Security Basics mailing list archives

RE: Sender Spoofing via SMTP


From: "Matt Stovall" <mstovall () charlestonforge com>
Date: Tue, 8 Nov 2005 16:05:03 -0500

Tomasz,

Could you be a little more specific when talking about SPF breaking the
functionality of the mail server? 

I have been using SPF for about a year now and I have not seen any weird
or problematic symptoms.  I am curious as to what some of the pitfalls
are surrounding it.

I must also say that SPF is most definitely not a fix; it is just one
more layer in place to secure my mail server.

Thanks in advance,

Matt Stovall
Charleston Forge 
251 Industrial Park Drive 
Boone, NC 28607 

-----Original Message-----
From: Tomasz Nidecki [mailto:tonid () hakin9 org] 
Sent: Tuesday, November 08, 2005 6:04 AM
To: security-basics () securityfocus com
Subject: Re: Sender Spoofing via SMTP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Saturday, November 5, 2005, 6:06:49 AM, brandon wrote:

> The server is configured with 2 SMTP virtual servers (VS), each
> one on port 25, one VS for each address. 192.168.1.10 (VS1) is
> internet facing; the second, 192.168.1.11 (VS2), will connect to the
> internal server(s). All traffic from the internet would be sent to
> smtp.foo.com, which in turn would come to the 192.168.1.10 address.
> We allow anonymous connections to this VS, but perform reverse DNS
> lookups on incoming messages, and also apply a sender filter for
> *.foo.com; that way, even though we are not stopping the outside from
> connecting via telnet, they cannot spoof an internal address (since
> we are filtering that) and they cannot spoof a bogus domain since we
> look for that too. Exchange 2003 already prevents relaying to
> external domains as previously suggested, thanks for making me check
> though! The second VS could now be configured to speak only to the
> backend server(s) and ignore all other traffic from other systems
> (ie client desktops).

Well, the setup will save you some spoofing, but:

* your roaming users will not be able to send mail from their company
accounts to your local users, because they'll be treated the same way
as if someone was spoofing your local domain.

* most spam comes from existent domains, such as yahoo.com, msn.com,
hotmail.com. Your setup will not eliminate that. Nothing will
eliminate that spoofing taking place, as you cannot use SPF if you
want your mailserver to function properly.

> Hostname (internal DNS) - exch1.foo.com - internal IP address
> 192.168.2.10
> Any and all internal SMTP Virtual servers get configured slightly
> differently. These Virtual servers do not require the filter, no
> reverse DNS lookup and should be configured to require Integrated
> Windows authentication, which will prevent anyone from connecting via
> Telnet to the internal exchange boxes and sending a spoofed email --
> Insert spoofed pink slip from the boss email here -- since once they
> try to do anything beyond an EHLO the connection gets dropped.

Duh. Why so complicated? Let people inside the company use any mail
client they want. What if they don't have a client which allows the
usage of Integrated Windows authentication?

Use SMTP AUTH instead.

> Does this sound like a pretty safe exchange setup besides the
> obvious 3rd party AV and things of that nature?

Seems quite safe, but does not address many problems as I mentioned:

1. you might be safe from someone from the outside spoofing your
domain, but you'll be making life hell for your roaming users.

Solution: use SMTP AUTH or POP BEFORE SMTP on your external mail
server. If the user authenticates, treat him exactly the way you treat
internal users.

2. your internal users will be forced to Integrated Windows
authentication. What if someone works on a Linux box inside your
company? No mail?...

Solution: use SMTP AUTH or POP BEFORE SMTP on your internal mail
server and require this from ALL users. Use a mail server that
places the authentication info in the Received: headers, so you can
see who the real person was who sent the email, independent of what's
in their Return-Path: [MAIL FROM] and From: headers.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid () hakin9 org      jid:tonid () tonid net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Czy wiesz, co znaczy slowo "haker"?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3CGK0R7PdagQ735AQGJ2wP+Mx9wdaOzun9elxPuafIGl8OyU1oh2dlD
SGkHBb27q2B0U1/VRmcjLt4XZgBx1IuJ4ajtaGrNIqmAKfi8gRSPQfmxlLm0kz0d
e+Tiv0emn4KeKnS56nileGq3Rak4OQ+bob4hLRSwdHEe2LMhb/D0t5qOlx40AhHY
dAAws+Z6mUM=
=0rai
-----END PGP SIGNATURE-----
This message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if 
you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or 
incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the 
contents of this message, which arise as a result of e-mail transmission. If verification is required please request a 
hard-copy version.  

Charleston Forge, 251 Industrial Park Drive, Boone, NC 28607 http://www.charlestonforge.com
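The two points argued in the thread (Tomasz: an SPF-style "only our listed hosts may use our domain" rule blocks roaming users who send from arbitrary IPs, and the same rule does nothing against spoofing of a foreign domain that publishes no record; Matt: SPF is one layer, and SMTP AUTH is what lets roaming users through) can be exercised offline with the following script. It is an added example, not code from the thread or from Exchange; the zone data, hosts and addresses are constructed, the SPF evaluator is a deliberately minimal one (ip4, include and the all mechanism only), and the Received: header format with "(Authenticated sender: ...)" is the one Postfix emits when smtpd_sasl_authenticated_header is enabled, assumed here as the way a server records who really authenticated.

```python
import ipaddress
import re

# Constructed TXT data for the example: foo.com lists its own MX host and
# includes a hypothetical relay provider's record. hotmail.com deliberately
# has no record, standing in for "existent domains with no SPF".
SPF_RECORDS = {
    "foo.com": "v=spf1 ip4:203.0.113.10 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the v=spf1 record of `domain` for a connecting `client_ip`.
    Toy evaluator: supports ip4, include and all; any other mechanism
    (a, mx, ptr, exists, ...) yields permerror. Results follow the SPF
    vocabulary: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                      # include loop guard
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # no record published: nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if spf_check(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                    # record exhausted without a match


def sender_policy(mail_from, client_ip, authenticated, local_domain="foo.com"):
    """Decision for the internet-facing listener. Our own domain in MAIL FROM
    is accepted only from an SMTP AUTH session or from a host our SPF record
    lists; otherwise it is a spoof. Foreign domains are judged by their own
    record, so a domain without one sails through."""
    domain = mail_from.rpartition("@")[2].lower()
    if domain == local_domain or domain.endswith("." + local_domain):
        if authenticated:
            return "accept (authenticated user)"
        if spf_check(local_domain, client_ip) == "pass":
            return "accept (listed sender host)"
        return "reject (spoofed local domain)"
    result = spf_check(domain, client_ip)
    return "reject (SPF fail)" if result == "fail" else "accept (SPF %s)" % result


# Postfix-style trace header; the "(Authenticated sender: login)" clause is
# what lets you tie a message to a real account regardless of MAIL FROM/From.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.IGNORECASE)


def authenticated_sender(received_headers):
    """Return the SASL login recorded by the submission server, or None."""
    for header in received_headers:
        match = AUTH_RE.search(header)
        if match:
            return match.group(1)
    return None


# Constructed sample: a roaming user submitting from a hotel address.
SAMPLE_RECEIVED = [
    "Received: from laptop.example (unknown [192.0.2.77]) "
    "(Authenticated sender: alice) by smtp.foo.com (Postfix) with ESMTPSA "
    "id 4F2A1; Tue, 8 Nov 2005 16:05:03 -0500",
]

if __name__ == "__main__":
    cases = [
        ("alice@foo.com", "203.0.113.10", False),   # own MX host
        ("alice@foo.com", "198.51.100.7", False),   # via included relay
        ("alice@foo.com", "192.0.2.77", False),     # roaming user, no AUTH
        ("alice@foo.com", "192.0.2.77", True),      # roaming user with SMTP AUTH
        ("boss@hotmail.com", "192.0.2.77", False),  # foreign domain, no SPF
    ]
    for mail_from, ip, auth in cases:
        print("%-18s %-14s auth=%-5s -> %s" % (mail_from, ip, auth, sender_policy(mail_from, ip, auth)))
    print("authenticated sender in trace headers:", authenticated_sender(SAMPLE_RECEIVED))
```

The third case is Tomasz's objection in miniature: the roaming user is rejected exactly like a spoofer until SMTP AUTH is added (fourth case). The fifth case is his second point: a domain that publishes no record gets "none", so the sender filter cannot tell a forged hotmail.com address from a real one. The Received: check is the audit trail he recommends in point 2: MAIL FROM and From: are whatever the client typed, but the login in the trace header is what the server verified.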