Security Basics mailing list archives
Re: Sender Spoofing via SMTP
From: Tomasz Nidecki <tonid () hakin9 org>
Date: Tue, 8 Nov 2005 12:04:08 +0100
Saturday, November 5, 2005, 6:06:49 AM, brandon wrote:
> The server is configured with 2 SMTP virtual servers (VS), each one on port 25, one VS for each address. 192.168.1.10 (VS1) is internet facing; the second, 192.168.1.11 (VS2), will connect to the internal server(s). All traffic from the internet would be sent to smtp.foo.com, which in turn would come to the 192.168.1.10 address. We allow anonymous connections to this VS, but perform reverse DNS lookups on incoming messages, and also apply a sender filter for *.foo.com. That way, even though we are not stopping the outside from connecting via telnet, they cannot spoof an internal address (since we are filtering that) and they cannot spoof a bogus domain since we look for that too. Exchange 2003 already prevents relaying to external domains as previously suggested, thanks for making me check though! The second VS could now be configured to speak only to the backend server(s) and ignore all other traffic from other systems (i.e. client desktops).
Well, the setup will save you some spoofing, but:

* your roaming users will not be able to send mail from their company accounts to your local users, because they'll be treated the same way as if someone was spoofing your local domain.
* most spam comes from existent domains, such as yahoo.com, msn.com, hotmail.com. Your setup will not eliminate that. Nothing will eliminate that spoofing taking place, as you cannot use SPF if you want your mailserver to function properly.
> Hostname (internal DNS) - exch1.foo.com - internal IP address 192.168.2.10. Any and all internal SMTP Virtual servers get configured slightly differently. These Virtual servers do not require the filter, no reverse DNS lookup, and should be configured to require Integrated Windows authentication, which will prevent anyone from connecting via Telnet to the internal exchange boxes and sending a spoofed email -- insert spoofed pink slip from the boss email here -- since once they try to do anything beyond an EHLO the connection gets dropped.
Duh. Why so complicated? Let people inside the company use any mail client they want. What if they don't have a client which allows the usage of Integrated Windows authentication? Use SMTP AUTH instead.
> Does this sound like a pretty safe exchange setup besides the obvious 3rd party AV and things of that nature?
Seems quite safe, but does not address many problems, as I mentioned:

1. You might be safe from someone from the outside spoofing your domain, but you'll be making life hell for your roaming users. Solution: use SMTP AUTH or POP BEFORE SMTP on your external mail server. If the user authenticates, treat him exactly the way you treat internal users.

2. Your internal users will be forced to Internal Windows authentication. What if someone works on a Linux box inside your company? No mail?... Solution: use SMTP AUTH or POP BEFORE SMTP on your internal mail server and require this from ALL users. Use a mail server that places the authentication info in the Received: headers, so you can see who was the real person who sent the email, independent of what's in their Return-Path: [MAIL FROM] and From: headers.

-- 
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine http://www.hakin9.org
mailto:tonid () hakin9 org jid:tonid () tonid net
Do you know what "hacker" means? http://www.catb.org/~esr/faqs/hacker-howto.html
Do you know what the word "hacker" means? http://www.jtz.org.pl/Inne/hacker-howto-pl.html
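The audit Tomasz describes in point 2, as an added example that is not part of the thread: compare the SMTP AUTH username an MTA stamps into the Received: header with the Return-Path: and From: addresses the message claims. It assumes the Postfix-style "(Authenticated sender: user)" annotation (other MTAs word it differently) and that the AUTH username equals the mailbox local part at foo.com; the sample message is constructed.

```python
import email
import email.utils
import re

LOCAL_DOMAIN = "foo.com"  # the domain whose internal senders we protect
# Assumed annotation format (Postfix); other MTAs record AUTH differently.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.IGNORECASE)

# Constructed sample: authenticated user "mallory" sending as the boss.
SAMPLE = """Return-Path: <boss@foo.com>
Received: from laptop.example (unknown [192.0.2.55])
\t(Authenticated sender: mallory)
\tby smtp.foo.com (Postfix) with ESMTPSA id ABC123
\tfor <victim@foo.com>; Tue, 8 Nov 2005 12:00:00 +0100
From: The Boss <boss@foo.com>
To: victim@foo.com
Subject: Pink slip

You are fired.
"""

def authenticated_user(msg):
    """Return the SMTP AUTH username recorded in any Received: header, or None."""
    for hdr in msg.get_all("Received", []):
        m = AUTH_RE.search(hdr)  # header value may still contain fold whitespace
        if m:
            return m.group(1).lower()
    return None

def claimed_senders(msg):
    """Addresses the message claims: envelope (Return-Path) and header (From)."""
    return {
        "return_path": email.utils.parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "from": email.utils.parseaddr(msg.get("From", ""))[1].lower(),
    }

def audit(raw):
    """Compare who authenticated with who the headers say sent the mail.

    Returns (verdict, details); verdict is 'ok', 'spoofed' or 'unauthenticated'.
    """
    msg = email.message_from_string(raw)
    user = authenticated_user(msg)
    claimed = claimed_senders(msg)
    if user is None:
        return "unauthenticated", {"auth": None, **claimed}
    expected = f"{user}@{LOCAL_DOMAIN}"  # assumed: AUTH username == mailbox local part
    mismatch = [k for k, v in claimed.items() if v and v != expected]
    verdict = "spoofed" if mismatch else "ok"
    return verdict, {"auth": user, "expected": expected, "mismatch": mismatch, **claimed}
```

On the sample, `audit(SAMPLE)` reports "spoofed" because both claimed addresses belong to boss@foo.com while the session authenticated as mallory; a message with no AUTH annotation is reported as "unauthenticated" rather than trusted.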