Gossamer Forum

Gossamer Mail in Headers = Security Issue

Hello,

Where do I look to get rid of the "Gossamer Mail" notice that appears in the source headers of sent messages?

This appears in the following Format:

X-Gloop: Gossamer Mail
X-Loop: Gossamer Mail

I want to change this for two reasons:

- It tends to obliterate our "independence" as a business.

- But most importantly, it offers an open door to hackers who might want to harm my email system.

Basically, I do not trust that Gossamer Mail, in its current state, is a fully secure product. With the headers telling people what kind of software was used to generate the email, I fear that someone might one day try an exploit on my email system and totally destroy what I am doing.

When a hacker does not know the program generating an email, he or she would have a harder time finding out. But if he knows this from the start, 50% of his job is done as it thus becomes easy to work specifically towards diabolic motives.

So, I need urgently to know where I need to look to get rid of any mention of Gossamer Mail in the message headers.

Thanks.
Re: [Mama] Gossamer Mail in Headers = Security Issue In reply to
Hi,

Those headers are essential in preventing mail loops. You can change the contents of the headers to a random string, as the program just looks for the existence of the headers. This would be done in incoming and outgoing.pl.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Gossamer Mail in Headers = Security Issue In reply to
So, instead of Gossamer Mail, I can simply replace it with some other value without deleting the header entries altogether?

I am gonna try.

Thanks.
Re: [Mama] Gossamer Mail in Headers = Security Issue In reply to
Yep, that's right, it is only so GMail can see if the message has been through the system already, otherwise it would cause an awful loop (as Alex mentioned) :)

Last edited by Paul: Jul 24, 2002, 9:21 AM
Re: [Alex] Gossamer Mail in Headers = Security Issue In reply to
OK, I wanna be sure I won't break my install.

I did not find any instance of "Gossamer Mail" values in incoming.pl. However, I found some in outgoing.pl.

Because I don't want to break my install, tell me if the following is correct.

In Outgoing.pl, can I replace all the instances of "Gossamer Mail" below with some text such as "EMailer" so that the instances below....


Lines 183 / 184

$top->set('X-GLoop' => 'Gossamer Mail');
$top->set('X-Loop' => 'Gossamer Mail');

Lines 282 / 283

$head->set('X-GLoop' => 'Gossamer Mail');
$head->set('X-Loop' => 'Gossamer Mail');

Line 308

# Detection of loops
my $loop = $head->get('X-GLoop');
if ($loop and $loop eq 'Gossamer Mail') {

Lines 377/378

$head->set('X-GLoop' => 'Gossamer Mail');
$head->set('X-Loop' => 'Gossamer Mail');


...would become


Lines 183 / 184

$top->set('X-GLoop' => 'EMailer');
$top->set('X-Loop' => 'EMailer');

Lines 282 / 283

$head->set('X-GLoop' => 'EMailer');
$head->set('X-Loop' => 'EMailer');

Line 308

# Detection of loops
my $loop = $head->get('X-GLoop');
if ($loop and $loop eq 'EMailer') {

Lines 377/378

$head->set('X-GLoop' => 'EMailer');
$head->set('X-Loop' => 'EMailer');



.... without breaking GM?

Thanks.
Re: [Mama] Gossamer Mail in Headers = Security Issue In reply to
Actually the value for the X-Loop/X-GLoop header doesn't matter. incoming.pl only checks for the existence of the header itself, so you can change the value to anything you want. I did a grep through the code and these are the lines I found you would need to change:
Code:
batch/outgoing.pl:182: $top->set('X-GLoop' => 'Gossamer Mail');
batch/outgoing.pl:183: $top->set('X-Loop' => 'Gossamer Mail');
batch/outgoing.pl:281: $head->set('X-GLoop' => 'Gossamer Mail');
batch/outgoing.pl:282: $head->set('X-Loop' => 'Gossamer Mail');
batch/outgoing.pl:376: $head->set('X-GLoop' => 'Gossamer Mail');
batch/outgoing.pl:377: $head->set('X-Loop' => 'Gossamer Mail');
Which corresponds with your findings.

Adrian
Re: [brewt] Gossamer Mail in Headers = Security Issue In reply to
Perfect, my man.

It feels so goooooood... ;)

Thanks.
Re: [brewt] Gossamer Mail in Headers = Security Issue In reply to
Couple of questions on this...

1. Can I safely change the same on version 2.0.2-Upgrade?

2. Can you build the change into future versions if it's a potential security risk?

cheers,

regan.
Re: [ryel01] Gossamer Mail in Headers = Security Issue In reply to
In Reply To:
1. Can I safely change the same on version 2.0.2-Upgrade?
Yes

In Reply To:
2. Can you build the change into future versions if it's a potential security risk?
It's not really a security risk as there are no known vulnerabilities with Gossamer Mail, but many people do like to keep the name "Gossamer Mail" out of the software to make it look more customized. I'll see if we can get it changed to something more generic.

Adrian
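
An added example (not Gossamer Mail's own code, and not written by any poster in this thread) of the two loop checks discussed above: the value comparison quoted from outgoing.pl line 308 and the existence check incoming.pl is described as doing. Headers are modelled as a plain Perl hash, and `$LOOP_MARKER` and the helper names are hypothetical; the sample run compares how each check treats a message that was stamped with the old value before the marker was changed.

```perl
#!/usr/bin/perl
# Added example, not Gossamer Mail code. Headers are modelled as a plain,
# case-sensitive hash (a simplification); $LOOP_MARKER and all helper names
# are hypothetical.
use strict;
use warnings;

# One place for the marker value, so the lines that set the headers and the
# line that compares the value cannot drift apart when it is changed.
my $LOOP_MARKER  = 'EMailer';
my @LOOP_HEADERS = ('X-GLoop', 'X-Loop');

# Stamp an outgoing message (mirrors the ->set calls quoted from outgoing.pl).
sub stamp_outgoing {
    my ($head) = @_;
    $head->{$_} = $LOOP_MARKER for @LOOP_HEADERS;
    return $head;
}

# Value check, shaped like the "$loop eq '...'" test quoted from line 308.
sub seen_by_value {
    my ($head) = @_;
    my $loop = $head->{'X-GLoop'};
    return ($loop and $loop eq $LOOP_MARKER) ? 1 : 0;
}

# Existence check, as incoming.pl is described in the thread.
sub seen_by_existence {
    my ($head) = @_;
    return exists($head->{'X-GLoop'}) ? 1 : 0;
}

# Constructed sample messages.
my %samples = (
    'fresh message'         => { Subject => 'hello' },
    'stamped after change'  => stamp_outgoing({ Subject => 'hello' }),
    'stamped before change' => { Subject   => 'hello',
                                 'X-GLoop' => 'Gossamer Mail',
                                 'X-Loop'  => 'Gossamer Mail' },
);

for my $name (sort keys %samples) {
    my $head = $samples{$name};
    printf "%-22s value-check=%d existence-check=%d\n",
        $name, seen_by_value($head), seen_by_existence($head);
}
```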