Security Basics mailing list archives
RE: Sender Spoofing via SMTP
From: "Matt Stovall" <mstovall () charlestonforge com>
Date: Tue, 8 Nov 2005 16:05:03 -0500
Tomasz,

Could you be a little more specific when talking about SPF breaking the functionality of the mail server? I have been using SPF for about a year now and I have not seen any weird or problematic symptoms. I am curious as to what some of the pitfalls are surrounding it. I must also say that SPF is most definitely not a fix; it is just one more layer in place to secure my mail server.

Thanks in advance,

Matt Stovall
Charleston Forge
251 Industrial Park Drive
Boone, NC 28607

-----Original Message-----
From: Tomasz Nidecki [mailto:tonid () hakin9 org]
Sent: Tuesday, November 08, 2005 6:04 AM
To: security-basics () securityfocus com
Subject: Re: Sender Spoofing via SMTP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Saturday, November 5, 2005, 6:06:49 AM, brandon wrote:
> The server is configured with 2 SMTP virtual servers (VS), each one on port 25, one VS for each address. 192.168.1.10 (VS1) is internet facing; the second, 192.168.1.11 (VS2), will connect to the internal server(s). All traffic from the internet would be sent to smtp.foo.com, which in turn would come to the 192.168.1.10 address. We allow anonymous connections to this VS, but perform reverse DNS lookups on incoming messages, and also apply a sender filter for *.foo.com. That way, even though we are not stopping the outside from connecting via telnet, they cannot spoof an internal address (since we are filtering that) and they cannot spoof a bogus domain since we look for that too. Exchange 2003 already prevents relaying to external domains as previously suggested, thanks for making me check though! The second VS could now be configured to speak only to the backend server(s) and ignore all other traffic from other systems (i.e. client desktops).
Well, the setup will save you some spoofing, but:

* your roaming users will not be able to send mail from their company accounts to your local users, because they'll be treated the same way as if someone was spoofing your local domain.

* most spam comes from existent domains, such as yahoo.com, msn.com, hotmail.com. Your setup will not eliminate that. Nothing will eliminate that spoofing taking place, as you cannot use SPF if you want your mailserver to function properly.
> Hostname (internal DNS) - exch1.foo.com - internal IP address 192.168.2.10
>
> Any and all internal SMTP Virtual servers get configured slightly differently. These Virtual servers do not require the filter, no reverse DNS lookup, and should be configured to require Integrated Windows authentication, which will prevent anyone from connecting via Telnet to the internal exchange boxes and sending a spoofed email -- Insert spoofed pink slip from the boss email here -- since once they try to do anything beyond an EHLO the connection gets dropped.
Duh. Why so complicated? Let people inside the company use any mail client they want. What if they don't have a client which allows the usage of Integrated Windows authentication? Use SMTP AUTH instead.
> Does this sound like a pretty safe exchange setup besides the obvious 3rd party AV and things of that nature?
Seems quite safe, but does not address many problems as I mentioned:

1. you might be safe from someone from the outside spoofing your domain, but you'll be making life hell for your roaming users. Solution: use SMTP AUTH or POP BEFORE SMTP on your external mail server. If the user authenticates, treat him exactly the way you treat internal users.

2. your internal users will be forced to Integrated Windows authentication. What if someone works on a Linux box inside your company? No mail?... Solution: use SMTP AUTH or POP BEFORE SMTP on your internal mail server and require this from ALL users. Use a mail server that places the authentication info in the Received: headers, so you can see who was the real person who sent the email, independent of what's in their Return-Path: [MAIL FROM] and From: headers.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine http://www.hakin9.org
mailto:tonid () hakin9 org jid:tonid () tonid net
Do you know what "hacker" means? http://www.catb.org/~esr/faqs/hacker-howto.html
Do you know what the word "hacker" means? (Polish version) http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3CGK0R7PdagQ735AQGJ2wP+Mx9wdaOzun9elxPuafIGl8OyU1oh2dlD
SGkHBb27q2B0U1/VRmcjLt4XZgBx1IuJ4ajtaGrNIqmAKfi8gRSPQfmxlLm0kz0d
e+Tiv0emn4KeKnS56nileGq3Rak4OQ+bob4hLRSwdHEe2LMhb/D0t5qOlx40AhHY
dAAws+Z6mUM=
=0rai
-----END PGP SIGNATURE-----

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Charleston Forge, 251 Industrial Park Drive, Boone, NC 28607 http://www.charlestonforge.com
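As an added example (not code from the thread or from any of its participants), the following Python script implements the check Tomasz recommends at the end of his reply: read the SMTP AUTH identity that the mail server recorded in a Received: header and compare it with what the Return-Path: and From: headers claim, so a "pink slip from the boss" sent by an authenticated internal user is flagged regardless of the headers the client wrote. It assumes the Postfix-style `(Authenticated sender: user)` annotation; the three sample messages, their hostnames, IDs and addresses are constructed for the example.

```python
"""Compare a message's claimed sender with the identity the MTA authenticated."""
import email
import re
from email.utils import parseaddr
from typing import Dict, Optional

# Postfix (with smtpd_sasl_authenticated_header = yes) records the SMTP AUTH
# login name in the Received: header it adds. Other MTAs use different wording;
# extend this pattern for them. (Assumption: Postfix-style annotation.)
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.IGNORECASE)

# Constructed sample messages (not from the thread). In the first one the
# internal user jdoe authenticated, but the headers claim the boss sent it.
SPOOFED_PINK_SLIP = """\
Return-Path: <boss@foo.com>
Received: from desktop42.foo.com (desktop42.foo.com [192.168.1.50])
\t(Authenticated sender: jdoe@foo.com)
\tby exch1.foo.com (Postfix) with ESMTPSA id CONSTRUCTED01
\tfor <staff@foo.com>; Tue, 8 Nov 2005 16:05:03 -0500
From: "The Boss" <boss@foo.com>
To: staff@foo.com
Subject: Your position has been eliminated

Please clear your desk by 17:00.
"""

LEGITIMATE = """\
Return-Path: <jdoe@foo.com>
Received: from desktop42.foo.com (desktop42.foo.com [192.168.1.50])
\t(Authenticated sender: jdoe@foo.com)
\tby exch1.foo.com (Postfix) with ESMTPSA id CONSTRUCTED02
\tfor <staff@foo.com>; Tue, 8 Nov 2005 16:07:11 -0500
From: Jane Doe <jdoe@foo.com>
To: staff@foo.com
Subject: Lunch

Sandwiches are in the kitchen.
"""

# Anonymous delivery from the internet to the external virtual server: no AUTH.
EXTERNAL = """\
Return-Path: <someone@example.net>
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby smtp.foo.com (Postfix) with ESMTP id CONSTRUCTED03
\tfor <sales@foo.com>; Tue, 8 Nov 2005 16:09:45 -0500
From: someone@example.net
To: sales@foo.com
Subject: Quote request

Please send a quote for 20 chairs.
"""


def authenticated_sender(raw_message: str) -> Optional[str]:
    """Return the SMTP AUTH identity recorded in any Received: header, or None."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        # Received: headers are folded across lines; collapse the whitespace first.
        flat = " ".join(value.split())
        match = AUTH_RE.search(flat)
        if match:
            return match.group(1).lower()
    return None


def claimed_identities(raw_message: str) -> Dict[str, str]:
    """Return the addresses the message *claims*: envelope sender and From:."""
    msg = email.message_from_string(raw_message)
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "from": parseaddr(msg.get("From", ""))[1].lower(),
    }


def check_sender(raw_message: str) -> Dict[str, Optional[str]]:
    """Classify a message as consistent, mismatch or unauthenticated."""
    auth = authenticated_sender(raw_message)
    claims = claimed_identities(raw_message)
    if auth is None:
        verdict = "unauthenticated"  # arrived without SMTP AUTH (e.g. from the internet)
    elif all(addr == auth for addr in claims.values() if addr):
        verdict = "consistent"
    else:
        verdict = "mismatch"  # the authenticated user is not who the headers claim
    return {"authenticated": auth, "verdict": verdict, **claims}


if __name__ == "__main__":
    for name, raw in [("spoofed pink slip", SPOOFED_PINK_SLIP),
                      ("legitimate", LEGITIMATE), ("external", EXTERNAL)]:
        print(f"{name}: {check_sender(raw)}")
```

The script only trusts the Received: header written by your own server; any "Authenticated sender" text in headers added by outside hosts is attacker-controlled, so in production limit the search to the Received: line your own MTA prepended (the topmost one it added).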