Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky)
From: John.Airey () rnib org uk
Date: Thu, 4 Mar 2004 10:59:33 -0000

-----Original Message-----
From: Bill Royds [mailto:broyds () rogers com]
Sent: 04 March 2004 03:08
To: 'Dave Sherohman'
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] E-mail spoofing countermeasures (Was:
Backdoor not recognized by Kaspersky)

Outlook 2003, Outlook Express 6. Mozilla mail etc. do 
recognize what host to
use for sending depending on what PoP server was used to read 
the mail. They
maintain accounts and any mail that comes in one account (its 
PoP3 server)
goes out that accounts corresponding SMP server. For example, 
this is going
out on my Full Disclosure account, not my Yahoo or Hotmail.
The problem is that there MX entries have nothing logical to 
do with where
an email comes from. MX is mail destination addresses. 
What is needed is a mail source record in DNS (MS record ?) 
that gives the
legitimate  sending hosts for that domain. If the envelope 
from address uses
a certain domain, looking up the MS record for that domain 
should produce an
IP  list that includes the sending host. 
  Using authenticated SMTP, this would still allow a different return
address in headers since envelope from would be user who 
authenticated to
SMTP server. But it  would prevent spoofed email (although 
spam would still
arrive, it could be tied to actual sender, allowing things 
like CAN-SPAM to

I can see at least two problems with this "solution". 
First, errors with DNS configurations are common. I see "lame server" errors
regularly, and at the moment even our own ISP doesn't have reverse DNS
records for our IP addresses on its name servers (and I am hassling them
constantly to fix it).

Second, this "trusted" server will undoubtedly accept email from any
internal host so it won't take long for a virus to find it (they are usually
mail.domain-name or smtp.domain-name). 

A better solution would be to only allow one (or two) mail servers from your
organisation to be able to talk to port 25 on another server (egress
filtering), without another change to the DNS standard. This still has the
same drawback as the second one mentioned above.

John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?


NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • RE: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky) John . Airey (Mar 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]