Open Bug 263220 Opened 20 years ago Updated 2 years ago

Block remote images: Investigate ways of not whitelisting if From: address same as To: (forgery)

Categories

(Thunderbird :: Message Reader UI, defect)

defect

Tracking

(Not tracked)

People

(Reporter: steve, Unassigned)

References

Details

(Keywords: privacy, uiwanted)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Build Identifier: Thunderbird version 0.8 (20040913)

I have disabled remote images in Thunderbird, unless the sender is in my address book. I got the following header in an obscene message:

Received: from 151.164.30.66 (EHLO mtac2.prodigy.net) (151.164.30.66) by mta827.mail.sc5.yahoo.com with SMTP; Tue, 05 Oct 2004 13:41:01 -0700
X-Header-Overseas: Mail.from.Overseas.source.219.255.199.227
X-Header-NoReverseIP: IP.name.lookup.failed[219.255.199.227]
X-Originating-IP: [219.255.199.227]
Received: from pacbell.net ([219.255.199.227]) by mtac2.prodigy.net (8.12.10 inb shim/8.12.10) with SMTP id i95KewEt022888 for <my_email@pacbell.net>; Tue, 5 Oct 2004 15:40:59 -0500 (CDT)
Message-ID: <081101c4ab1c$c19d6c59$92e6e1db@sum01>
From: "Katherine Clapton" <my_email@pacbell.net>
To: <my_email@pacbell.net>
Subject: If you think these won't make her happy, your dumb!
Date: Wed, 6 Oct 2004 05:41:03 +0900

Some porn images were displayed and shouldn't have been. (My 9-year-old wants to know why he can't have an email address of his own. This is one of the reasons.) (My previous employer would fire you if obscene pictures were displayed at work, citing "sexual harassment" if anyone else saw it.)

Sam Spade indicates:
X-Originating-IP: [219.255.199.227]
Received: from pacbell.net ([219.255.199.227]) by mtac2.prodigy.net (8.12.10 inb shim/8.12.10) with SMTP id i95KewEt022888 for <my_email@pacbell.net>; Tue, 5 Oct 2004 15:40:59 -0500 (CDT)
mtac2.prodigy.net received this from someone claiming to be pacbell.net but really from 219.255.199.227 (No rDNS)

Is there an easy way to detect forged addresses before looking in my address book for a match?

Reproducible: Always

Steps to Reproduce:
1. dummy up some email using the above headers
2. put your address as the sender
3. look at remote images that you didn't want to look at

Actual Results: The remote images show up, even though they shouldn't have.

Expected Results: Detected the forged sender and not bothered to look up my name in my address book or displayed the remote images.
There is a full sample message from bug 263152 that demonstrates this same problem -- attachment 161258 [details]. As in this bug, the msg's From: address contains a bogus name but the same mail address as the To:, which clears the whitelist hurdle.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Block remote images execpt if in address book fooled by forged address → Block remote images: don't whitelist if From: address same as To: (forgery)
*** Bug 263152 has been marked as a duplicate of this bug. ***
Wouldn't taking yourself out of the address book workaround this? Also note that many mailing lists use identical from and to addresses.
Depends on: 303754
You can't make a blanket rule about saying that an eMail from yourself is a forgery. Some are, but some people, like me for instance, want to be able to send a copy of eMails to ourselves, and if you hardwire Tb to reject eMail to yourself you will find me, at least, switching back to Eudora. Yes, I know that spammers use our own eMail addresses to try to get around our whitelists. The proper solution is not to blacklist ourselves but to handle whitelisting of our own addresses as a special case. I have a filter to take care of people who try to impersonate me, namely I only accept eMail "from me" if it is coming from a PLACE (IP address or software type) which I send from. Works very well. To date I have had no false positives and no false negatives, and this solution is applicable to eMails and all of their content (not just the pictures mentioned in this report). Jeff Barry JeffBatHome@Speakeasy.net
QA Contact: general
Assignee: mscott → nobody
Component: General → Security
QA Contact: general → thunderbird
Wayne, why is this in security and not in Core Filters?
don't recall my reasoning (if there was any at all). Are there bugs of this type in security?
(In reply to comment #6)
> don't recall my reasoning (if there was any at all). Are there bugs of this
> type in security?

First one I've found but I have not been looking at all of them yet.
Severity: enhancement → normal
Component: Security → Message Reader UI
Keywords: privacy
OS: Windows XP → All
QA Contact: thunderbird → message-reader
Hardware: x86 → All
I believe a perfect solution is to require the user to click the "load images" button when the from address is the same as the to address. So simple and so elegant. For the people that actually do send e-mails to themselves and they have remote images, this is a very minor inconvenience relative to the huge security issue this could be since spammers can easily verify that your address is in use by having it load up a remote script that outputs an image.
(In reply to Jeff Barry from comment #4)
> You can't make a blanket rule about saying that an eMail from yourself is a
> forgery. Some are, but some people, like me for instance, want to be able
> to send a copy of eMails to ourselves, and if you hardwire Tb to reject
> eMail to yourself [it will be bad UX for such users]...

I agree that we can't make this a blanket hardwired rule, needs more thought and sophistication. Adjusting summary accordingly.

(In reply to Mike Robinson from comment #9)
> I believe a perfect solution is to require the user to click the "load
> images" button when the from address is the same as the to address. So
> simple and so elegant.

It's probably less simple under the hood, and to get right for different scenarios.

> For the people that actually do send e-mails to themselves and they have
> remote images, this is a very minor inconvenience relative to the huge
> security issue this could be since spammers can easily verify that your
> address is in use by having it load up a remote script that outputs an image.

This should be investigated what kind of protection we already have against it.
Keywords: uiwanted
Summary: Block remote images: don't whitelist if From: address same as To: (forgery) → Block remote images: Investigate ways of not whitelisting if From: address same as To: (forgery)
Severity: normal → S3
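An added illustration (not Thunderbird code, and not posted by anyone in this thread) of the special-case handling proposed in comments 4 and 9: the user's own address is checked before the address-book lookup, so a forged From: equal to the To: cannot pass the whitelist by itself; mail "from me" is auto-loaded only when the earliest Received: hop falls inside a network the user actually sends from, and otherwise falls back to the explicit "load images" click. The sample message reuses the headers quoted in this bug; the address book, the home network range 192.0.2.0/24 and the HTML body are constructed for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From/To/Received values are the ones quoted in the
# bug report; the Subject and HTML body are made up.
SAMPLE_FORGED = """\
Received: from pacbell.net ([219.255.199.227]) by mtac2.prodigy.net \
(8.12.10 inb shim/8.12.10) with SMTP id i95KewEt022888 for \
<my_email@pacbell.net>; Tue, 5 Oct 2004 15:40:59 -0500 (CDT)
From: "Katherine Clapton" <my_email@pacbell.net>
To: <my_email@pacbell.net>
Subject: sample
Content-Type: text/html

<img src="http://tracker.invalid/pixel.gif">
"""

# Bracketed IPv4 literal as the receiving MTA writes it into Received:.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """IP from the earliest (bottom-most) Received: hop, or None."""
    for hop in reversed(msg.get_all("Received") or []):
        m = _BRACKETED_IP.search(str(hop))
        if m:
            return m.group(1)
    return None


def remote_image_policy(raw, own_addresses, address_book, trusted_nets):
    """Return 'load', 'prompt' or 'block' for remote images in `raw`.

    trusted_nets are CIDR strings for the places the user really sends
    from (comment 4's filter); own addresses are decided before the
    address-book lookup so the From:==To: trick never reaches it.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in own_addresses:
        ip = originating_ip(msg)
        nets = [ipaddress.ip_network(n) for n in trusted_nets]
        if ip and any(ipaddress.ip_address(ip) in n for n in nets):
            return "load"    # genuinely from me, from my usual origin
        return "prompt"      # claims to be me: require the click (comment 9)
    if sender in address_book:
        return "load"
    return "block"
```

With the bug's headers the forged message yields "prompt" even though my_email@pacbell.net is in the address book; the same message submitted from inside 192.0.2.0/24 yields "load".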