&q=provable+security+signature&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=64f719c8669fe4b7)
). There are even variations on IBE, such as certificateless, which require
you to trust even fewer people.

This is, of course, assuming you are not willing to inconvenience users by
making them reply to an email you send them after they tried to post. Such an
email would contain a custom-made URL (the secret) that would enable the post
to actually be posted. On the other hand, this solution feels more inconvenient
than using OAuth methods.

Nonetheless, not all users care about security/privacy (those that do will
always have the usual login scheme). If you choose to go the other way, good
luck to you. After all, people still use MD5 for security applications nowadays.

------
Terretta
Two solutions:

1. Change from "Contributors can post" to "Anyone can post".
Counterintuitive, but the first is based on email FROM, the second is
moderated.

2. Make a hash as your FROM address. Add it as an alias to send from in Gmail
(or whatever you use). Send to posterous from the hash address. Your email
address becomes your password.

~~~
graywh
To add an additional outgoing address to Gmail, don't you have to verify that
you can receive messages at that account first?

~~~
tkaemming
You could presumably use the plus sign "hack" to make that a bit easier:
<http://gmailblog.blogspot.com/2008/03/2-hidden-ways-to-get-more-from-your.html>

------
mike-cardwell
You should be able to PGP sign your emails to confirm that they're good. If an
unsigned email suddenly appears, a confirmation email should be sent back to
the sender address before it is posted.

------
ashishbharthi
Twitter had a similar issue in their Text -> Tweet system. People were using
software to send text messages using anybody's phone number they wanted. They
fixed it by using a 4-digit PIN and I think Posterous should do the same.

------
borisk
Not so big a deal IMHO. You can always set a pass if spammers start targeting
your blog.

~~~
Terretta
The password is for visiting, not for posting. If you set a password, nobody
can visit your blog w/o the password.

<http://posterous.com/help/private_sites>

"You can set a password on your Posterous site so only the readers you want
can see it. To see your site, a user must go to your site url and also enter
the correct password for your site."

~~~
borisk
Right, my bad. Still there is an option to receive confirmation link for each
post.

------
d0m
Oh my, I feel bad, I started this in the other post's comments.

------
tman
Posterous really does fail here. I can see why they would want to tolerate a
little of this to preserve ease of use for their users (just like Amazon with
their Kindle email address). However, there are a number of steps that
Posterous can take to combat forged headers in ways that should not impact
users at all. Enabling SPF, for example, would be a good start.

Technically, it's the same problem as email spam, and most of the same tools
can be used to combat it. Posterous should flag posts that they aren't sure of
and make users confirm them before putting them up, etc.

EDIT:

The other fix would be to use an email address that can't be guessed from the
blog address. In other words, the email address is the password.

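Added example, not from the thread and not Posterous's code: one way to build the "email address is the password" fix tman describes (and the hashed address Terretta suggests, done on the service side). The posting address carries an HMAC of the blog name under a server-side key, so the server stores only a per-blog version counter, the token cannot be guessed from the blog URL, and the check runs in constant time. The domain `post.posterous.example`, the address layout and the server key are assumptions for the demo.

```python
"""Added sketch of the 'unguessable posting address' fix: the address is the
credential. The token is an HMAC of the blog name under a server-side key, so the
server stores only a per-blog version counter, and the check is constant-time."""
import hashlib
import hmac
import re

POST_DOMAIN = "post.posterous.example"        # assumed domain for posting addresses
TOKEN_BYTES = 12                              # 96 bits: not guessable over SMTP

_ADDR = re.compile(r"^(?P<blog>[a-z0-9-]+)\.v(?P<ver>\d+)\.(?P<token>[0-9a-f]+)@(?P<domain>[^@]+)$")


def posting_address(blog, version, server_key):
    """e.g. dustin.v1.<24 hex chars>@post.posterous.example"""
    mac = hmac.new(server_key, f"{version}:{blog}".encode(), hashlib.sha256).digest()
    return f"{blog}.v{version}.{mac[:TOKEN_BYTES].hex()}@{POST_DOMAIN}"


def resolve_posting_address(rcpt, server_key, current_version):
    """Return the blog the message may post to, or None. Check the envelope
    RCPT TO (what the MTA actually delivered on), not the To: header."""
    m = _ADDR.match(rcpt.strip().lower())
    if not m or m["domain"] != POST_DOMAIN:
        return None
    blog, ver = m["blog"], int(m["ver"])
    if current_version.get(blog) != ver:
        return None                                   # unknown blog or rotated-out address
    expected = posting_address(blog, ver, server_key)
    return blog if hmac.compare_digest(expected, m.group(0)) else None


def rotate(blog, current_version, server_key):
    """axod's objection: the address travels in the clear through other people's
    mail servers, so it must be cheap to replace. Bumping the version does it."""
    current_version[blog] = current_version.get(blog, 0) + 1
    return posting_address(blog, current_version[blog], server_key)
```

The plain `dustin@post.posterous.example` form that could be guessed from the blog URL resolves to nothing, a single changed token character resolves to nothing, and after `rotate()` the old address is dead while the new one works. This does not answer axod's point that the address is sent in the clear; it only makes leaking it cheap to recover from.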
~~~
axod
> "The other fix would be to use an email address that can't be guessed from
> the blog address. In other words, the email address is the password."

You'd still be sending your password in the clear, possibly through other
peoples mail servers. Not great security.

~~~
tman
The perfect is the enemy of the good.

There is a trade-off here between security and usability. 99% security is good
enough for a lot of purposes and has its place.

~~~
infinite8s
Except that's more like 10% or even 1% security.

~~~
tman
Oh really? I don't think you know what you mean.

In point of fact, I just sent myself a very important password in clear text.
Hack me.

~~~
axod
The task for a spammer isn't to hack <USERS> account. It's to hack _ANY_
account.

Being able to hack any posterous account is going to be far far easier than
trying to hack a particular account.

