Probable Cache Poisoning of Mail-Handling Domains - heidibrayer
http://www.cert.org/blogs/certcc/post.cfm?EntryID=206

======
ChuckMcM
Presumably the point here would be to either intercept the messages in flight
or change content. Of course the receiving mail handler will get the HELO
message from this weird inter-modal relay. One wonders if there is a need to
keep a list of validated relays. As the attack is not continuous, it should be
possible to track final received-from headers in the messages to identify
periods where the system was potentially misbehaving.

It is also possible that people do maintenance on servers and move the MX
record around to keep traffic off the server while they are working on it.
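
The audit proposed above, as an added example that is not part of the original thread: parse the topmost Received: header of each message (the one the receiving MX writes, which names the host that actually connected to it), flag hops that did not come from the sending organisation's known outbound relays, and cluster the flagged messages into time windows. The relay names, IPs, the Received: header layout and the sample messages are all constructed for illustration; the regex assumes a Postfix-style "from <helo> (<rdns> [<ip>])" clause and would need adjusting for other MTAs.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed assumption: the sending organisation's legitimate outbound relays.
KNOWN_SENDER_RELAYS = {"out1.sender.example", "out2.sender.example"}

# Matches the "from <helo> (<reverse-dns> [<ip>])" clause a Postfix-style MX writes.
# Assumption: adjust this to the receiving MTA's actual Received: syntax.
FROM_CLAUSE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)", re.I)


def last_hop(raw_message):
    """Return (helo, rdns, ip, timestamp) from the topmost Received: header.

    Received: headers are prepended, so the first one is the hop written by our
    own MX and names the host that connected to us, not who that host claims
    to be relaying for.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    m = FROM_CLAUSE.search(top)
    if not m:
        return None
    # The timestamp follows the last ';' in a Received: header (RFC 5321 section 4.4).
    ts = parsedate_to_datetime(top.rsplit(";", 1)[1].strip())
    return m.group("helo"), m.group("rdns"), m.group("ip"), ts


def audit(messages, known_relays=KNOWN_SENDER_RELAYS):
    """Flag messages whose last hop is not one of the sender's known relays.

    Returns a sorted list of (timestamp, rdns, ip) for suspicious hops.
    """
    suspicious = []
    for raw in messages:
        hop = last_hop(raw)
        if hop is None:
            continue
        _helo, rdns, ip, ts = hop
        if rdns not in known_relays:
            suspicious.append((ts, rdns, ip))
    return sorted(suspicious)


def suspicious_windows(suspicious, gap_seconds=3600):
    """Cluster suspicious hops into (start, end) windows.

    A new window starts whenever two flagged hops are more than gap_seconds apart,
    which gives the "periods where the system was misbehaving" to investigate.
    """
    windows = []
    for ts, _rdns, _ip in suspicious:
        if windows and (ts - windows[-1][1]).total_seconds() <= gap_seconds:
            windows[-1] = (windows[-1][0], ts)
        else:
            windows.append((ts, ts))
    return windows


def make_message(rdns, ip, date):
    """Constructed sample message; the top Received: header is the one our MX writes."""
    return (
        f"Received: from {rdns} ({rdns} [{ip}])\n"
        f"\tby mx1.example.net with ESMTP id 4F2C1; {date}\n"
        "Received: from mail.sender.example (mail.sender.example [192.0.2.2])\n"
        "\tby out1.sender.example with ESMTP; Mon, 15 Sep 2014 09:58:00 +0000\n"
        "From: alice@sender.example\nTo: bob@example.net\nSubject: test\n\nbody\n"
    )


# Constructed sample: two direct deliveries and two that arrived via an unexpected relay.
SAMPLE_MESSAGES = [
    make_message("out1.sender.example", "192.0.2.10", "Mon, 15 Sep 2014 10:00:00 +0000"),
    make_message("unknown-relay.example.org", "198.51.100.7", "Mon, 15 Sep 2014 11:00:00 +0000"),
    make_message("unknown-relay.example.org", "198.51.100.7", "Mon, 15 Sep 2014 11:30:00 +0000"),
    make_message("out2.sender.example", "192.0.2.11", "Mon, 15 Sep 2014 14:00:00 +0000"),
]

if __name__ == "__main__":
    flagged = audit(SAMPLE_MESSAGES)
    for ts, rdns, ip in flagged:
        print(f"{ts.isoformat()} unexpected last hop {rdns} [{ip}]")
    for start, end in suspicious_windows(flagged):
        print(f"suspicious window {start.isoformat()} .. {end.isoformat()}")
```

Running this over the constructed sample flags the two 11:00 and 11:30 messages and reports a single suspicious window covering them. Against a real mail store the same logic would be run per sending domain, with the known-relay set taken from that domain's published MX or SPF data rather than hard-coded.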

~~~
dvanduzer
oh my god

cf.
[http://markmail.org/message/ogk6p5jv33d5oyvb](http://markmail.org/message/ogk6p5jv33d5oyvb)

~~~
jacquesm
That's pretty prescient.

~~~
dvanduzer
thanks

------
danyork
The good news is that we're seeing an increased deployment of DNSSEC-
validating DNS resolvers - now about 12% of all DNS queries per APNIC stats -
[http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g...](http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0)

Now we just need to get more domains signed so that MX records can be
validated by those resolvers and these kinds of redirections can be mitigated.

~~~
danyork
The step to go beyond that, of course, would be to use DANE with the SMTP
connections so that the entire mail exchange could happen over TLS and using
certs that have been validated via DNSSEC/DANE. But first step is to get the
MX records signed and to have DNS resolvers validating that fact.
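
The DANE check described in the comment above, as an added example that is not part of the original thread and not code from any MTA: parse TLSA records in their presentation format (RFC 6698), and accept a presented certificate only when a DNSSEC-secure DANE-EE (usage 3) record matches its certificate or SubjectPublicKeyInfo digest. The certificate and SPKI bytes are constructed placeholders rather than real DER, the `dnssec_secure` flag stands in for the resolver's AD bit, and only usage 3 is handled; usage 2 (DANE-TA) needs chain building and is left out.

```python
import hashlib
import hmac

# TLSA field meanings (RFC 6698): usage, selector, matching type, association data.
# For SMTP (RFC 7672) only usages 2 (DANE-TA) and 3 (DANE-EE) are used; the PKIX
# usages 0 and 1 are ignored because SMTP has no trusted CA set to evaluate them against.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def parse_tlsa(presentation):
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>', into a tuple.

    The hex field may be split across whitespace in zone files, so the parts
    are joined before decoding.
    """
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(record, cert_der, spki_der):
    """Return True if one TLSA record matches the presented certificate.

    cert_der / spki_der are the DER encodings of the end-entity certificate and
    its SubjectPublicKeyInfo (constructed placeholders in the sample below).
    Unknown selectors or matching types make the record unusable (RFC 7671).
    """
    _usage, selector, mtype, data = record
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        return False
    if mtype == MATCH_EXACT:
        digest = subject
    elif mtype == MATCH_SHA256:
        digest = hashlib.sha256(subject).digest()
    elif mtype == MATCH_SHA512:
        digest = hashlib.sha512(subject).digest()
    else:
        return False
    return hmac.compare_digest(digest, data)


def dane_ee_verified(tlsa_records, cert_der, spki_der, dnssec_secure):
    """Accept the peer if a DNSSEC-secure DANE-EE TLSA record matches it.

    dnssec_secure is what a validating resolver reports (the AD bit): TLSA data
    that did not validate must be treated as absent, otherwise a spoofed TLSA
    record would simply pin the attacker's own certificate.
    """
    if not dnssec_secure:
        return False
    usable = [r for r in tlsa_records if r[0] == USAGE_DANE_EE]
    return any(tlsa_matches(r, cert_der, spki_der) for r in usable)


# Constructed placeholders standing in for the DER-encoded certificate and SPKI.
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info-der-bytes"

# Constructed TLSA records as they would appear at _25._tcp.<mx-host>.
GOOD_TLSA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()          # DANE-EE, SPKI, SHA-256
GOOD_TLSA_512 = "3 0 2 " + hashlib.sha512(CERT_DER).hexdigest()      # DANE-EE, full cert, SHA-512
STALE_TLSA = "3 1 1 " + "00" * 32                                     # pins a key no longer in use

if __name__ == "__main__":
    records = [parse_tlsa(STALE_TLSA), parse_tlsa(GOOD_TLSA)]
    print("validated:", dane_ee_verified(records, CERT_DER, SPKI_DER, dnssec_secure=True))
    print("unsigned zone:", dane_ee_verified(records, CERT_DER, SPKI_DER, dnssec_secure=False))
```

In a real MTA the `cert_der` and `spki_der` inputs come from the certificate the peer presents during STARTTLS, and `dnssec_secure` from the resolver's validation result for both the MX lookup and the TLSA lookup; if either is not secure, the connection falls back to opportunistic TLS with no authentication, which is exactly the gap the comment describes.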

------
Panino
DNSCurve + MinimaLT would completely stop these attacks. Based on public
statements and hackathon reports I think MinimaLT will be released this
semester (development is coordinated from rites.uic.edu).

[http://www.ethos-os.org/~solworth/minimalt-20131031.pdf](http://www.ethos-os.org/~solworth/minimalt-20131031.pdf)

~~~
fanf2
DNSSEC would completely stop these attacks, and it has actually been deployed
unlike DNScurve or MinimaLT.

~~~
Panino
Less than 1% of domains under .com are DNSSEC-signed, and many of them are
long-term failing. At this point, 20 years after work began on DNSSEC, it's
time to move on.

~~~
danyork
Meanwhile, 85% of .GOV domains are DNSSEC-signed as are 34% of .NL domains and
18% of .BR. The improved security of DNS via DNSSEC _is_ happening... it's
just unevenly distributed.

~~~
Panino
_85% of .GOV domains are DNSSEC-signed_

Which is funny because the US Congress passed a law mandating DNSSEC for .gov
domains. Not to mention the many outages, plus non-deployments, where domains
CNAME to a non-DNSSEC CDN.

_34% of .NL domains_

That's because it's common for .nl domain owners to essentially be paid to run
DNSSEC. That's how bad it is.

I note that you don't run DNSSEC yourself.

[http://dnsviz.net/d/danyork.com/dnssec/](http://dnsviz.net/d/danyork.com/dnssec/)

~~~
danyork
> I note that you don't run DNSSEC yourself.

Actually, I _do_ run DNSSEC on most of my domains, but for that particular
one, danyork.com, I unfortunately lost DNSSEC support when I needed to switch
the name servers to CloudFlare to be able to essentially have a CNAME at the
apex (using what CloudFlare calls their "flattening" service).

Longer story... but the good news (for me) is that CloudFlare has publicly
said they will be providing DNSSEC signing for their CDN by the end of 2014...
so in theory I should be back to having that domain signed within the next few
months.

FYI, CloudFlare's slides from the ICANN presentation where they talked about
this are at: [http://t.co/34sAH1FVLB](http://t.co/34sAH1FVLB)

------
mnw21cam
The article expresses surprise that traffic is diverted to IP addresses in
Google's IP block. Could nefarious types be using BGP to temporarily take over
a small block of IP addresses here, as described in
[https://news.ycombinator.com/item?id=8263391](https://news.ycombinator.com/item?id=8263391)
?

------
jacquesm
Malware on routers in between?

------
kldavis4
Could this be NSA snooping?

~~~
jauer
I'd bet criminal. If you have physical access to pipes, why bother with
something this obvious?

~~~
psykovsky
Why not (other) researchers doing some (other) study on the effectiveness of
such obvious attacks? You know, active study, instead of passive.

~~~
Zikes
If some researchers were trying to intercept my emails as a part of some
active study, I would still consider it to be a criminal activity.

~~~
brlewis
If the NSA were trying to intercept my emails without a warrant, I would still
consider it to be a criminal activity.

~~~
spacefight
Warrants? They have plenty of NSLs and even executive orders at hand.

~~~
brlewis
"By law, NSLs can request only non-content information, for example,
transactional records and phone numbers dialed." -
[http://en.wikipedia.org/wiki/National_security_letter](http://en.wikipedia.org/wiki/National_security_letter)

Executive orders are also subject to law. An executive order would not have
made Nixon's wiretaps legal, for example.

