Qpopper patch to snare Mail2Web clients
Introduction
This directory contains a patch for qpopper (4.0.8) that I wrote to deal
with the Mail2Web.com problem, a free web
Email proxy service that offers to let users read their Email by connecting
to their remote mail server.
There are 2 problems with their service:
- it sometimes leaves idle qpopper process hanging around (probably when the
user interrupts the browser in mid session); and
- if they cannot authenticate successfully for whatever reason, Mail2Web
will start spewing the user's authentication information around, even to
other servers outside the mail domain. This means someone can passively
collect usernames and passwords.
I explain the problem more fully in this write-up
This patch to qpopper 4.0.8 (which can easily
be adapted to other versions) will cause qpopper to enter into a fake POP3
session if it recognizes that the client is coming from Mail2Web's network.
It will put itself into a sandbox (setuid(), setgid(), chroot()) and start
a POP3 session that allows the client access to a RFC822 mailbox with one
message. It will accept any user or password information as valid. In fact you
don't even need that; it's stateless. The daemon goes into a read-execute
loop that will definitely terminate when an inactivity timeout occurs, a
maximum command count is reached, or the client quits.
The message the user gets cannot be deleted, although it will quite
happily accept a "DELE" pop command.
By accepting any authentication data as valid, it will fool Mail2Web into
thinking it has found the right mail server, and will stop it from roaming
around the network and giving out this sensitive information. It can also
provide a warning to the Mail2Web user about why their service is insecure
and provide some negative advertising.
Files to download
- m2w.patch: a patch to popper.c that will add the
Mail2Web session code.
- m2w.mbox: an example mailbox in RFC822 format that
will be displayed to the user. Place this in the chroot() jail directory.
Installation
- Unpack qpopper 4.0.8, go to popper source directory (where popper.c is
found) and apply the patch.
patch < m2w.patch
- Adjust define symbols if necessary:
- SAFE_UID, SAFE_GID: a UID and GID that
qpopper will assume during the Mail2Web session. No files
should be owned by this UID or GID.
- SAFE_ROOT: the directory that qpopper will
chroot() to during the Mail2Web session. It ought
to contain the mailbox MAILBOX fed to the client.
- MAILBOX: the name of the mailbox file. It ought to
contain one RFC822 compliant message that you want to display
to the Mail2Web user.
- MAXMESS: the maximum number of lines in the message.
Extra lines will be truncated.
- MAXCMDS: the maximum number of commands the session
will execute. Typically, only a half-dozen is required.
- OUR_TIMEOUT: the maximum number of seconds
to wait for a command. The maximum length of
time spent during a Mail2Web session should
be MAXCMDS*OUR_TIMEOUT.
- Build and install qpopper binary.
- Set up chroot jail (SAFE_ROOT) that contains message (MAILBOX)
you want to give to Mail2Web client.
mkdir /etc/qpopper/jail
cp m2w.mbox /etc/qpopper/jail
chmod 0755 /etc/qpopper/jail
chmod 0444 /etc/qpopper/jail
chown -R root:other /etc/qpopper/jail
- Test it by entering a fake Email address in your Email domain with a fake
password, and see if your message ends up on the screen (as well as in your system
logs).
If you have suggestions or corrections, by all means send them to me.
Joseph Tam < >
|