Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)
From: Dave Sherohman <esper () sherohman org>
Date: Wed, 3 Mar 2004 19:29:08 -0600

On Wed, Mar 03, 2004 at 04:45:57PM -0500, Lachniet, Mark wrote:
Of course on the down side, you'd have to use your email server, with
legit MX record as your smart host for all users (may be a hassle for
home offices and POP clients, maybe requiring outgoing SMTP auth, but
that's easy right?)

Let us say that I have two email accounts with two different service
providers who use two different mail servers.  (Home/work,
IM/webboards, whatever.)  Let us also say that I read mail from both
accounts using a single MUA in a single session, possibly providing
me with a unified 'virtual inbox', possibly not.  Finally, let us say
that responses to messages addressed to Address_A should appear to
come from Address_A and responses to messages addressed to Address_B
should appear to come from Address_B.  (Similar to the 'alternates'
feature of mutt, if you're familiar with that.)

All in all, I would say this seems like a very reasonable situation.
Considering that Yahoo!'s web mail interface includes the ability to
check mail on other services via POP3, I suspect that it may even be
rather common.

It is also utterly incompatible with your 'SMTP ident' suggestion
unless MUAs (and probably MTAs as well) are modified to select from
among multiple smarthosts and/or command-line sendmail based on what
address the message being sent claims to come from.

Your suggestion could also be easily defeated by the mega-spammers
(you know - the ones with enough money to con an ISP into letting
them spam without cutting them off) setting up servers with MTAs
which have been modified to claim that they recognize any
message-id from any domain.  Just set up bogus MX records pointing at
such a server, and spam (or propagate Outlook worms) to your heart's
content from anywhere you want!

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault