Home page logo
/

basics logo Security Basics mailing list archives

Re: Sender Spoofing via SMTP
From: brandon.steili () gmail com
Date: 3 Nov 2005 20:20:35 -0000

Everyone,

Thanks for your replies thus far, but they have helped add few more thoughts. By the way, I'm also looking for any 
thoughts on how to restrict this from happening internally as well. Using the about example, I can connect to a local 
exchange server and intiate the same spoofing technique to another local user -- for example I can connect to the 
server via Telnet to 25 and send my cubemate an email from santa () mydomain and tell him that the north pole has been 
having connectivity issues... It's junk like this I am trying to prevent internal and external people from doing 
straight from a telnet session.

Quote(Andrew Chong) - Currently, two common technologies are SMIME and PGP to digitallysign/encrypt emails.
Response - This would help validate the sender to the enduser, which is a good start (and easy to teach to users). Not 
really the overall solution but definetly getting there. Thanks!

Quote(Craig Wright) - Internal mail will not generally pass through SMTP 
Response - Great Point, but in this scenario I am connecting to port 25 and intiating the message directly via SMTP on 
the server. I think regardless of what happens to the message once it hits the queue and gets moved around by the 
Information Store or another MTA the fatal problem is that I was able to connect and send send the message?

Quote (Dallas Jordan & Corey LeBleu) (sort of combining these two) - I believe you should set your email server to only 
relay email coming from your domain. that would prevent people from the internet connecting to the server and sending 
emails randomly. Unauthenticating Mail Relay Response - However if I setup the server so it requires authentication for 
communication, would this not break the ability for other domains to send email to my users? I have validated that I 
cannot spoof outbound emails from the internet based connection, so I'm not a completely open relay, but open
enough that external connections can spoof an internal email sender and get that mail delivered to a recipient.

Sorry for hitting this so hard, but I have done a bunch of searching on the net, read way too much Technet and although 
I find bits and pieces, nothing really addresses the ability to spoof a sender or prevent this type of relaying without 
breaking everything else.

Thanks Again for the responses!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault