Security Basics mailing list archives

RE: Sendmail 8.11 configuration/security issue - some clarification


From: oobs3c02 () attbi com
Date: Mon, 06 Jan 2003 22:11:49 +0000

All,

Thanks for the input on this so far.  To clarify, John65 () pobox com is exactly 
right in stating that I'm trying to stop the spoofing of my domain as the 
sender to my own domain (e.g. helpdesk@xyz to johnSmith@xyz where helpdesk is 
the spoofed sender).  This is not an open relay server and the spam is not (as 
far as I can tell) as a result of any viruses guessing at accounts.

The primary concern is with stopping mail with my domain as the sender and my 
domain as the recipient if the sender IP is not within networks which I 
control.  I don't want to give any "crackers" monitoring this mailing list any 
ideas (most likely they've thought of this already) but this makes the 
probability of someone opening up an email and executing an attachment much 
greater.  In some testing some other guys and I did, it was trivial to send an 
email from an outside address with the sender spoofed to look like an internal, 
trusted source (the spoofing is very easy but knowledge of the internal account 
naming convention, etc. was a little bit more difficult to match).  This would 
make it much easier for me to send an email from helpdesk () xyz com requesting 
that JohnSmith () xyz com execute the attached file.  Sure he might know not to 
execute attachments from other untrusted domains but would he not open this 
from his "own" helpdesk?  The amount of knowledge to execute this attack would 
be somewhat trivial to obtain - simple Google searches would most likely return 
the email addresses for a targeted company.  A very large % of typical users 
would never think to check SMTP headers - they likely don't even know what 
those are.

I'm not sure that this problem can be resolved within sendmail config files but 
if anyone knows differently, please let me know.

Thanks again,

Jim

I think the original sender and several of the respondents may be
confusing 'spam with forged headers' with 'open relaying.'

The original question was not about his relay being hijacked to send
spam, it was about mail coming IN to his company xyz.com for joe () xyz com
purporting to be from another sender at xyz.com when it really came from
somewhere else. That's NOT open relaying, that's forging headers and
there's not much you can do about it without breaking things (What if
mary () xyz com wants to use her xyz.com return address when she's sending
mail from home to joe () xyz com via her local ISP dialup -- Why would you
want to block that?) What's the difference if incoming spam has one
forged address or another anyway? It's still spam!

'Switching to Postfix', using a 'content security gateway,' or 'TLS' are
not going to solve this problem (forging of email headers).
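The check Jim describes (local sender, local recipient, connection from outside the networks he controls) and the objection John raises (Mary mailing from home through her ISP) can both be made concrete in a small policy function. The following is an added example written for this archive page, not code from either poster or from sendmail itself; the domain xyz.com is taken from the thread, the network ranges, sample envelopes and the function names `policy` and `run_samples` are constructed for illustration. It uses SMTP AUTH status as the escape hatch for roaming users, which is the piece a plain "reject my own domain from outside" rule lacks.

```python
import ipaddress
from email.utils import parseaddr

# Assumed values for the example: the thread's domain and two constructed
# address ranges standing in for "networks which I control".
LOCAL_DOMAIN = "xyz.com"
TRUSTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),   # constructed: internal LAN
    ipaddress.ip_network("127.0.0.0/8"),    # loopback (local submission)
]


def domain_of(addr):
    """Return the lowercased domain of an envelope address, or '' if it has none
    (covers '<>' null senders and bare local parts)."""
    _, email = parseaddr(addr)
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()


def policy(mail_from, rcpt_to, client_ip, authenticated=False):
    """Decide ACCEPT/REJECT for one SMTP envelope.

    Only the case the thread is about is rejected: sender and recipient both
    in LOCAL_DOMAIN, client outside TRUSTED_NETS, and no SMTP AUTH.  Everything
    else is left to whatever other filtering the site runs.
    """
    if domain_of(mail_from) != LOCAL_DOMAIN or domain_of(rcpt_to) != LOCAL_DOMAIN:
        return "ACCEPT"              # not local-to-local; out of scope here
    if authenticated:
        return "ACCEPT"              # roaming user who proved who they are
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "ACCEPT"              # came from a network we control
    return "REJECT"                  # the forged-internal-sender case


# Constructed sample envelopes: (MAIL FROM, RCPT TO, client IP, SMTP AUTH used)
SAMPLES = [
    ("<helpdesk@xyz.com>", "<johnsmith@xyz.com>", "203.0.113.9", False),   # forged from outside
    ("<helpdesk@xyz.com>", "<johnsmith@xyz.com>", "192.0.2.10", False),    # internal host
    ("<mary@xyz.com>", "<joe@xyz.com>", "203.0.113.50", True),             # Mary from home, authenticated
    ("<mary@xyz.com>", "<joe@xyz.com>", "203.0.113.50", False),            # Mary from home, no AUTH: John's objection
    ("<someone@example.net>", "<joe@xyz.com>", "203.0.113.77", False),     # outside sender, untouched
    ("<>", "<joe@xyz.com>", "203.0.113.77", False),                        # bounce (null sender), untouched
]


def run_samples():
    """Apply the policy to every constructed sample and return the verdicts."""
    return [policy(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:6} {sample[0]} -> {sample[1]} from {sample[2]} auth={sample[3]}")
```

The fourth sample is the cost John points out: without SMTP AUTH (or a submission port that requires it), a legitimate user sending from an ISP connection with her work return address is indistinguishable from the forged helpdesk message and gets the same REJECT. In sendmail this kind of decision would sit in a custom check_mail/check_rcpt ruleset or, on 8.11, a milter; the logic is the same either way, and the decision to deploy it is really a decision about whether all of your own users can be made to authenticate.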
