Qpopper patch to snare Mail2Web clients

Introduction

This directory contains a patch for qpopper (4.0.8) that I wrote to deal with the Mail2Web.com problem. Mail2Web.com is a free web Email proxy service that offers to let users read their Email by connecting to their remote mail server.

There are 2 problems with their service:

  1. it sometimes leaves idle qpopper processes hanging around (probably when the user interrupts the browser in mid session); and

  2. if they cannot authenticate successfully for whatever reason, Mail2Web will start spewing the user's authentication information around, even to other servers outside the mail domain. This means someone can passively collect usernames and passwords.

I explain the problem more fully in this write-up

This patch to qpopper 4.0.8 (which can easily be adapted to other versions) will cause qpopper to enter a fake POP3 session if it recognizes that the client is coming from Mail2Web's network. It will put itself into a sandbox (setuid(), setgid(), chroot()) and start a POP3 session that allows the client access to an RFC822 mailbox with one message. It will accept any user or password information as valid. In fact you don't even need that; it's stateless. The daemon goes into a read-execute loop that is guaranteed to terminate: it ends when an inactivity timeout occurs, a maximum command count is reached, or the client quits.

The message the user gets cannot be deleted, although it will quite happily accept a "DELE" pop command.

By accepting any authentication data as valid, it will fool Mail2Web into thinking it has found the right mail server, and will stop it from roaming around the network and giving out this sensitive information. It can also provide a warning to the Mail2Web user about why their service is insecure and provide some negative advertising.
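The stateless read-execute loop described above, as an added example that is not the code in m2w.patch: the function names m2w_reply and m2w_session, the values chosen for MAXCMDS and OUR_TIMEOUT, and the message text are assumptions, and the client-address check and the setuid()/setgid()/chroot() sandbox step are left out.

```c
#include <stdio.h>
#include <strings.h>
#include <unistd.h>
#define MAXCMDS     12  /* assumed value: cap on commands per session */
#define OUR_TIMEOUT 30  /* assumed value: seconds to wait per command */
/* Constructed stand-in for the single message held in MAILBOX. */
static const char MSG[] =
    "Subject: Why this proxy is unsafe\r\n\r\n"
    "Your password was sent to a server that is not yours.\r\n";

/* Reply to one command. No state is kept: USER/PASS always succeed and
 * DELE is acknowledged without deleting. Returns 1 on QUIT, else 0. */
int m2w_reply(const char *line, char *out, size_t n)
{
    size_t len = sizeof MSG - 1;
    int quit = !strncasecmp(line, "QUIT", 4);
    if (quit)
        snprintf(out, n, "+OK bye\r\n");
    else if (!strncasecmp(line, "STAT", 4))
        snprintf(out, n, "+OK 1 %zu\r\n", len);
    else if (!strncasecmp(line, "RETR", 4))
        snprintf(out, n, "+OK %zu octets\r\n%s.\r\n", len, MSG);
    else if (!strncasecmp(line, "USER", 4) || !strncasecmp(line, "PASS", 4) ||
             !strncasecmp(line, "DELE", 4) || !strncasecmp(line, "NOOP", 4))
        snprintf(out, n, "+OK\r\n");
    else
        snprintf(out, n, "-ERR unknown command\r\n");
    return quit;
}

/* Read-execute loop with the exits the text lists: QUIT, MAXCMDS commands,
 * or SIGALRM (default action ends the process) after OUR_TIMEOUT seconds. */
int m2w_session(FILE *in, FILE *out)
{
    char line[512], reply[1024];
    int handled = 0, done = 0;
    fputs("+OK POP3 ready\r\n", out);
    while (!done && handled < MAXCMDS) {
        fflush(out);
        alarm(OUR_TIMEOUT);            /* re-armed before every read */
        if (!fgets(line, sizeof line, in)) break;
        done = m2w_reply(line, reply, sizeof reply);
        fputs(reply, out);
        handled++;
    }
    fflush(out);
    alarm(0);
    return handled;                    /* number of commands handled */
}
```

Because the alarm is re-armed before each read and the loop counter is bounded, the worst-case session length is MAXCMDS*OUR_TIMEOUT seconds, matching the bound given for the patch's defines.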

Files to download

  • m2w.patch: a patch to popper.c that will add the Mail2Web session code.
  • m2w.mbox: an example mailbox in RFC822 format that will be displayed to the user. Place this in the chroot() jail directory.

Installation

  1. Unpack qpopper 4.0.8, go to the popper source directory (where popper.c is found) and apply the patch.
    patch < m2w.patch

  2. Adjust define symbols if necessary:

    • SAFE_UID, SAFE_GID: a UID and GID that qpopper will assume during the Mail2Web session. No files should be owned by this UID or GID.
    • SAFE_ROOT: the directory that qpopper will chroot() to during the Mail2Web session. It ought to contain the mailbox MAILBOX fed to the client.
    • MAILBOX: the name of the mailbox file. It ought to contain one RFC822-compliant message that you want to display to the Mail2Web user.
    • MAXMESS: the maximum number of lines in the message. Extra lines will be truncated.
    • MAXCMDS: the maximum number of commands the session will execute. Typically, only a half-dozen is required.
    • OUR_TIMEOUT: the maximum number of seconds to wait for a command. The maximum length of time spent during a Mail2Web session should be MAXCMDS*OUR_TIMEOUT.

  3. Build and install the qpopper binary.

  4. Set up the chroot jail (SAFE_ROOT) that contains the message (MAILBOX) you want to give to the Mail2Web client.
    mkdir /etc/qpopper/jail
    cp m2w.mbox /etc/qpopper/jail
    chmod 0755 /etc/qpopper/jail
    chmod 0444 /etc/qpopper/jail/m2w.mbox
    chown -R root:other /etc/qpopper/jail

  5. Test it by entering a fake Email address in your Email domain with a fake password, and see if your message ends up on the screen (as well as in your system logs).

If you have suggestions or corrections, by all means send them to me.

Joseph Tam < >