Security Basics mailing list archives

Re: [LIST][SECURITYBASICS] Sender Spoofing via SMTP


From: Tomasz Nidecki <tonid () hakin9 org>
Date: Thu, 17 Nov 2005 12:40:45 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

I've re-read your message Devdas, and finally understood you had
something different in mind with your clues. So here are some more
comments.

Friday, November 11, 2005, 3:21:20 PM, Devdas Bhagat wrote:

2. For an UNAUTHENTICATED user:

2.1. Check the domain in MAIL FROM against a list of your local
     domains
2.2. DENY the mail if it matches, since there should be no such case
     where an unauthenticated user is sending mail with your MAIL
     FROM.

Clue: .forward

The cases when it would disturb pre-delivery forwarding would be
severely limited and in such cases forwarding is usually not used.

Hint: If an unauthenticated user [i.e. another server] is sending mail
to you with your domain's MAIL FROM, that would mean that one of your
users has a forwarding address on another machine, and the mail is to
be received by your user.

E.g.: joe () yourserver com has a forwarding address joe () forward com and
alice () yourserver com wants to write e-mail to Joe. Why would Alice use
the forwarding address, if the domains are in the same company? [I'm
proposing this solution on company servers, NOT ISPs or private
servers, for the purpose of brand protection].

Hence, there would be a problem if alice () yourserver com wrote to
joe () forward com and the forward.com mailserver sent mail from
alice () yourserver com to joe () yourserver com. But as I said, in the
company environment this should not happen, and if it happens, it only
affects the company's local users.

2.3. Additionally, if possible, also check the domain in From: header
     in the DATA section, before queueing it, and do the same as
     above.

Clue: Mailing lists.

True. This would make mail sent to external mailing lists from company
employees undeliverable to other company employees. But then again,
this proposal is for brand protection for companies. It's up to
management whether they are willing to adopt such a strategy, which
only limits the local company users, no one else.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid () hakin9 org      jid:tonid () tonid net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Do you know what the word "hacker" means? (Polish version)
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3xsPUR7PdagQ735AQGRaAQAs6s71GbqgDnm86yqlNuvup56jr0Q45yW
aXaIlduBYYnVbDDy0DuzuwQ991pP5WLhLJhAnK1O5Y2sK5dGpMizzy2jO2UoT4F1
IBUe/9eaxPwOk9PG5uK8PhkVEE0k15EQgIl1bIpg52+0hKkMp0RMrZDgCHOxPRXT
bIP9fx1pk4A=
=AyJk
-----END PGP SIGNATURE-----
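The policy in points 2.1 to 2.3 above, as an added example that is not part of the original message and not code from either poster: one decision function for the MAIL FROM stage and one for the From: header after DATA, with the company domain (yourserver.com), the addresses and the sample messages constructed for illustration. The .forward case the message describes (forward.com handing Alice's mail back with her address in MAIL FROM and no authentication) is exactly the unauthenticated local sender that 2.2 rejects, and the code keeps that visible rather than special-casing it.

```python
"""Sender-domain policy from points 2.1-2.3: an unauthenticated client
(i.e. another server) may not use one of our domains in MAIL FROM, and
optionally not in the From: header either.  Added example with constructed
data; LOCAL_DOMAINS and the messages below are illustrative assumptions."""
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"yourserver.com"}   # assumed company domain from the thread


def domain_of(addr):
    """Lowercased domain part of an addr-spec; '' if there is no '@'."""
    _, at, dom = addr.rpartition("@")
    return dom.strip("<>[] \t").lower() if at else ""


def is_local(addr, local=LOCAL_DOMAINS):
    """True when the domain is one of ours, including subdomains."""
    dom = domain_of(addr)
    return any(dom == d or dom.endswith("." + d) for d in local)


def envelope_decision(authenticated, mail_from, local=LOCAL_DOMAINS):
    """Points 2.1/2.2, evaluated at MAIL FROM.  Returns (action, reason).
    The null sender <> used by bounces has no domain and is never local."""
    if authenticated:
        return "OK", "authenticated client may use local domains"
    if is_local(mail_from, local):
        return "REJECT", "unauthenticated client with local MAIL FROM " + mail_from
    return "OK", "foreign or null sender"


def header_decision(authenticated, raw_message, local=LOCAL_DOMAINS):
    """Point 2.3, evaluated after DATA and before queueing.  Every addr-spec
    in From: is checked, as 2.3 specifies.  A display name that merely
    looks like a local address ("alice@yourserver.com" <x@other.example>)
    is not an addr-spec and passes this check: a known limit of a
    domain-in-From: rule, not something the policy in the thread covers."""
    if authenticated:
        return "OK", "authenticated client may use local domains"
    msg = message_from_string(raw_message)
    for _name, addr in getaddresses(msg.get_all("From", [])):
        if is_local(addr, local):
            return "REJECT", "unauthenticated client with local From: " + addr
    return "OK", "From: header carries no local domain"


# Constructed sample messages (not from the thread).
LOCAL_FROM_MSG = (
    "From: Alice <alice@yourserver.com>\n"
    "To: joe@yourserver.com\n"
    "Subject: via forward.com or an external mailing list\n"
    "\n"
    "hello\n"
)
DISPLAY_NAME_ONLY_MSG = (
    'From: "alice@yourserver.com" <someone@other.example>\n'
    "To: joe@yourserver.com\n"
    "Subject: local address only in the display name\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    # The .forward case from the thread: forward.com hands Alice's mail back
    # to us with MAIL FROM alice@yourserver.com and no authentication.
    print(envelope_decision(False, "<alice@yourserver.com>"))   # REJECT
    print(envelope_decision(False, "<>"))                       # OK, bounce
    print(header_decision(False, LOCAL_FROM_MSG))               # REJECT
    print(header_decision(False, DISPLAY_NAME_ONLY_MSG))        # OK
```

In Postfix terms the envelope half is `smtpd_sender_restrictions` with `permit_sasl_authenticated` listed before a `check_sender_access` table that maps the local domains to REJECT. The From: half does not map onto a plain `header_checks` rule, because header_checks run in cleanup for all mail and do not know whether the client authenticated; it needs a milter or policy service that sees the authentication state, which is why the functions above take that flag explicitly.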
