RE: Protection against fake mails

[Craig Wright <Craig.Wright () bdo com au>]

If I want to be really clever....

Step one:
Compromise a router on the path between a mail server on the route of the email you want to spoof.

Step two:
Spoof the IP of the mail server and set rules on the router to store and forward packets allowing all real mails on and 
answering your own packets

Step three:
Create a script using valid options (too easy to make a typo yourself). A few bounce messages to a throw-away account 
will give you all you need from the header.

Step four:
Send Real looking but fake email. Fake IP, fake options and it will seem forensically sound. The only thing will be 
logs and headers on the senders site - and this may not be available.

Regards,
Craig Wright (GSE-Compliance)


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received 
this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. 
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () 
bdo com au.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved 
under Professional Standards Legislation.
-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Owen
Sent: Friday, 11 April 2008 12:40 AM
To: WALI
Cc: security-basics () securityfocus com
Subject: Re: Protection against fake mails

WALI wrote:
> If we a do a google search for the following string "Send free,
> anonymous and easy fake email", one of the sites we get is
> 'deadfake.com'...and many others. I can send an email to myself from
> myself by filling in the two fields at the website.
>
> Technically, what such sites seems to be doing is that, such mailers add
> an X-Mailer attribute to the message header indicating the message
> origin, and an X-Originating-Ip (a real one).
>
> How do I guard against such emails originating from fake email
> impersonations. Is there something I can do at our email gateway, proxy
> or exchange sever (2003) levels?

As an aside, what a great spam target  collection tool.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid