Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Spoofing emails
From: natron at invisibledenizen.org (natron)
Date: Sun, 17 May 2009 10:09:36 -0500

On Fri, May 15, 2009 at 8:25 PM, John Miller <johnemiller at gmail.com> wrote:
an attacker. Requiring all incomming messages with an internal FROM address
to perform some sort of authentication can help to mitigate this threat.

This works to keep MAIL FROM: addresses being spoofed to appear to
come from internal users, but what about the scenario where the FROM:
address in the DATA section does not match the MAIL FROM: address used
in delivery?  I'm not an email administrator; what are the
configuration options in Exchange / Postfix / etc that allow you to
force them to match?

E.g.:

$ telnet mail.somedomain.com 25
Trying 1.2.3.4...
Connected to mail.somedomain.com
Escape character is '^]'.
220 
****************************************************************************************************************************************************************
HELO zyx
250 Blahblahblah says hello back
MAIL FROM: some-email-address at someplace-else.com
250 Ok
RCPT TO: victimuser at somedomain.com
250 Ok
DATA
354 Feed me
From: "IT Department" <it-dept at somdomain.com>
To: "All personnel"
Subject: Patch Installation - Action Required

...


In the above example, the MAIL FROM: is
"some-email-address at someplace-else.com" but the From: address within
the DATA section is "IT Department" <it-dept at somdomain.com>.  Outlook
2003 and 2007 both display the From: field given by the DATA section,
not the MAIL FROM: field used to deliver the message.  You only see
the actual sender if you view the headers sent along with the email.

What's the best solution in this case?

N


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault