If you want to hijack widely used JavaScript packages, try phishing for devs through these DMARC-shaped holes in key Node.js domains

Two significant domains for the Node.js community, npmjs.com and nodejs.org, lack DMARC email security policies, an oversight that could allow a miscreant to send easily spoofed emails to the community. The Register was alerted to the issue by a developer using the pseudonym niftylettuce who expressed concern that forged …

  1. Duncan Macdonald Silver badge
    Stop

    Use a non-web email client

    A good non-web email client (like Thunderbird) that includes a view source (including all headers) capability makes it much easier to tell fakes from real messages. (I have received several messages purporting to be from TV licensing - but with an origin address ending in .jp it was obvious that they were fakes.) Web based email often lacks this important feature.

    1. FILE_ID.DIZ
      Boffin

      Re: Use a non-web email client

      Well, first off... gmail's web client is actually pretty robust. Shows a lot more information without having to go into the weeds, so bravo for them. But only with respect to helping detect spam and fraudulent emails... otherwise, I don't touch the stuff except maybe once every six months to go clear out the mountain of spam in there and to keep my account active.

      If only other MUAs (web or program) would show the 5321.Mail domain, it'd help a lot.

      The real problem is mobile MUAs. There's just not enough screen real estate to provide a robust UI for sussing out bogus emails. Hell, mobile MUAs can't even get the UI to help users differentiate between Trash and Spam....

      On to this article.. now, not sure if this is new since it was published, but nodejs.org has a DMARC record... but it is just set for monitoring. Having monitoring is way better than no DMARC record, so.... I'm curious about the timeline now.

      nodejs.org has a small SPF footprint - only has google mail in their SPF record... but they have an -all at the end. Hopefully they know what they're doing. Typically domains with an -all at the end don't.

      Looking at npmjs.com, they too have a DMARC record, and like nodejs.org, it's just monitoring... but looking at the number of third-party includes in npmjs.com's SPF record, looks like they have their work cut out for them before they can crank that up.

      And yes, DKIM must be done too.. But really, I wouldn't depend on DMARC if I didn't have both SPF and DKIM working perfectly for all emails. The reason is that either of these can break pretty easily with forwarding (hence why the -all in the SPF is dumb) or even going through a third-party spam filter... and the same with DKIM... it is very fragile.

      1. Anonymous Coward
        Anonymous Coward

        Re: gmail

        However, gmail also silently ditches emails where the sender is not listed in the SPF record for the domain.

        A warning I can understand, even outlook style disabling links/attachments, but just to send it to /dev/null is out of order.

        Yes, I know it wouldn't be a problem if idiot, in this case telecoms, providers set their email up correctly.

        1. FILE_ID.DIZ
          Boffin

          Re: gmail

          This didn't make it into my original post, but whether that lettuce person chose Amazon's SES service specifically or just by happenstance, npmjs.com already allows for email to come from amazonses.com. So it's going to pass SPF whether the 5321 domain is aligned with the 5322 domain or not.

          In the screenshot, the 5321 domain was amazonses.com, so SPF was good.

          Remember that SPF only validates the 5321 from domain, not the 5322 domain, which is what is generally visible in most email clients.

          And by using global service provider(s) to handle your email, you open yourself up to a whole different set of problems. Makes it easy for a crim to open an account with that same global service provider and leverage your own SPF record against you if they want to target you specifically.

          With DMARC, that should be harder[1], since DMARC requires domain alignment between the 5321 and 5322 domains, along with SPF or DKIM success (with the DKIM signing domain aligned too) for the email not to be flagged as suspect.

          [1] Unless you also lose control of your DNS. And then you're doubly fucked and likely they aren't just phishing.
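Both FILE_ID.DIZ posts above turn on the same point: SPF only checks the RFC 5321 MailFrom domain, while DMARC additionally requires that domain (or the DKIM signing domain) to align with the visible RFC 5322 From: domain. The following is an added example, not code from the article or from any commenter, that applies that alignment rule to constructed headers for three cases: a message sent through a shared provider that the target's SPF record already permits, a legitimate message whose envelope sender is a subdomain, and a forwarded message that keeps its DKIM signature. It assumes standard Return-Path, From and Authentication-Results (RFC 8601) headers as a receiving MTA would write them; the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup. The domains npmjs.com and amazonses.com come from the thread; mx.example.net and forwarder.example are placeholders.

```python
"""
Added example (not from the article or any commenter): a minimal DMARC
identifier-alignment check over constructed message headers. DMARC passes
when SPF passed for the RFC 5321 MailFrom domain AND that domain aligns
with the RFC 5322 From: domain, OR DKIM passed AND its d= domain aligns
with the From: domain. "Aligns" = identical (strict) or same organizational
domain (relaxed). org_domain() is a two-label approximation (assumption);
real evaluators use the Public Suffix List.
"""
import re
from email import message_from_string


def parse_auth_results(raw_message: str) -> dict:
    """Extract the identifiers DMARC needs from From:, Return-Path: and an
    RFC 8601 Authentication-Results: header written by the receiving MTA."""
    msg = message_from_string(raw_message)
    auth = msg.get('Authentication-Results', '')

    def addr_domain(field: str) -> str:
        m = re.search(r'@([A-Za-z0-9.-]+)', field)
        return m.group(1).lower() if m else ''

    spf = re.search(r'\bspf=(\w+)', auth)
    spf_dom = re.search(r'smtp\.mailfrom=(?:[^@;\s]+@)?([A-Za-z0-9.-]+)', auth)
    dkim = re.search(r'\bdkim=(\w+)', auth)
    dkim_dom = re.search(r'header\.d=([A-Za-z0-9.-]+)', auth)
    return {
        'header_from_domain': addr_domain(msg.get('From', '')),
        # Prefer the MailFrom the MTA recorded; fall back to Return-Path.
        'mail_from_domain': (spf_dom.group(1).lower() if spf_dom
                             else addr_domain(msg.get('Return-Path', ''))),
        'spf_result': spf.group(1).lower() if spf else 'none',
        'dkim_result': dkim.group(1).lower() if dkim else 'none',
        'dkim_domain': dkim_dom.group(1).lower() if dkim_dom else '',
    }


def org_domain(domain: str) -> str:
    """Two-label approximation of the organizational domain (assumption)."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(ident: str, header_from: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if not ident or not header_from:
        return False
    if mode == 's':
        return ident.lower() == header_from.lower()
    return org_domain(ident) == org_domain(header_from)


def dmarc_evaluate(ids: dict, aspf: str = 'r', adkim: str = 'r') -> dict:
    """Apply the DMARC rule: an aligned SPF pass OR an aligned DKIM pass."""
    spf_ok = ids['spf_result'] == 'pass' and aligned(
        ids['mail_from_domain'], ids['header_from_domain'], aspf)
    dkim_ok = ids['dkim_result'] == 'pass' and aligned(
        ids['dkim_domain'], ids['header_from_domain'], adkim)
    return {'spf_aligned': spf_ok, 'dkim_aligned': dkim_ok,
            'dmarc': 'pass' if (spf_ok or dkim_ok) else 'fail'}


# Constructed sample 1 (the thread's scenario): the envelope sender is
# amazonses.com, which npmjs.com's SPF record permits, so SPF passes;
# the visible From: is npmjs.com, and nothing is aligned to it.
SHARED_PROVIDER = """\
Return-Path: <0101abc@amazonses.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=0101abc@amazonses.com; dkim=pass header.d=amazonses.com
From: npm support <support@npmjs.com>

(body omitted)
"""

# Constructed sample 2: bounces from a subdomain, no DKIM. Aligned only in
# relaxed mode, since mail.npmjs.com and npmjs.com share an org domain.
SUBDOMAIN_SENDER = """\
Return-Path: <bounces@mail.npmjs.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.npmjs.com; dkim=none
From: npm support <support@npmjs.com>

(body omitted)
"""

# Constructed sample 3: a forwarder rewrote the envelope sender (SPF no
# longer aligns) but the npmjs.com DKIM signature survived, which is
# what carries DMARC through forwarding.
FORWARDED = """\
Return-Path: <srs0=abc=npmjs.com@forwarder.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=forwarder.example; dkim=pass header.d=npmjs.com
From: npm support <support@npmjs.com>

(body omitted)
"""


def evaluate_all() -> dict:
    """Verdict per constructed sample under default relaxed alignment."""
    return {name: dmarc_evaluate(parse_auth_results(raw))['dmarc']
            for name, raw in [('shared_provider', SHARED_PROVIDER),
                              ('subdomain_sender', SUBDOMAIN_SENDER),
                              ('forwarded', FORWARDED)]}
```

`evaluate_all()` returns one verdict per sample: the shared-provider message passes SPF yet fails DMARC because neither the MailFrom domain nor the DKIM d= domain is aligned with the From: domain; the subdomain sender passes only under relaxed alignment (pass `aspf='s'` to see it fail); the forwarded message loses SPF alignment but passes through DKIM, which is why the thread's advice to have both SPF and DKIM working before tightening a DMARC policy matters.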

      2. sitta_europea

        Re: Use a non-web email client

        "nodejs.org has a small SPF footprint - only has google mail in their SPF record... but they have an -all at the end. Hopefully they know what they're doing. Typically domains with an -all at the end don't."

        What a load of tripe. Small footprint? Google mail? Let's see now....

        _netblocks.google.com: about 215,000 IPs

        _netblocks3.google.com: about 137,000 IPs

        _netblocks2.google.com: about 3 x 10^29 IPs

        Domains with -all at the end are just taking it seriously. If you don't know how to forward mail without also forging it, don't do it.

    2. iron Silver badge

      Re: Use a non-web email client

      Never click links in emails that ask you to log into an account. Doesn't matter where it appears to come from, just don't do it. If you think the email may be legit open a browser and navigate to the relevant site manually. Simple, effective, works on all devices, requires no technical knowledge and foils 100% of phishing emails.

      1. CrackedNoggin

        Re: Use a non-web email client

        A company should only allow email clients that disable email links.

  2. chuBb. Bronze badge
    Trollface

    NPM LOL!!!!

    it's the gift that keeps giving

  3. allan wallace

    No DMARC in this day and age!?!?

    That's just like theregister.co.uk

    and theregister.com

    and let's not mention the issues with SPF...

    Incidentally while the password reset emails are not signed with DKIM,

    they are at least delivered with TLS...

    1. sitta_europea

      Re: No DMARC in this day and age!?!?

      "and let's not mention the issues with SPF..."

      Too late!

  4. CrackedNoggin

    Is it possible to reset 2FA via mail? Are there any major npmjs accounts that aren't using 2FA? That would be dumb.


Biting the hand that feeds IT © 1998–2020