It's possible to forge headers in certain circumstances. It's not easy. And this is the first time this has happened.
It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like devnull@example.com or noreply@yourdomain.com. They don't even send a confirmation email that you have to approve before stuff is posted?
Headers are manually created whenever programmatically sending email messages
To clarify this a little, in case anyone isn't familiar, to send an email message programmatically, you basically just send a string with some headers and body content to the email server. Here are what the headers look like:
Date: Sat, 13 Jun 2009 06:53:06 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200906131053.n5DAr2Nv025105@jclinux>
To: <root@jclinux>
To change the sender, all you'd need to do is change the from line. For example:
From: Steve Jobs <sjobs@apple.com>
A default sendmail implementation will deliver that message all day. Email headers should never be used for authentication.
That was my point. When I read in his article that he wasn't requiring a password to post, I thought I'd see if he was telling the truth, turns out he was.
As far as I understand it, you can't fake being an SMTP server sending mail from such a domain because their emails get signed with a private key whose matching public key is published by DNS.
• If you can break DNS, you can get an NXDOMAIN reply, making recipients think there aren't any domainkeys
• If the domainkey private key is small, you can factor it. There's an article on HN's frontpage right now about this.
• If the server uses domainkeys, but it doesn't specifically verify the From: header, an attacker can still forge a message if they share a popular mail provider with their target. I don't know if this is still practical.
• Stupidity. DKIM is difficult to test, and as a security measure it would need to be tested.
An autoreponse confirmation would be immune to all of these attacks and would be trivial to implement correctly.
99% of the time? So if someone decides to trash my reputation they can just post a bunch of stupid blog entries as me and it is on me to (a) detect that this even happened by checking my mail, (b) go do whatever work needed to remove the post and (c) try to explain to everyone what happened (likely causing even more people to do it when they realize how ridiculous the system I'm using is) and salvage my reputation?
That doesn't sound like "works 99% of the time" to me, that sounds like an epic fail.
EDIT: It appears that this was more of a configuration issue, so the above only applies if you set up your account this way.
You can already post a bunch of stupid blog comments as someone else, as long as people realize Posterous has a similar problem, it's not going to ruin your life. (Plus, (a) doesn't seem to be that big of a problem for a service you're using your email to access.)
Commenting on someone's site using a different name is pretty different from being able to fake a post. I have no expectation that comments are written by who they say they are, but I do expect all the posts to be written by the same person.
Sort of defeats the purpose of Posterous though. It's nice to be able to send an email and be done with it. Though for an account coming under constant attack, it'd be nice to have the option though.
Edit: What they should really do is obfuscate the posting email addresses a little. Make my posting email 1234randomwords@posterous.com, and give me the option to change it to something else if I am coming under attack.
Usually, Posterous catches this stuff and sends an email asking you to confirm that you really are you. They analyze the headers more closely than just looking at the name. For some reason, this didn't work in this case.
Headers are name/value pairs, a typical email will have 20 of those. It's possible to copy them if you have received an email from the blog owner or maybe from a mailing list post.
Email address is not enough. This one case was a coincidence.
"We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing."
I think he said that: The blog owner's email host did not provide SPF protection; the intruder's email host appended some headers that lured Posterous to classify the email as genuine.
So, having access to the blog owner's email headers would not have provided any additional advantage to the intruder.
Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
Is it possible to publish the algorithms and technique you are using to prevent spoofing.
It would really be a big help to us as well as every body else.
This is definitely happening in the wild, as well. A friend of mine had some spam advertising a mobile phone site posted to her Posterous, which fed into her Facebook feed, etc..
Sure active users will notice spam posts but what about the long tail of customers who no longer update their Posterous blog? What happens when a 'creative' link marketer finds a way to index those sites and inject posts?
While we're talking about Posterous, does anyone know why it adds a random number to the end of article URLs, as in http://blog.dustincurtis.com/apparently-765 ? I know it's not a big deal, but I find that aesthetically unpleasing, as it kind of ruins an otherwise beautiful URL.
Google's crawler (especially the blog and news ones) requires a three digit or larger number in the url. That is why you should keep a year/date in a url.
Update: Not sure why I got downvoted, but here is the reference from Google News:
It is a namespace thing. I am pretty sure. When I use a title for my posterous posts that no one ever used before, the permalink is just the title. When I for example post something titled generally like "photo" it becomes "photo-73864"
if you check for example: http://posterous.com/explore
You can see all pretty unique titles without a number appended and then a post titled "Tetris" gets "/tetris-194"
Even if you post something without a title it just gets an ID assigned which is (this is a guess tho) the unique ID in their database of all blogs.
Why not let users use email certificates if they want? That's what I've got going on in Tgethr. Let users decide if extra trouble of setting up an email cert is worth it (it's not that bad), and now all of a sudden you have spam proof email discussion lists. We just check the message signature to make sure yep your message is signed as dustincurtis@gmail.com or whatever and we'll accept the message.
What I'm surprised is why posterous doesn't do more check on all the headers sent by the email software (X-Mailer, and so on) and ask for a confirmation if those other headers are different enough from a known correct configuration...
Of course someone who received an email from the blog owner could use that to fake all those headers but at least it would prevent people posting by simply guessing the email address.
Of course, not using such full blown solutions will mean that posterous' heuristics techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.
On the other hand, looking for solutions that are resilient to more sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it involves provable security models, such as http://www.google.com/#hl=en&q=provable+security+signatu... ). There are even variations on IBE, such as certificateless, which require you to trust even less people.
This is of course, assuming you are not willing to inconvenience users by making them reply a email you send them after they tried to poste. Such email would contain a custom made url (the secret) that would enable the post to actually be posted. On the other hand, this solution feels more inconvenient than using OAuth methods.
Nonetheless, not all users care about security/privacy (those that do, will always have the usual login scheme). If you chose to go other way, good luck to you. After all, people still use MD5 for security applications nowadays.
1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.
2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to posterous from the hash address. Your email address becomes your password.
You should be able to PGP sign your emails to confirm that they're good. If an unsigned email suddenly appears, a confirmation email should be sent back to the sender address before it is posted.
Twitter had similar issue in their Text -> Tweet system. People were using softwares to send Text messages and using anybody's phone number as they want. They fixed it by using 4 digit pin and I think Posterous should do the same.
"You can set a password on your Posterous site so only the readers you want can see it. To see your site, a user must go to your site url and also enter the correct password for your site."
Posterous really does fail here. I can see why they would want to tolerate a little of this to preserve ease of use for their users (just like Amazon with their Kindle email address). However, there are a number of steps that Posterous can take to combat forged headers in ways that should not impact users at all. Enabling SPF, for example, would be a good start.
Technically, it's the same problem as email spam, and most of the same tools can be used to combat it. Posterous should flag posts that they aren't sure of and make users confirm them before putting them up, etc.
EDIT:
The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.
> The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.
Multiply (http://multiply.com) does something similar. You set your post-by-email id. And, then email your posts to the post-by-email-id@your-multiply-id.multiply.com. You decide how complicated or easy you want your post-by-email-id to be.
As someone said, this is not 100% secure as the email address is sent as clear text as it passes through mail servers, but it's more difficult for someone to guess it.
They do perform additional checks on the message sent to make sure it came from you, perhaps similar to those that Posterous does.
It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like devnull@example.com or noreply@yourdomain.com. They don't even send a confirmation email that you have to approve before stuff is posted?