mailing list archives
RE: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky)
From: John.Airey () rnib org uk
Date: Thu, 4 Mar 2004 10:59:33 -0000
From: Bill Royds [mailto:broyds () rogers com]
Sent: 04 March 2004 03:08
To: 'Dave Sherohman'
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] E-mail spoofing countermeasures (Was:
Backdoor not recognized by Kaspersky)
Outlook 2003, Outlook Express 6. Mozilla mail etc. do
recognize what host to
use for sending depending on what PoP server was used to read
the mail. They
maintain accounts and any mail that comes in one account (its
goes out that accounts corresponding SMP server. For example,
this is going
out on my Full Disclosure account, not my Yahoo or Hotmail.
The problem is that there MX entries have nothing logical to
do with where
an email comes from. MX is mail destination addresses.
What is needed is a mail source record in DNS (MS record ?)
that gives the
legitimate sending hosts for that domain. If the envelope
from address uses
a certain domain, looking up the MS record for that domain
should produce an
IP list that includes the sending host.
Using authenticated SMTP, this would still allow a different return
address in headers since envelope from would be user who
SMTP server. But it would prevent spoofed email (although
spam would still
arrive, it could be tied to actual sender, allowing things
like CAN-SPAM to
I can see at least two problems with this "solution".
First, errors with DNS configurations are common. I see "lame server" errors
regularly, and at the moment even our own ISP doesn't have reverse DNS
records for our IP addresses on its name servers (and I am hassling them
constantly to fix it).
Second, this "trusted" server will undoubtedly accept email from any
internal host so it won't take long for a virus to find it (they are usually
mail.domain-name or smtp.domain-name).
A better solution would be to only allow one (or two) mail servers from your
organisation to be able to talk to port 25 on another server (egress
filtering), without another change to the DNS standard. This still has the
same drawback as the second one mentioned above.
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk
Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?
NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.
RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.
Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.
RNIB Registered Charity Number: 226227
Full-Disclosure - We believe in it.
- RE: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky) John . Airey (Mar 04)