Security Basics mailing list archives

Re: Sender Spoofing via SMTP


From: Tomasz Nidecki <tonid () hakin9 org>
Date: Mon, 7 Nov 2005 09:54:14 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Thursday, November 3, 2005, 4:56:23 PM, brandon wrote:

If I telnet to a system on the internet and perform the following:

telnet target 25
EHLO (assuming Exchange)
MAIL FROM: someone
RCPT TO: someone_else () TargetDomain com
DATA ....

The server will happily forward my mail to the internal mailbox
without validating anything. I did not have to authenticate, I did
not even have to provide a real sender on the system, I could make
one up. Again, I know this is a common issue, the question is how
can I prevent this from happening?

I know there were many answers already, and I'm not sure I understand
the situation well, but:

1. if "TargetDomain.com" is your LOCAL domain, this is what's supposed
to happen. You cannot set it up any other way, or other mailservers
will not be able to send any mail to your domain. ANY mail, from ANY
sender and ANY IP should be accepted [unless filtered, e.g. by spam or
virus protection] for your LOCAL domains.

2. if "TargetDomain.com" is an external domain, there are a couple of
things to consider.

2.1. If the "target" is your mailserver's external IP and you're
connecting from the Internet to your mailserver, your mailserver is an
open relay and I suggest you fix this ASAP, or else you'll end up on
blocking lists [DNSBL]. You should not accept ANY mail to external
domains, if the connection is from the outside. If you have roaming
users, you will have to set up some kind of authentication, such as
SMTP AUTH or POP BEFORE SMTP. Sorry, can't help you with Exchange, I'm
a qmail admin myself...

2.2. If the "target" is your mailserver's internal IP and you're
connecting from the inside of your network, this is not a bad thing to
happen, but it is not required for the mailserver to work correctly.
It's quite often that internal networks relay all mail from their
users without authentication. We use that setup in our company for
example.

2.3. If you're afraid of mail spoofing by your users in your internal
network, you may turn off relaying without authentication and require
authentication by every user, even in your internal network. However,
I don't know whether Exchange adds this information [authenticated
user name] to mail headers. Most mailservers don't. qmail luckily does
[at least the most popular SMTP AUTH patch does]. If Exchange doesn't,
there's no use implementing this at all, because even if a user
authenticates, he/she can still give ANY mail address both in MAIL
FROM and in the From: header in mail. The only thing that would show
who sent the mail in reality would be either the IP address [if
they're fixed] or the authenticated user name [in the headers, if
Exchange supports this].

Hope this is a bit helpful, still...

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid () hakin9 org      jid:tonid () tonid net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Do you know what the word "hacker" means? [Polish version]
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ28WOUR7PdagQ735AQE84wP6A9BxbVSppJozi7Iav1VEA513kvgUyXhV
K6eOXgk2sdDyTwKYSmfNak2UwTJjkBVndaKBVnF7cVcV67MljYmd0RIYGtF1rrcY
pw4DnHMQHN6MpuDmKXwXrBvg0DscHFUGbk63ibRbSL+xI34WyYv83dSWSffCx2Aw
aNMr4q8cBM0=
=bpXx
-----END PGP SIGNATURE-----
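The relay policy described in points 1 through 2.3 above, as an added example that is not part of the original post and not code from qmail or Exchange: a small Python model of an SMTP server's RCPT TO decision. It accepts any mail for the LOCAL domains, relays to external domains only for SMTP AUTH users or (optionally) unauthenticated internal clients, refuses everything else, and shows the trace header in which the client IP and authenticated user name are the only fields that reveal the real submitter. The domain `targetdomain.com`, the internal address ranges, the account `alice`, and the host name `mail.targetdomain.com` are constructed assumptions.

```python
import base64
import binascii
import hmac
import ipaddress

# Constructed configuration (not a real site): domains this server delivers for
# locally, address ranges treated as "inside", and one SMTP AUTH account.
LOCAL_DOMAINS = {"targetdomain.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
USERS = {"alice": "s3cret"}


def is_internal(client_ip):
    """True when the connecting client's address lies in an internal range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def plain_response(user, passwd):
    """Encode a SASL PLAIN initial response (authzid left empty) as a client would."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + passwd.encode()).decode()


def check_auth_plain(initial_response):
    """Return the user name if base64(authzid NUL authcid NUL passwd) is valid, else None."""
    try:
        _authzid, authcid, passwd = base64.b64decode(initial_response).decode().split("\0")
    except (ValueError, binascii.Error):
        return None
    expected = USERS.get(authcid, "")
    ok = bool(expected) and hmac.compare_digest(expected.encode(), passwd.encode())
    return authcid if ok else None


def relay_decision(rcpt, client_ip, auth_user, require_auth_internally=False):
    """Decide one RCPT TO.  Local domains: always accept (any sender, any IP),
    otherwise other mail servers could not deliver to us.  External domains:
    relay only for SMTP AUTH users or, if the site allows it, unauthenticated
    internal clients; refuse the rest so the server is never an open relay."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "2.1.5 Ok (local delivery)"
    if auth_user:
        return 250, "2.1.5 Ok (relay for authenticated user)"
    if is_internal(client_ip) and not require_auth_internally:
        return 250, "2.1.5 Ok (relay from internal network)"
    return 554, "5.7.1 Relay access denied"


class SmtpSession:
    """Replies to the commands of one SMTP session under the policy above."""

    def __init__(self, client_ip, require_auth_internally=False):
        self.client_ip = client_ip
        self.require_auth_internally = require_auth_internally
        self.auth_user = None
        self.mail_from = None
        self.accepted = []

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250-mail.targetdomain.com\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            mech, _, resp = arg.partition(" ")
            self.auth_user = check_auth_plain(resp) if mech.upper() == "PLAIN" else None
            return ("235 2.7.0 Authentication successful" if self.auth_user
                    else "535 5.7.8 Authentication credentials invalid")
        if verb == "MAIL":
            # MAIL FROM is freely chosen by the client; it is recorded, never trusted.
            self.mail_from = arg.split(":", 1)[-1].strip().strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip().strip("<>")
            code, text = relay_decision(rcpt, self.client_ip, self.auth_user,
                                        self.require_auth_internally)
            if code == 250:
                self.accepted.append(rcpt)
            return "%d %s" % (code, text)
        if verb == "DATA":
            return ("354 End data with <CR><LF>.<CR><LF>" if self.accepted
                    else "554 5.5.1 No valid recipients")
        return "502 5.5.2 Command not implemented"

    def received_header(self):
        """Trace header the server adds: client IP plus, when present, the
        authenticated user name are the only fields showing who really sent it."""
        who = " (authenticated as %s)" % self.auth_user if self.auth_user else ""
        return "Received: from [%s]%s by mail.targetdomain.com with ESMTP" % (self.client_ip, who)


def run_session(client_ip, commands, require_auth_internally=False):
    """Feed command lines to one session; return the session and its replies."""
    session = SmtpSession(client_ip, require_auth_internally)
    return session, [session.handle(c) for c in commands]


if __name__ == "__main__":
    outside, external = "203.0.113.7", "RCPT TO:<someone@elsewhere.example>"
    for cmds in (["EHLO x", "MAIL FROM:<anyone@example.org>", external],
                 ["EHLO x", "AUTH PLAIN " + plain_response("alice", "s3cret"),
                  "MAIL FROM:<anyone@example.org>", external]):
        session, replies = run_session(outside, cmds)
        print(replies[-1], "|", session.received_header())
```

Running the block prints the relay refusal for the unauthenticated Internet client and the acceptance for the SMTP AUTH user, each with the trace header a recipient could use to identify the actual submitter regardless of the MAIL FROM given.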


