Security Basics mailing list archives
RE: Sendmail 8.11 configuration/security issue - some clarification
From: oobs3c02 () attbi com
Date: Mon, 06 Jan 2003 22:11:49 +0000
All,

Thanks for the input on this so far. To clarify, John65 () pobox com is exactly right in stating that I'm trying to stop the spoofing of my domain as the sender to my own domain (e.g. helpdesk@xyz to johnSmith@xyz where helpdesk is the spoofed sender). This is not an open relay server and the spam is not (as far as I can tell) a result of any viruses guessing at accounts. The primary concern is with stopping mail with my domain as the sender and my domain as the recipient if the sender IP is not within networks which I control.

I don't want to give any "crackers" monitoring this mailing list any ideas (most likely they've thought of this already) but this makes the probability of someone opening up an email and executing an attachment much greater. In some testing some other guys and I did, it was trivial to send an email from an outside address with the sender spoofed to look like an internal, trusted source (the spoofing is very easy but knowledge of the internal account naming convention, etc. was a little bit more difficult to match). This would make it much easier for me to send an email from helpdesk () xyz com requesting that JohnSmith () xyz com execute the attached file. Sure, he might know not to execute attachments from other untrusted domains, but would he not open this from his "own" helpdesk? The amount of knowledge needed to execute this attack would be somewhat trivial to obtain - simple Google searches would most likely return the email addresses for a targeted company. A very large % of typical users would never think to check SMTP headers - they likely don't even know what those are.

I'm not sure that this problem can be resolved within sendmail config files, but if anyone knows differently, please let me know.

Thanks again,
Jim
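The policy Jim describes (reject a message whose envelope sender and recipient are both in his own domain when the connecting host is not on a network he controls) can be written down as a small decision function. The following is an added example and is not part of the original post, nor is it sendmail configuration; it models in Python the check that a sendmail ruleset or a milter would apply at MAIL FROM / RCPT TO time. The domain `xyz.com`, the "internal" address ranges, and the `authenticated` flag (representing SMTP AUTH, which covers the roaming-user case raised later in the thread) are all assumptions; the sample sessions are constructed for illustration.

```python
import ipaddress
from email.utils import parseaddr

# Assumed deployment values (not from the original post).
OUR_DOMAIN = "xyz.com"
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # constructed: office LAN
    ipaddress.ip_network("198.51.100.0/24"),   # constructed: DMZ / VPN pool
]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an envelope address.

    Handles '<user@dom>' and 'Name <user@dom>' forms; the null sender '<>'
    used by bounces yields '' so it is never mistaken for an internal address.
    """
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower()


def evaluate(client_ip: str, mail_from: str, rcpt_to: str,
             authenticated: bool = False):
    """Decide whether to accept an SMTP transaction.

    Returns (action, reason) where action is 'accept' or 'reject'.
    Only the internal-sender -> internal-recipient case is policed; everything
    else is left to the rest of the MTA's normal processing.
    """
    sender_dom = domain_of(mail_from)
    rcpt_dom = domain_of(rcpt_to)

    # Not the internal-to-internal pattern: out of scope for this rule.
    if sender_dom != OUR_DOMAIN or rcpt_dom != OUR_DOMAIN:
        return ("accept", "not internal-sender to internal-recipient")

    # An authenticated session (SMTP AUTH) is how a legitimate user on an
    # outside network, e.g. a home dialup, may still use the xyz.com address.
    if authenticated:
        return ("accept", "sender authenticated via SMTP AUTH")

    # Unauthenticated: the connecting host must be on a network we control.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return ("accept", "client on an internal network")

    return ("reject", "internal sender address from external host")


# Constructed sample sessions: (client_ip, MAIL FROM, RCPT TO, authenticated)
SAMPLE_SESSIONS = [
    ("203.0.113.5",   "<helpdesk@xyz.com>",  "<johnsmith@xyz.com>", False),
    ("192.0.2.17",    "<helpdesk@xyz.com>",  "<johnsmith@xyz.com>", False),
    ("203.0.113.9",   "Mary <mary@XYZ.com>", "<joe@xyz.com>",       True),
    ("203.0.113.77",  "<someone@example.org>", "<joe@xyz.com>",     False),
    ("203.0.113.78",  "<>",                  "<joe@xyz.com>",       False),
]


def run_samples():
    """Evaluate every constructed session and return the list of actions."""
    return [evaluate(ip, mf, rt, auth)[0] for ip, mf, rt, auth in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for session, action in zip(SAMPLE_SESSIONS, run_samples()):
        print(f"{session[0]:<14} {session[1]:<24} -> {action}")
```

The first session is the forged-helpdesk case from the post and is the only one rejected; the second is the same envelope from an office address, the third is a user relaying from home with SMTP AUTH, the fourth is ordinary external mail, and the fifth is a bounce with the null sender. Note that this policy only examines the SMTP envelope: a forged `From:` header with a different envelope sender still passes, so it narrows the attack Jim describes rather than eliminating header forgery in general.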
I think the original sender and several of the respondents may be confusing 'spam with forged headers' with 'open relaying.' The original question was not about his relay being hijacked to send spam; it was about mail coming IN to his company xyz.com for joe () xyz com purporting to be from another sender at xyz.com when it really came from somewhere else.

That's NOT open relaying, that's forging headers, and there's not much you can do about it without breaking things. (What if mary () xyz com wants to use her xyz.com return address when she's sending mail from home to joe () xyz com via her local ISP dialup -- why would you want to block that?)

What's the difference if incoming spam has one forged address or another anyway? It's still spam! 'Switching to Postfix', using a 'content security gateway,' or 'TLS' are not going to solve this problem (forging of email headers).
Current thread:
- RE: Sendmail 8.11 configuration/security issue - some clarification oobs3c02 (Jan 06)
- RE: Sendmail 8.11 configuration/security issue - some clarification john65 (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification GB Clark (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification Ned Fleming (Jan 07)
- Re: Sendmail 8.11 configuration/security issue - some clarification GB Clark (Jan 08)
- Re: Sendmail 8.11 configuration/security issue - some clarification theog (Jan 09)