Re: E-Mail relay or break in?

[nexus () PATROL I-WAY CO UK (JJ Gray)]

Strange... if I wanted to test that a mail server would allow open relay I
would make sure I could get the mail myself, to a dummy hotmail/yahoo
account... but your example is within a single domain.
AFAIK Exchange cannot be configured to prevent open relay, also the main
thing I noticed in the SMTP commands is the empty HELO command... RFC 821
says that this should identify the sender SMTP address to the receiver SMTP.
Ideally the mail server should reject an empty HELO or at least complain
about it not being the source IP of the connection ( which should also be
logged ).   The rest of the SMTP commands are legit though.
It could just be a wind-up *shrug*   Bear in mind that spoofed email can be
dangerous - if I spoof a mail from your CEO to you, asking sensitive
information, but have the reply-to address to hacker () example com ( which you
don't see on most email clients ! ) then you will send me the info, thinking
it will go to your CEO...
Digital signatures and/or encryption can help with this.

Regards,
            JJ

Sed quis custodiet ipsos custodes ?

----- Original Message -----
From: Seth Georgion <sysadmin () SASSPRODUCTIONS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 09, 2000 2:56 AM
Subject: E-Mail relay or break in?
[snip]

> And here is the log of what the person typed in word for word.
>
>
> 2/8/00 3:14:42 PM : A connection was accepted from GATE.
> 2/8/00 3:14:42 PM : <<< IO: |HELO
> |
> 2/8/00 3:14:42 PM : <<< HELO
> 2/8/00 3:14:43 PM : >>> 250 OK
[snip]

<HR NOSHADE>
<UL>
<LI>application/x-pkcs7-signature attachment: smime.p7s
</UL>