2

I have just unregistered a domain. Now my mail client (Thunderbird) popped up a message saying that it cannot connect to the mail server. That's fine - for the moment.

However, I wonder what would happen when someone else registers the domain. Given the registrant would have an interest in attacking, would it be possible for him to figure out user name and password from a dangling client that repeatedly tries to connect?

Obviously, people would not immediately delete their mailbox locally. Perhaps there are still some mails to be archived or similar.

Is there some kind of "last action" a mail server can send to the client in order to prevent the mail client from connecting to a future server on the same name?

For my mail client, Thunderbird does not have an option for disabling an account. I also cannot delete the server name completely. It wants a valid server name. If nothing is entered, it will automatically choose the old name again.

Thomas Weller
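Since Thunderbird insists on a syntactically valid server name, one defensive workaround for the situation in the question is to park the account's hostname under the reserved `.invalid` top-level domain (RFC 2606), which no registrar can sell and which resolvers never answer for, so the client can never reach a future registrant of the dropped domain. The script below is an added example, not code from the question or from the Thunderbird project; it assumes the standard `prefs.js` pref names `mail.server.serverN.hostname` and `mail.smtpserver.smtpN.hostname`, and the sample `prefs.js` lines are constructed.

```python
import re
import sys
from pathlib import Path

# One Thunderbird pref line naming an incoming (IMAP/POP) or outgoing (SMTP)
# server host, e.g.  user_pref("mail.server.server1.hostname", "imap.example.com");
PREF_RE = re.compile(
    r'^user_pref\("(mail\.(?:server\.server|smtpserver\.smtp)\d+\.hostname)",'
    r'\s*"([^"]+)"\);$'
)

def _under(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def retire_hostname(line, dropped_domain):
    """Rewrite a hostname pref pointing under dropped_domain so the host sits
    below the reserved .invalid TLD.  Thunderbird still sees a valid server
    name, but the account can never connect to whoever registers the old
    domain next.  Any other line is returned unchanged."""
    m = PREF_RE.match(line.strip())
    if not m or not _under(m.group(2), dropped_domain):
        return line
    return f'user_pref("{m.group(1)}", "{m.group(2)}.invalid");'

def retire_prefs(text, dropped_domain):
    """Apply retire_hostname to a whole prefs.js body.
    Returns (new_text, list_of_hosts_that_were_rewritten)."""
    out, changed = [], []
    for line in text.splitlines():
        new = retire_hostname(line, dropped_domain)
        if new != line:
            changed.append(PREF_RE.match(line.strip()).group(2))
        out.append(new)
    return "\n".join(out) + "\n", changed

# Constructed sample of the relevant prefs.js lines (not a real profile).
SAMPLE_PREFS = """\
user_pref("mail.server.server1.hostname", "imap.olddomain.example");
user_pref("mail.server.server1.userName", "thomas");
user_pref("mail.server.server2.hostname", "imap.notolddomain.example");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.olddomain.example");
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: retire_mail_host.py <prefs.js> <dropped-domain>
        path = Path(sys.argv[1])
        new_text, hosts = retire_prefs(path.read_text(encoding="utf-8"), sys.argv[2])
        path.write_text(new_text, encoding="utf-8")
    else:                    # no arguments: dry run on the constructed sample
        new_text, hosts = retire_prefs(SAMPLE_PREFS, "olddomain.example")
    print(new_text)
    print("rewritten:", hosts)
```

Run it with Thunderbird closed, since Thunderbird rewrites `prefs.js` on exit. The saved password still lives in the profile's password store and should be removed there separately.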

2 Answers

1

If you have a domain that has handled important email for you, you need to keep it registered forever or at least until any email you might receive is completely useless.

An attacker can easily buy your old domain, set up a mail server to accept all mail regardless of whether or not the user exists, and accept any mail sent to you.

This means that s/he could send your bank a password reset request for example, accept the email, click on the link and steal your money.

There's no particular risk for your client software. The only risk I can see is that whoever owns the domain can accept and read your incoming mail.

PushfPopf
  • Why wouldn't the client software be a risk? If the new domain owners get a certificate from a trusted authority (easily done, now that they legitimately own the domain) they could also easily set up to process logins and record the username and password. If any users of the previous server re-use that password anywhere else they're in trouble. – Ben Nov 01 '18 at 17:48
  • @Ben That would be a risk for the user, not the client software. – PushfPopf Nov 01 '18 at 17:57
  • Risks to the user are *exactly what this question is about*: "would it be possible...to figure out user name and password from a dangling client that repeatedly tries to connect", "Is there some [action] a mail server can send to the client in order to prevent the mail client from connecting to a future server on the same name", etc. The question is about whether a mail client is a risk *to the user* if its server's domain is taken over by malicious actors, and specifically whether they can steal your old mail server password. The answer is "yes". – Ben Nov 01 '18 at 18:12
  • Thunderbird warns the user if the server certificate changes. If the user accepts the new certificate, there's nothing to prevent the server from recording the userid/password sent to it. However this isn't a vulnerability or automatic. The user would have to agree to send his credentials to a server he knows is not legitimate. – PushfPopf Nov 01 '18 at 18:21
-1

Yeah, that's a remote possibility but it could be possible. If somebody registers the domain and sets up something to "listen" to the requests, all the non-encrypted requests will be owned directly, and I'm not sure about the encrypted ones. Probably too, but this would need a more elaborate fake server to be created.

Siracuso