RE: Sender Spoofing via SMTP

["Andrew Chong" <andrewjw () singnet com sg>]

This is a well known SMTP protocol bug.
Currently, two common technologies are SMIME and PGP to digitally
sign/encrypt emails.

Regards,
Andrew Chong, cissp 

-----Original Message-----
From: brandon.steili () gmail com [mailto:brandon.steili () gmail com] 
Sent: Thursday, November 03, 2005 11:56 PM
To: security-basics () securityfocus com
Subject: Sender Spoofing via SMTP


Hi List,

I know this is a common issue that does not seem to be well addressed,
but I was hoping you folks could give some suggestions. (preferably for
Exchange 2003)

If I telnet to a system on the internet and perform the following:

telnet target 25
EHLO (assuming Exchange)
MAIL FROM: someone
RCPT TO: someone_else () TargetDomain com
DATA .... 

The server will happily forward my mail to the internal mailbox without
validating anything. I did not have to authenticate, I did not even have
to provide a real sender on the system, I could make one up. Again, I
know this is a common issue, the question is how can I prevent this from
happening? 

With the proliferation of social engineers / phishers, etc I would like
to try and find a way to prevent this, not because it is a big problem
but because it might become a big problem. 

Obviously user training can only go so far and our clients are not going
to think twice if they recieve an email that appears to be from a
company exec...

Thanks!