Security Basics mailing list archives
Re: Sendmail 8.11 configuration/security issue - some clarification
From: GB Clark <gclarkii () vsservices com>
Date: Tue, 7 Jan 2003 07:26:34 -0600
On Mon, 06 Jan 2003 22:11:49 +0000 oobs3c02 () attbi com wrote:
All,

Thanks for the input on this so far. To clarify, John65 () pobox com is exactly right in stating that I'm trying to stop the spoofing of my domain as the sender to my own domain (e.g. helpdesk@xyz to johnSmith@xyz where helpdesk is the spoofed sender). This is not an open relay server and the spam is not (as far as I can tell) as a result of any viruses guessing at accounts. The primary concern is with stopping mail with my domain as the sender and my domain as the recipient if the sender IP is not within networks which I control.

I don't want to give any "crackers" monitoring this mailing list any ideas (most likely they've thought of this already) but this makes the probability of someone opening up an email and executing an attachment much greater. In some testing me and some other guys did, it was trivial to send an email from an outside address with the sender spoofed to look like an internal, trusted source (the spoofing is very easy but knowledge of the internal account naming convention, etc. was a little bit more difficult to match). This would make it much easier for me to send an email from helpdesk () xyz com requesting that JohnSmith () xyz com execute the attached file. Sure he might know not to execute attachments from other untrusted domains but would he not open this from his "own" helpdesk? The amount of knowledge to execute this attack would be somewhat trivial to obtain - simple Google searches would most likely return the email addresses for a targeted company. A very large % of typical users would never think to check SMTP headers - they likely don't even know what those are.

I'm not sure that this problem can be resolved within sendmail config files but if anyone knows differently, please let me know.

Thanks again,
Jim

I think the original sender and several of the respondents may be confusing 'spam with forged headers' with 'open relaying.'

The original question was not about his relay being hijacked to send spam, it was about mail coming IN to his company xyz.com for joe () xyz com purporting to be from another sender at xyz.com when it really came from somewhere else. That's NOT open relaying, that's forging headers and there's not much you can do about it without breaking things (What if mary () xyz com wants to use her xyz.com return address when she's sending mail from home to joe () xyz com via her local ISP dialup -- Why would you want to block that?) What's the difference if incoming spam has one forged address or another anyway? It's still spam! 'Switching to Postfix', using a 'content security gateway,' or 'TLS' are not going to solve this problem (forging of email headers).
Hi,
Modern Sendmails have the concept of milters (mail filters). Using these you can access mail at any stage and apply a filter to it. Hit up Google with "milter sendmail" and you'll get plenty of information. I use SpamAssassin with a milter and it catches a lot of stuff, including forged headers. There are packages out there to allow you to write filters in C, C++, Perl, and other languages.
GB
--
GB Clark II | Roaming FreeBSD Admin
gclarkii () VSServices COM | General Geek
CTHULU for President - Why choose the lesser of two evils?
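The rule Jim describes (his own domain as both sender and recipient, arriving from an IP he does not control) is exactly the kind of per-transaction decision a milter can make, since the callbacks see the connecting IP, the envelope sender, each recipient and then the headers in turn. The following is an added example written for this archive page, not code from the thread or from sendmail/libmilter. It models that policy in plain Python with no milter library, so it runs stand-alone; the domain xyz.com comes from the thread, the trusted address ranges are constructed documentation prefixes, and the exemption for SMTP-authenticated sessions is an assumption about the site (it is what keeps the "mary sending from home" case from the second message working).

```python
"""Policy check for same-domain sender forgery, laid out in the order a
milter sees the transaction: connect -> MAIL FROM -> RCPT TO -> headers.
Added illustration for the thread above; not part of sendmail or libmilter."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical site values for the thread's xyz.com example. The address
# ranges are constructed RFC 5737 documentation prefixes, not real networks.
LOCAL_DOMAIN = "xyz.com"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


@dataclass
class Session:
    """What a filter learns about one SMTP transaction, callback by callback."""
    client_ip: str                                   # connecting peer (connect stage)
    mail_from: str                                   # envelope sender (MAIL FROM); "<>" for bounces
    rcpts: List[str] = field(default_factory=list)   # envelope recipients (RCPT TO)
    header_from: Optional[str] = None                # From: header, if the filter reads headers
    authenticated: bool = False                      # SMTP AUTH succeeded (assumed to be exposed by the MTA)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address, accepting 'x@y', '<x@y>' and 'Name <x@y>'.
    Returns '' for the null sender '<>' so it never matches the local domain."""
    addr = addr.strip()
    if "<" in addr and ">" in addr:
        addr = addr[addr.rfind("<") + 1:addr.rfind(">")]
    return addr.strip().lower().rpartition("@")[2]


def is_trusted_client(ip: str) -> bool:
    """True when the connecting IP lies inside a network we control."""
    address = ipaddress.ip_address(ip)
    return any(address in net for net in TRUSTED_NETS)


def decide(session: Session) -> Tuple[str, str]:
    """Return ('ACCEPT' | 'REJECT', reason) for the transaction.

    Rule from the thread: a message claiming a local sender, addressed to a
    local recipient, from a client outside our networks is treated as forged.
    Trusted clients and authenticated submissions are exempt so that internal
    relays and roaming users keep working.
    """
    if is_trusted_client(session.client_ip):
        return "ACCEPT", "client inside trusted network"
    if session.authenticated:
        return "ACCEPT", "authenticated submission"
    if not any(domain_of(r) == LOCAL_DOMAIN for r in session.rcpts):
        return "ACCEPT", "no local recipient"
    if domain_of(session.mail_from) == LOCAL_DOMAIN:
        return "REJECT", "envelope sender claims %s from untrusted client %s" % (
            LOCAL_DOMAIN, session.client_ip)
    # Spam often leaves the envelope sender elsewhere and forges only the
    # visible From: header, which is what the user actually sees.
    if session.header_from and domain_of(session.header_from) == LOCAL_DOMAIN:
        return "REJECT", "From: header claims %s from untrusted client %s" % (
            LOCAL_DOMAIN, session.client_ip)
    return "ACCEPT", "external sender to local recipient"


if __name__ == "__main__":
    # Constructed sample transactions mirroring the cases raised in the thread.
    samples = [
        Session("203.0.113.5", "helpdesk@xyz.com", ["johnsmith@xyz.com"]),
        Session("203.0.113.5", "helpdesk@xyz.com", ["johnsmith@xyz.com"], authenticated=True),
        Session("192.0.2.10", "helpdesk@xyz.com", ["johnsmith@xyz.com"]),
        Session("203.0.113.5", "bounce@example.net", ["johnsmith@xyz.com"],
                header_from="Help Desk <helpdesk@XYZ.com>"),
        Session("203.0.113.5", "bob@example.net", ["johnsmith@xyz.com"], header_from="bob@example.net"),
    ]
    for s in samples:
        verdict, why = decide(s)
        print("%-6s %-14s %-22s %s" % (verdict, s.client_ip, s.mail_from, why))
```

In a real milter the same four pieces of state arrive across separate callbacks, so the decision is usually deferred until the last recipient or the end of headers; the exemption for authenticated sessions is what a site would need in place before turning such a rule on, otherwise every legitimate user mailing in from an ISP connection is rejected along with the forgeries.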
Current thread:
- RE: Sendmail 8.11 configuration/security issue - some clarification oobs3c02 (Jan 06)
- RE: Sendmail 8.11 configuration/security issue - some clarification john65 (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification GB Clark (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification Ned Fleming (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification GB Clark (Jan 08)
- Re: Sendmail 8.11 configuration/security issue - some clarification theog (Jan 09)
