You don’t need a password. Posterous fail. (opens in new tab)

(blog.dustincurtis.com)

160 pointsprabodh15y ago75 comments

75 comments

It's possible to forge headers in certain circumstances. It's not easy. And this is the first time this has happened.

It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like devnull@example.com or noreply@yourdomain.com. They don't even send a confirmation email that you have to approve before stuff is posted?

jcnnghm15y ago

Headers are manually created whenever programmatically sending email messages

To clarify this a little, in case anyone isn't familiar, to send an email message programmatically, you basically just send a string with some headers and body content to the email server. Here are what the headers look like:

  Date: Sat, 13 Jun 2009 06:53:06 -0400
  From: Mail Delivery Subsystem <MAILER-DAEMON>
  Message-Id: <200906131053.n5DAr2Nv025105@jclinux>
  To: <root@jclinux>

To change the sender, all you'd need to do is change the from line. For example:

  From: Steve Jobs <sjobs@apple.com>

A default sendmail implementation will deliver that message all day. Email headers should never be used for authentication.

robinduckett15y ago

That was my point. When I read in his article that he wasn't requiring a password to post, I thought I'd see if he was telling the truth, turns out he was.

adamsmith15y ago

But most major domains use domain keys / DKIM.

http://en.wikipedia.org/wiki/DKIM

As far as I understand it, you can't fake being an SMTP server sending mail from such a domain because their emails get signed with a private key whose matching public key is published by DNS.

1 more reply

edanm15y ago

As I understand it, they send you a mail telling you about the post and letting you remove it. Not perfect, but probably works 99% of the time.

loewenskind15y ago

99% of the time? So if someone decides to trash my reputation they can just post a bunch of stupid blog entries as me and it is on me to (a) detect that this even happened by checking my mail, (b) go do whatever work needed to remove the post and (c) try to explain to everyone what happened (likely causing even more people to do it when they realize how ridiculous the system I'm using is) and salvage my reputation?

That doesn't sound like "works 99% of the time" to me, that sounds like an epic fail.

EDIT: It appears that this was more of a configuration issue, so the above only applies if you set up your account this way.

2 more replies

leftnode15y ago

Shouldn't it work oppositely? Prevent the post from appearing until you explicitly approve it from a link in an email.

2 more replies

dcurtis15y ago

I updated the post to reflect reality.

Usually, Posterous catches this stuff and sends an email asking you to confirm that you really are you. They analyze the headers more closely than just looking at the name. For some reason, this didn't work in this case.

coderdude15y ago

According to him he just changed his email address to your email address in Outlook.

Edit: dcurtis edited his comment. Originally he claimed there was some kind of secret algorithm that prevents spoofing.

1 more reply

loup-vaillant15y ago

But, if they only analyse the headers, they are screwed anyway. Don't they also check the IP of the SMTP server as well or something?

borisk15y ago

Headers are name/value pairs, a typical email will have 20 of those. It's possible to copy them if you have received an email from the blog owner or maybe from a mailing list post.

crc500215y ago

You only need to know the owner's email address.

Access to a message or a mailing list post by them won't provide any further advantage.

1 more reply

kwyjibo15y ago

No, they don't.

ergo9815y ago

I honestly am at a loss to understand how Dustin Curtis keeps getting linked from here.

a4agarwal15y ago

Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!

uhspot15y ago

Hi,

Is it possible to publish the algorithms and technique you are using to prevent spoofing. It would really be a big help to us as well as every body else.

Thanks,

robinduckett15y ago

I did it. Sorry Dustin. It really was me. I changed one field in outlook.

I realise Posterous requires you to "confirm" the post, I just wanted to see if you had defaulted that requirement to off.

vinhboy15y ago

I find it bizarre that it took this long for someone to do this...

apphacker15y ago

You realize you broke the law and admitted to it.

mikeryan15y ago

Honest question, what law was broken here?

michael_dorfman15y ago

This is definitely happening in the wild, as well. A friend of mine had some spam advertising a mobile phone site posted to her Posterous, which fed into her Facebook feed, etc..

xinsight15y ago

It is easy.

  $ /usr/sbin/sendmail -f dustin@dustincurtis.com  
  dustin@posterous.com
  Subject: hi
  
  Spam spam spam
  
  ^D

robinduckett15y ago

You have to know his email address.

One quick whois lookup, and I found the email he was likely sending from. His site has another email listed, so I did a little digging.

ddrager15y ago

Or,

  $ telnet mailhost.com 25
  HELO myserver.hostname.com 
  MAIL FROM: dustin@dustincurtis.com 
  RCPT TO: post@posterous.com
  DATA
  Subject: Hello
  spam spam
  .
  QUIT

travisp15y ago

You don't even need to know the command line, you can often do stuff like that just from Outlook.

ramchip15y ago

You don't even need to know Outlook, you can often do stuff like that just from the command line. ;)

rantfoil15y ago

Actually that's not going to work. This sort of approach would definitely hit our spoof filters.

josefresco15y ago

Sure active users will notice spam posts but what about the long tail of customers who no longer update their Posterous blog? What happens when a 'creative' link marketer finds a way to index those sites and inject posts?

pg15y ago

Running a spam filter on posts should work well.

mikeryan15y ago

I'd almost be more concerned with essentially getting DDOS'd with spam traffic to the posting address.

codeflo15y ago

While we're talking about Posterous, does anyone know why it adds a random number to the end of article URLs, as in http://blog.dustincurtis.com/apparently-765 ? I know it's not a big deal, but I find that aesthetically unpleasing, as it kind of ruins an otherwise beautiful URL.

snewe15y ago

Google's crawler (especially the blog and news ones) requires a three digit or larger number in the url. That is why you should keep a year/date in a url.

Update: Not sure why I got downvoted, but here is the reference from Google News:

http://www.google.com/support/news_pub/bin/answer.py?hl=en&#...

codeflo15y ago

Don't downvote snewe, he/she is correct: http://www.google.com/support/news_pub/bin/answer.py?answer=...

I can't figure out why though. It sounds like an incredibly stupid rule.

Psyonic15y ago

Why do they want this?

1 more reply

mitchellhislop15y ago

It might be a namespace thing? I have seen that too, and that is the only thing that comes to mind.

1 more reply

jrnkntl15y ago

It is a namespace thing. I am pretty sure. When I use a title for my posterous posts that no one ever used before, the permalink is just the title. When I for example post something titled generally like "photo" it becomes "photo-73864"

codeflo15y ago

So all post URLs share a single global namespace, regardless of ownership? That's not a very clever design IMO.

1 more reply

nate15y ago

Why not let users use email certificates if they want? That's what I've got going on in Tgethr. Let users decide if extra trouble of setting up an email cert is worth it (it's not that bad), and now all of a sudden you have spam proof email discussion lists. We just check the message signature to make sure yep your message is signed as dustincurtis@gmail.com or whatever and we'll accept the message.

gommm15y ago

What I'm surprised is why posterous doesn't do more check on all the headers sent by the email software (X-Mailer, and so on) and ask for a confirmation if those other headers are different enough from a known correct configuration...

Of course someone who received an email from the blog owner could use that to fake all those headers but at least it would prevent people posting by simply guessing the email address.

rantfoil15y ago

Oh, we do that. This was a specific bug that is now fixed.

DanielRibeiro15y ago

Strange that none noted that identity based encryption (IBE for the acquainted ones)solves this problem quite easily (more on http://www.voltage.com/technology/ibe.htm). Boneh and Franklin scheme was the first proposed one, but nowadays this is not only on crypto papers, but they are even RFCS for such schemes: http://www.rfc-editor.org/rfc/rfc5409.txt. There are even some non-commercial implementations around: http://crypto.stanford.edu/ibe/.

Of course, not using such full blown solutions will mean that posterous' heuristics techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.

On the other hand, looking for solutions that are resilient to more sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it involves provable security models, such as http://www.google.com/#hl=en&q=provable+security+signatu... ). There are even variations on IBE, such as certificateless, which require you to trust even less people.

This is of course, assuming you are not willing to inconvenience users by making them reply a email you send them after they tried to poste. Such email would contain a custom made url (the secret) that would enable the post to actually be posted. On the other hand, this solution feels more inconvenient than using OAuth methods.

Nonetheless, not all users care about security/privacy (those that do, will always have the usual login scheme). If you chose to go other way, good luck to you. After all, people still use MD5 for security applications nowadays.

Terretta15y ago

Two solutions:

1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.

2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to posterous from the hash address. Your email address becomes your password.

graywh15y ago

To add an additional outgoing address to Gmail, don't you have to verify that you can receive messages at that account first?

tkaemming15y ago

You could presumably use the plus sign "hack" to make that a bit easier: http://gmailblog.blogspot.com/2008/03/2-hidden-ways-to-get-m...

nailer15y ago

> "Contributors can post" ... is based on email FROM

Sounds somewhat mislabelled then.

mike-cardwell15y ago

You should be able to PGP sign your emails to confirm that they're good. If an unsigned email suddenly appears, a confirmation email should be sent back to the sender address before it is posted.

ashishbharthi15y ago

Twitter had similar issue in their Text -> Tweet system. People were using softwares to send Text messages and using anybody's phone number as they want. They fixed it by using 4 digit pin and I think Posterous should do the same.

borisk15y ago

Not so big a deal IMHO. You can always set a pass if spammers start targeting your blog.

Terretta15y ago

The password is for visiting, not for posting. If you set a password, nobody can visit your blog w/o the password.

http://posterous.com/help/private_sites

"You can set a password on your Posterous site so only the readers you want can see it. To see your site, a user must go to your site url and also enter the correct password for your site."

borisk15y ago

Right, my bad. Still there is an option to receive confirmation link for each post.

d0m15y ago

Oh my I feel bad, I started this in the other post' comments.

tman15y ago

Posterous really does fail here. I can see why they would want to tolerate a little of this to preserve ease of use for their users (just like Amazon with their Kindle email address). However, there are a number of steps that Posterous can take to combat forged headers in ways that should not impact users at all. Enabling SPF, for example, would be a good start.

Technically, it's the same problem as email spam, and most of the same tools can be used to combat it. Posterous should flag posts that they aren't sure of and make users confirm them before putting them up, etc.

EDIT:

The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.

prakashk15y ago

> The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.

Multiply (http://multiply.com) does something similar. You set your post-by-email id. And, then email your posts to the post-by-email-id@your-multiply-id.multiply.com. You decide how complicated or easy you want your post-by-email-id to be.

As someone said, this is not 100% secure as the email address is sent as clear text as it passes through mail servers, but it's more difficult for someone to guess it.

They do perform additional checks on the message sent to make sure it came from you, perhaps similar to those that Posterous does.

axod15y ago

> "The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password."

You'd still be sending your password in the clear, possibly through other peoples mail servers. Not great security.

tman15y ago

The perfect is the enemy of the good.

There is a trade-off here between security and usability. 99% security is good enough for a lot of purposes and has its place.

2 more replies

j / k navigate · click thread line to collapse

75 comments

jcnnghm15y ago

It's possible to forge headers in certain circumstances. It's not easy. And this is the first time this has happened.

jcnnghm15y ago

Headers are manually created whenever programmatically sending email messages

  Date: Sat, 13 Jun 2009 06:53:06 -0400
  From: Mail Delivery Subsystem <MAILER-DAEMON>
  Message-Id: <200906131053.n5DAr2Nv025105@jclinux>
  To: <root@jclinux>

To change the sender, all you'd need to do is change the from line. For example:

  From: Steve Jobs <sjobs@apple.com>

A default sendmail implementation will deliver that message all day. Email headers should never be used for authentication.

robinduckett15y ago

That was my point. When I read in his article that he wasn't requiring a password to post, I thought I'd see if he was telling the truth, turns out he was.

adamsmith15y ago

But most major domains use domain keys / DKIM.

http://en.wikipedia.org/wiki/DKIM

As far as I understand it, you can't fake being an SMTP server sending mail from such a domain because their emails get signed with a private key whose matching public key is published by DNS.

1 more reply

edanm15y ago

As I understand it, they send you a mail telling you about the post and letting you remove it. Not perfect, but probably works 99% of the time.

loewenskind15y ago

That doesn't sound like "works 99% of the time" to me, that sounds like an epic fail.

EDIT: It appears that this was more of a configuration issue, so the above only applies if you set up your account this way.

2 more replies

leftnode15y ago

Shouldn't it work oppositely? Prevent the post from appearing until you explicitly approve it from a link in an email.

2 more replies

dcurtis15y ago

I updated the post to reflect reality.

coderdude15y ago

According to him he just changed his email address to your email address in Outlook.

Edit: dcurtis edited his comment. Originally he claimed there was some kind of secret algorithm that prevents spoofing.

1 more reply

loup-vaillant15y ago

But, if they only analyse the headers, they are screwed anyway. Don't they also check the IP of the SMTP server as well or something?

borisk15y ago

Headers are name/value pairs, a typical email will have 20 of those. It's possible to copy them if you have received an email from the blog owner or maybe from a mailing list post.

crc500215y ago

You only need to know the owner's email address.

Access to a message or a mailing list post by them won't provide any further advantage.

1 more reply

kwyjibo15y ago

No, they don't.

ergo9815y ago

I honestly am at a loss to understand how Dustin Curtis keeps getting linked from here.

a4agarwal15y ago

Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

For the vast majority of users who use gmail, hotmail or other services, this was never an issue.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!

uhspot15y ago

Hi,

Is it possible to publish the algorithms and technique you are using to prevent spoofing. It would really be a big help to us as well as every body else.

Thanks,

robinduckett15y ago

I did it. Sorry Dustin. It really was me. I changed one field in outlook.

I realise Posterous requires you to "confirm" the post, I just wanted to see if you had defaulted that requirement to off.

vinhboy15y ago

I find it bizarre that it took this long for someone to do this...

apphacker15y ago

You realize you broke the law and admitted to it.

mikeryan15y ago

Honest question, what law was broken here?

michael_dorfman15y ago

This is definitely happening in the wild, as well. A friend of mine had some spam advertising a mobile phone site posted to her Posterous, which fed into her Facebook feed, etc..

xinsight15y ago

It is easy.

  $ /usr/sbin/sendmail -f dustin@dustincurtis.com  
  dustin@posterous.com
  Subject: hi
  
  Spam spam spam
  
  ^D

robinduckett15y ago

You have to know his email address.

One quick whois lookup, and I found the email he was likely sending from. His site has another email listed, so I did a little digging.

ddrager15y ago

Or,

  $ telnet mailhost.com 25
  HELO myserver.hostname.com 
  MAIL FROM: dustin@dustincurtis.com 
  RCPT TO: post@posterous.com
  DATA
  Subject: Hello
  spam spam
  .
  QUIT

travisp15y ago

You don't even need to know the command line, you can often do stuff like that just from Outlook.

ramchip15y ago

You don't even need to know Outlook, you can often do stuff like that just from the command line. ;)

rantfoil15y ago

Actually that's not going to work. This sort of approach would definitely hit our spoof filters.

josefresco15y ago

pg15y ago

Running a spam filter on posts should work well.

mikeryan15y ago

I'd almost be more concerned with essentially getting DDOS'd with spam traffic to the posting address.

codeflo15y ago

snewe15y ago

Google's crawler (especially the blog and news ones) requires a three digit or larger number in the url. That is why you should keep a year/date in a url.

Update: Not sure why I got downvoted, but here is the reference from Google News:

http://www.google.com/support/news_pub/bin/answer.py?hl=en&#...

codeflo15y ago

Don't downvote snewe, he/she is correct: http://www.google.com/support/news_pub/bin/answer.py?answer=...

I can't figure out why though. It sounds like an incredibly stupid rule.

Psyonic15y ago

Why do they want this?

1 more reply

mitchellhislop15y ago

It might be a namespace thing? I have seen that too, and that is the only thing that comes to mind.

1 more reply

jrnkntl15y ago

codeflo15y ago

So all post URLs share a single global namespace, regardless of ownership? That's not a very clever design IMO.

1 more reply

nate15y ago

gommm15y ago

Of course someone who received an email from the blog owner could use that to fake all those headers but at least it would prevent people posting by simply guessing the email address.

rantfoil15y ago

Oh, we do that. This was a specific bug that is now fixed.

DanielRibeiro15y ago

Of course, not using such full blown solutions will mean that posterous' heuristics techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.

Terretta15y ago

Two solutions:

1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.

2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to posterous from the hash address. Your email address becomes your password.

graywh15y ago

To add an additional outgoing address to Gmail, don't you have to verify that you can receive messages at that account first?

tkaemming15y ago

You could presumably use the plus sign "hack" to make that a bit easier: http://gmailblog.blogspot.com/2008/03/2-hidden-ways-to-get-m...

nailer15y ago

> "Contributors can post" ... is based on email FROM

Sounds somewhat mislabelled then.

mike-cardwell15y ago

You should be able to PGP sign your emails to confirm that they're good. If an unsigned email suddenly appears, a confirmation email should be sent back to the sender address before it is posted.

ashishbharthi15y ago

borisk15y ago

Not so big a deal IMHO. You can always set a pass if spammers start targeting your blog.

Terretta15y ago

The password is for visiting, not for posting. If you set a password, nobody can visit your blog w/o the password.

http://posterous.com/help/private_sites

"You can set a password on your Posterous site so only the readers you want can see it. To see your site, a user must go to your site url and also enter the correct password for your site."

borisk15y ago

Right, my bad. Still there is an option to receive confirmation link for each post.

d0m15y ago

Oh my I feel bad, I started this in the other post' comments.

tman15y ago

EDIT:

The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.

prakashk15y ago

> The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.

As someone said, this is not 100% secure as the email address is sent as clear text as it passes through mail servers, but it's more difficult for someone to guess it.

They do perform additional checks on the message sent to make sure it came from you, perhaps similar to those that Posterous does.

axod15y ago

> "The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password."

You'd still be sending your password in the clear, possibly through other peoples mail servers. Not great security.

tman15y ago

The perfect is the enemy of the good.

There is a trade-off here between security and usability. 99% security is good enough for a lot of purposes and has its place.

2 more replies

j / k navigate · click thread line to collapse