Claws-Mail Security issue

Postby OR1k » 2008-07-01 03:03

Hi all. I have been trying for the past week to get someone from Debian to respond to me for what I see as a potential security issue in claws-mail. I have emailed the maintainer, the debian security mailing list, gone to the debian security irc and no one has responded!!!!! This is frustrating to say the least as Debian is supposed to be transparent and particularly watchful for security issues or helping to investigate them. I am going to paste my email texts/convos as they explain the situation in detail. I am hoping for a positive resolution to this...

From: <MYEMAILHERE>
To: debian-security-tracker@lists.debian.org
Subject: Fw: Security Question in Claws-Mail
Date: Sun, 29 Jun 2008 22:24:33 -0700
X-Mailer: Claws Mail 3.4.0 (GTK+ 2.12.9; i486-pc-linux-gnu)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi all. I signed up for Alioth last night and could not find this mailing-list link. So if someone would be so kind as to point me in the proper direction of how to sign up for this list it would be great. As of right now I have not received a response back from the listed apt maintainer or from this list and to me this issue is important as it appears that claws mail has a security hole that enables spoofing of email from inside of claws. Please respond.

GK


Begin forwarded message:

Date: Sat, 28 Jun 2008 21:19:26 -0700
From: <MYEMAILHERE>
To: debian-security-tracker@lists.debian.org
Subject: Fw: Security Question in Claws-Mail


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all. As of June 28th I have not received a response back from the maintainer that was listed in apt-cache. So I am posting this on here. Any help on what to do from here would be appreciated. I have not had any new entries in the past few days but it has happened a few times since installing Lenny and this is the only email client I use. I rarely use the web site browser. I will add that I use the BetterGmail2 plugin from IW2.x.14 though. But I have not noticed any activity that way, only in claws, and it uploads to the Gmail servers too.

GK

Begin forwarded message:

Date: Wed, 25 Jun 2008 23:53:08 -0700
From: <MYEMAILHERE>
To: mones@debian.org
Subject: Security Question in Claws-Mail


- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Good morning Ricardo:

I'm writing to you about an issue that I have been having since installing Lenny and Claws-Mail. I could not use claws in sid because it would not work for me so at the time I used Evolution. Since wiping my box and installing Lenny, Claws works for me in this environment. This is what I currently have installed on my box:
ii claws-mail 3.4.0-2+b2 Fast, lightweight and user-friendly GTK2 based email client
un claws-mail-doc <none> (no description available)
ii claws-mail-i18n 3.4.0-2 Locale data for Claws Mail (i18n support)
ii claws-mail-pdf-viewer 3.4.0-1+b4 PDF and PostScript viewer for Claws Mail
un claws-mail-pgpcore <none> (no description available)
ii claws-mail-pgpinline 3.4.0-2+b2 PGP/inline plugin for Claws Mail
ii claws-mail-pgpmime 3.4.0-2+b2 PGP/MIME plugin for Claws Mail
ii claws-mail-smime-plugin 3.4.0-1+b4 S/MIME signature/encryption handling for Claws Mail
ii claws-mail-spam-report 3.4.0-1+b4 Spam reporting plugin for Claws Mail
ii claws-mail-themes 20070116.dfsg-1 Pixmap icon themes for the Claws Mail mailer
ii claws-mail-tools 3.4.0-2 Helper and utility scripts for Claws Mail mailer
ii claws-mail-trayicon 3.4.0-2+b2 Notification area plugin for Claws Mail

I use gmail for my email account along with the imap server for gmail. The problem I seem to be having though is somehow in Claws my sent mail is sending bogus spam but I haven't sent anything. Claws is set up for me to always sign my emails before sending and these are not signed but sent from me and appear to be the same subject/headers.

The following is one email of this type:

Delivered-To: MYEMAILHERE
Received: by 10.150.58.12 with SMTP id g12cs404890yba;
        Tue, 24 Jun 2008 09:16:16 -0700 (PDT)
Received: by 10.67.24.18 with SMTP id b18mr3497326ugj.11.1214324175506;
        Tue, 24 Jun 2008 09:16:15 -0700 (PDT)
Return-Path: <gm57837@plusnet.pl>
Received: from kabinet (85-18-14-28.fastres.net [85.18.14.28])
        by mx.google.com with SMTP id 32si33710862ugf.42.2008.06.24.09.16.11;
        Tue, 24 Jun 2008 09:16:15 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning gm57837@plusnet.pl does not designate 85.18.14.28 as permitted sender) client-ip=85.18.14.28;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gm57837@plusnet.pl does not designate 85.18.14.28 as permitted sender) smtp.mail=gm57837@plusnet.pl
Date: Tue, 24 Jun 2008 09:16:15 -0700 (PDT)
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: communications_msn_cs_enus@cimail15.msn.com
Message-Id: <20080624071846.41569.qmail@kabinet>
To: MYEMAILHERE
Subject: Dear MYEMAILHERE June 88% 0FF
From: VIAGRA ® Official Site <MYEMAILHERE>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


As far as I can tell I don't have a rootkit, trojan or the like on my box and it has not been compromised. All unnecessary services/ports are shut down. My passwords are strong and I believe in using gpg, bcrypt, etc for my personal data. Why would this be occurring to me? It has only been in the past few weeks since installing Lenny and Claws.

GK


#### end #########


Does anyone have an idea as to how to handle this issue?
Oh please don't rescue me from DRM, malware, virii and spyware... I want my M$!!!
Linux VampirePenguin 2.6.24-1-686 #1 SMP Sat Apr 19 00:37:55 UTC 2008 i686 GNU/Linux
OR1k
 
Posts: 21
Joined: 2007-05-01 11:32
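As an added example (not from the post, and not code from Claws Mail or Debian), here is a small Python check that reads the quoted headers the way the later replies reason about them: it compares the display From: against the envelope sender recorded by the receiving MX, the Received-SPF result, the earliest Received hop and the X-Mailer. The sample headers are constructed from the ones quoted above, with a placeholder recipient address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post: recipient address
# is a placeholder, folded lines are re-indented as they would be in a raw message.
SAMPLE = """\
Return-Path: <gm57837@plusnet.pl>
Received: from kabinet (85-18-14-28.fastres.net [85.18.14.28])
        by mx.google.com with SMTP id 32si33710862ugf.42.2008.06.24.09.16.11;
        Tue, 24 Jun 2008 09:16:15 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning gm57837@plusnet.pl does not designate 85.18.14.28 as permitted sender) client-ip=85.18.14.28;
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: communications_msn_cs_enus@cimail15.msn.com
Subject: Dear user June 88% 0FF
From: VIAGRA Official Site <user@example.com>

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def origin_hop(msg):
    """Earliest 'Received: from X (...) by Y' hop; headers are prepended, so the last is oldest."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP.search(hdr)
        if m:
            helo, info, by = m.groups()
            ip = re.search(r"\[(\d+(?:\.\d+){3})\]", info)
            return helo, (ip.group(1) if ip else None), by
    return None, None, None

def classify_origin(raw):
    """Weigh the display From: against the transport evidence the MX recorded."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    # The topmost Return-Path is the envelope sender the delivering MTA recorded.
    envelope = parseaddr(msg.get_all("Return-Path", [""])[0])[1]
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower() or None
    helo, ip, by = origin_hop(msg)
    signals = {
        "from_address": from_addr, "envelope_sender": envelope, "spf": spf,
        "origin_helo": helo, "origin_ip": ip, "received_by": by,
        "mailer_is_claws": msg.get("X-Mailer", "").startswith("Claws Mail"),
    }
    domain_mismatch = envelope.split("@")[-1] != from_addr.split("@")[-1]
    forged = (domain_mismatch or spf in ("softfail", "fail")) and not signals["mailer_is_claws"]
    signals["verdict"] = ("forged From: received from outside, not sent by this client"
                          if forged else "no transport evidence of forgery")
    return signals
```

A message the local client actually submitted would carry a Claws Mail X-Mailer and an envelope sender matching the From: domain; here every transport signal points to an external host handing the mail to Gmail's inbound MX.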

Postby Lavene » 2008-07-01 04:27

Oh dear!

I don't have a solution but if you suspect problems with a package the correct thing to do is to submit a proper bugreport.

If you suspect that your system is pumping out spam you should disconnect it from the net and investigate it. I'm no expert at cleaning out such things but I would assume using a LiveCD like Knoppix or Grml is a good idea. Run a rootkit scanner from the live CD because you can not trust your own system. (I recommend Grml since its target usage is system rescue and it is not loaded with stuff like Openoffice, KDE and other things not needed for system work.)

Hopefully someone more knowledgeable than me will come by with some real advice.
Lavene
Site admin
 
Posts: 5096
Joined: 2006-01-04 04:26
Location: Oslo, Norway

Postby OR1k » 2008-07-01 05:19

Hey Lavene.

I didn't think about running grml in addition to what I have on my boxen already. Both chkrootkit and rkhunter came up negative so that is good. Stew and Donde... in #debian think it is just misfiled spam. I don't know if this is the case or not.

Vi^3PP
OR1k
 
Posts: 21
Joined: 2007-05-01 11:32

Postby Lavene » 2008-07-01 06:36

OR1k wrote:Hey Lavene.

I didn't think about running grml in addition to what I have on my boxen already. Both chkrootkit and rkhunter came up negative so that is good. Stew and Donde... in #debian think it is just misfiled spam. I don't know if this is the case or not.

Vi^3PP

I meant running it off the CD, aka liveCD, not installing it. The problem of running stuff like rkhunter from the possibly compromised system is that the result can not be trusted (they might as well be compromised). A live CD is a complete running system that does not touch your harddrive so you know you are running off a clean system.

Anyway, it's probably more plausible that it's misfiled *received* spam and not something the system has sent out.
Lavene
Site admin
 
Posts: 5096
Joined: 2006-01-04 04:26
Location: Oslo, Norway

Postby OR1k » 2008-07-01 07:45

hehehe... um I did run it off of the live cd ;)

results of both scans == -
OR1k
 
Posts: 21
Joined: 2007-05-01 11:32

Postby Lavene » 2008-07-01 07:57

Ah... aren't misunderstandings fun? :P
Lavene
Site admin
 
Posts: 5096
Joined: 2006-01-04 04:26
Location: Oslo, Norway

Postby OR1k » 2008-07-01 09:26

/me passes lavene some fishee pops and grilled cheese sea dogs with a side of m&m and irish mint baileys :)
OR1k
 
Posts: 21
Joined: 2007-05-01 11:32

Postby Issyer » 2008-07-01 11:32

It's not pumping out spam. Sounds like somebody knows his email address and uses it for his/her own purposes. I did the same to one guy only because he was unlucky enough to register the one I wanted to have on a free online email service. And the spammers did the same to me. They put my email address on their zombies, and I got hundreds of responses including failed email delivery notifications. I had to change my email address.
Issyer
 
Posts: 3055
Joined: 2007-05-23 02:59
Location: Khakassia

Postby OR1k » 2008-07-02 03:10

Well I did two things. I dumped Claws for emailing and KMail is now working in Lenny for me. It interfaces nice with kgpg, kaddressbook and such too. KMail also allows for easier conversions of the stock gmail address export. Claws allowed setup of all sent messages to be signed. So I have the same setup in KMail.

Plus, and I don't know if this was connected, but I also made sure that I uninstalled BetterGmail2 from my browser now that I know I can manually force https all the time in Gmail. I have been using https connections for months now.

Onward and upward.
OR1k
 
Posts: 21
Joined: 2007-05-01 11:32

Postby pcalvert » 2008-07-02 17:51

I think the reason you probably didn't get a reply is that you provided no evidence that there's a security hole in Claws-Mail. What you posted looks like a typical spam e-mail.

Normally, these types of e-mail messages end up in Gmail's Spam folder. It looks like you may have somehow configured Claws-Mail in such a way that it was retrieving the spam in addition to the messages in your Inbox.

Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1821
Joined: 2006-04-21 11:19
Location: Sol Sector