people using masked 'from' address to send spam with additional CC'd
I've implemented the script to generally positive results and for my use-case, it's turned out to be a really great solution. However, I've come across a small issue relating to spam that I'm not quite sure how to mitigate.
I've noticed, in very sporadic bursts, that a malicious spam user (or users) will send spam messages to one of our aliases, and then CC or otherwise add additional recipients to the message. When this message gets sent out, because one of our aliases is on the message, it's hitting our SES/Lambda and getting re-sent out using the masked 'from' address as noted on line 31 of the script. This is bad because now the spam message looks, at first glance, as if it originated from our domain.
Has anyone else experienced this? I filed an AWS support ticket about this, requesting additional help in configuring the lambda and associated iam role for stricter security, only to later realize that this is 'working as designed', expected behavior of the script.
I have contemplated restricting initial emails sent to our aliases to remove, strip, or reject additional recipients or the CC field, but not replies. But this, I feel, would cause confusing, wonky and undesirable consequences for my users and seems like the wrong approach.
Any ideas on how this issue could be solved/mitigated by something in the script?
I haven't seen this happen yet but if it does indeed happen I would be interested in the fix.
Funny enough Gmail just patched an issue that was rather similar in how it abuses a distribution list or existing resource to trigger the forwarding of spam to other users on the list from a "trusted" email address/domain which bypasses a lot of spam filters.
https://www.techradar.com/news/google-finally-forced-to-patch-serious-gmail-bug-after-exploit-published-online
Your suggestion of only allowing addresses matching the domain to receive forwards from the list is a good one. Sending messages out using the list as a Reply-To and using SMTP creds to do so is probably another step towards better security, rather than sending a message to the address and hoping it forwards it on correctly without being open to abuse.
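One way to implement the domain-matching idea from this thread as a pre-forward check, written here as an added example and not code from the forwarder script: the Lambda refuses to re-send under the masked From when any To/Cc recipient lies outside the served domain. The `to`/`cc` field shape is assumed to follow the SES receipt event's `mail.commonHeaders`, and `example.com` is a constructed placeholder.

```javascript
// Added example (not the forwarder script's own code): refuse to forward a
// message whose visible recipients include addresses outside our domain, so
// a spammer cannot use the alias to relay to third parties under our From.
// Assumption: commonHeaders.to / commonHeaders.cc are arrays of raw address
// strings, as in the SES receipt event's mail.commonHeaders object.

const ALLOWED_DOMAIN = 'example.com'; // constructed placeholder domain

// Pull the bare address out of "Name <user@host>" or "user@host".
function extractAddress(raw) {
  const m = /<([^>]+)>/.exec(raw);
  return (m ? m[1] : raw).trim().toLowerCase();
}

// Return the To/Cc recipients whose domain differs from allowedDomain.
function foreignRecipients(commonHeaders, allowedDomain) {
  const all = [...(commonHeaders.to || []), ...(commonHeaders.cc || [])];
  const domain = allowedDomain.toLowerCase();
  return all.map(extractAddress).filter((addr) => {
    const at = addr.lastIndexOf('@');
    return at === -1 || addr.slice(at + 1) !== domain;
  });
}

// Decide whether the forwarder may re-send under the masked From.
// Returns { forward, reason } so the Lambda can log why a message was dropped.
function shouldForward(commonHeaders, allowedDomain = ALLOWED_DOMAIN) {
  const foreign = foreignRecipients(commonHeaders, allowedDomain);
  if (foreign.length > 0) {
    return { forward: false, reason: 'outside recipients: ' + foreign.join(', ') };
  }
  return { forward: true, reason: 'all recipients in ' + allowedDomain };
}

// Constructed sample: spam sent to an alias with an extra CC at another domain.
const sampleSpam = { to: ['Alias <alias@example.com>'], cc: ['victim@elsewhere.org'] };
// Constructed sample: a normal message addressed only to the alias.
const sampleOk = { to: ['alias@example.com'], cc: [] };

console.log(shouldForward(sampleSpam)); // forward: false
console.log(shouldForward(sampleOk));   // forward: true
```

The check only sees recipients present in the headers, so Bcc recipients are not covered; it addresses the CC-relay pattern described in the issue, not every relay abuse.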