Re: Mail Server problem / query

[Prashant Gawade <prashant.gawade () paladion net>]

In-Reply-To: <20050413214455.1004.qmail () web86602 mail ukl yahoo com>

hi all

I had same problem few months back. This is what I got that time.
Anyone can setup an exchange server and send spoofed mail to your organization but in this case we can always trace 
back using source IP.
But by default relay agent allowed relaying within same domain. There are few solutions available for this but 
implementation will depends upon email architecture.

1.Using Microsoft Exchange Intelligent Message Filter

This feature is only available in exchange 2003 SP1.
Many options like sender ID, Receiver ID filtering etc.
http://www.microsoft.com/exchange/downloads/2003/imf/default.mspx

2.Using Anti-spam software
Many commercial anti-spam applications available, which will drop such spoofed mail .While sending mail it will show as 
“queued for delivery” but actually it will not get delivered

3.Using separate SMTP gateway with authentication enabled
In IIS SMTP virtual server gateway we can apply restriction based on 
        Authentication
        IP based Filtering
http://support.microsoft.com/default.aspx?scid=kb;en-us;324281

4.Sender Policy Framework (SPF) or Sender ID Framework(SIDF)
The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and 
phishing by verifying the domain name from which e-mail is sent
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx


Prashant Vijayanand Gawade
Security Engineer
Paladion Networks
Navi Mumbai
http://www.paladion.net




> Received: (qmail 3483 invoked from network); 14 Apr 2005 01:31:09 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 14 Apr 2005 01:31:09 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 90569237008; Wed, 13 Apr 2005 19:30:27 -0600 (MDT)
> Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <pen-test.list-id.securityfocus.com>
> List-Post: <mailto:pen-test () securityfocus com>
> List-Help: <mailto:pen-test-help () securityfocus com>
> List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
> Delivered-To: mailing list pen-test () securityfocus com
> Delivered-To: moderator for pen-test () securityfocus com
> Received: (qmail 26340 invoked from network); 13 Apr 2005 22:08:49 -0000
> Message-ID: <20050413214455.1004.qmail () web86602 mail ukl yahoo com>
> Date: Wed, 13 Apr 2005 22:44:55 +0100 (BST)
> From: Marc Davison <m_davison () talk21 com>
> Subject: Mail Server problem / query 
> To: pen-test () securityfocus com
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
>
> Hi all, I hope you can help with this. I have been
> testing a server for open-relay and found that I could
> connect from an external machine and send mails using
> a MAIL FROM (the local domain) and a RCPT TO (the
> local domain) - now this may seem fine as internal
> users will need to send mail to other internal users
> but my query is whether there are mail servers which
> can be configured to recognise that the connection was
> an external address and therefore that the MAIL FROM
> address was invalid. eg I can send a mail from the CEO
> of the company to his own secretary asking her to copy
> his hotmail address on all future mails and to the
> secretary, this mail seems perfectly valid yet me
> (prospective attacker) outside the comapany may now
> receive loads of sensitive mails (assuming the
> secretary is the type who doesn't like to query things
> and ask questions) - thanks in advance.
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com