PaulDotCom mailing list archives

Spoofing emails
From: natron at invisibledenizen.org (natron)
Date: Sun, 17 May 2009 10:09:36 -0500

On Fri, May 15, 2009 at 8:25 PM, John Miller <johnemiller at gmail.com> wrote:
> an attacker. Requiring all incoming messages with an internal FROM address
> to perform some sort of authentication can help to mitigate this threat.

This works to keep MAIL FROM: addresses being spoofed to appear to
come from internal users, but what about the scenario where the FROM:
address in the DATA section does not match the MAIL FROM: address used
in delivery?  I'm not an email administrator; what are the
configuration options in Exchange / Postfix / etc that allow you to
force them to match?


$ telnet mail.somedomain.com 25
Connected to mail.somedomain.com
Escape character is '^]'.
HELO zyx
250 Blahblahblah says hello back
MAIL FROM: some-email-address at someplace-else.com
250 Ok
RCPT TO: victimuser at somedomain.com
250 Ok
DATA
354 Feed me
From: "IT Department" <it-dept at somdomain.com>
To: "All personnel"
Subject: Patch Installation - Action Required


In the above example, the MAIL FROM: is
"some-email-address at someplace-else.com" but the From: address within
the DATA section is "IT Department" <it-dept at somdomain.com>.  Outlook
2003 and 2007 both display the From: field given by the DATA section,
not the MAIL FROM: field used to deliver the message.  You only see
the actual sender if you view the headers sent along with the email.

What's the best solution in this case?
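
Added example, not part of the original post: a receiving-side check that compares the envelope sender, which the delivering MTA records in the Return-Path: header, with the From: header the mail client displays. The function names, verdict strings and the domains corp.example, elsewhere.example and lists.example are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL = {"corp.example"}  # constructed: domains your own users send from

def domain_of(value):
    """Lower-cased domain of an address header value, '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw, internal=INTERNAL):
    """Classify a delivered message by envelope sender vs. header From:."""
    msg = message_from_string(raw)
    if len(msg.get_all("From", [])) != 1:
        return "bad-from"            # zero or several From: headers
    envelope = domain_of(msg.get("Return-Path"))  # MAIL FROM recorded at delivery
    header = domain_of(msg.get("From"))           # what the mail client shows
    if not envelope:
        return "no-envelope"         # bounce ("<>") or header missing
    if envelope == header:
        return "aligned"
    if header in internal and envelope not in internal:
        return "spoofed-internal"    # claims to be internal, delivered from outside
    return "mismatch"                # also seen with mailing lists and forwarders

# Constructed sample messages (not taken from the thread).
SPOOFED = ("Return-Path: <some-address@elsewhere.example>\n"
           'From: "IT Department" <it-dept@corp.example>\n'
           "Subject: Patch Installation - Action Required\n\nbody\n")
LEGIT = ("Return-Path: <it-dept@corp.example>\n"
         'From: "IT Department" <it-dept@corp.example>\n\nbody\n')
LIST_MAIL = ("Return-Path: <bounces@lists.example>\n"
             "From: Someone <someone@elsewhere.example>\n\nbody\n")
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@corp.example\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT),
                      ("list", LIST_MAIL), ("bounce", BOUNCE)]:
        print(name, "->", check_sender(raw))
```

Only the "spoofed-internal" verdict is a strong signal; a plain "mismatch" is normal for list and forwarded mail, which is why the two are reported separately.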

