process incoming mail text as a command.
Gilles Gravier
ggravier at fsfe.org
Fri Feb 12 09:13:03 UTC 2010
Hi!
On 12/02/2010 10:05, Amedee Van Gasse (ub) wrote:
> On Fri, February 12, 2010 02:59, Tomoki Taniguchi wrote:
>
>> I am hoping someone can help me with this.
>>
>> I want a way to send an email to a server and have it process the
>> content as a command.
>> I think there is a tool out there for this, but can't seem to find the
>> right search criteria to find the proper tool.
>>
>> to limit exposure,
>> 1) I want it to check the email address of the sender (possibly other
>> email header criteria for more security)
>>
> You DO know that the email address is very easy to fake, as well as every
> other email header? Take a look at this example (a SMTP session that you
> can type in the terminal).
>
> telnet mail.example.com 25
> HELO evilcracker.example.com
> MAIL FROM: <tomoki.taniguchi at gmail.com>
> RCPT TO: <tomoki.taniguchi at gmail.com>
> DATA
> Subject: I am spoofing your email address
> From: <tomoki.taniguchi at gmail.com>
>
> rm -rf /
>
> .
> QUIT
>
>
>
>> 2) limit the commands it will process to a predefined list (ie, reboot)
>>
> 3) run the commands as an unprivileged user!!!
>
>
>> I would appreciate it if someone can point me in the right direction
>>
> Why can't you simply use ssh to log in and execute the commands? I suppose
> you must have a good reason, but I really want to help you in keeping your
> box secure, it's up to you to accept or decline my help.
>
I fully concurr with Amedee!
It's VERY dangerous to enable direct mails sending commands to
execute... :) You need to be very careful
One thing could be to implement some kind of cryptographic control. For
example, your mail could be digitally signed, and the receiving 'bot
could then authenticate versus that signature. That way, even if
somebody fakes your e-mail address and sends pretending to be you... the
digital signature will be much harder to intercept.
DO NOT send some kind of login and password in clear. E-mails go through
lots of public infrastructure where they can be intercepted (in
particular WiFi hotspots).
I would also use SSH. (In fact, I *DO*. My home Ubuntu server is behind
a firewall that only lets a few protocols through, one is SSH on port
22, and from the SSH, I can then tunnel VNC and do full admin of my
machine).
Gilles
More information about the ubuntu-users
mailing list