Security Incidents mailing list archives

Re: E-Mail relay or break in?

From: nathan () MMIND NET (Nathan Nichols)
Date: Wed, 9 Feb 2000 12:19:04 -0600


I believe that one of the Service Packs for Exchange 5.0 and Exchange 5.5
adds relay blocking (somebody correct me if I'm incorrect).  I'd go grab
SP2 for 5.5 and give it a shot.
-----
Nathan Nichols
Unix Systems Administrator
MasterMind Internet Services
918-743-6161

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of JJ Gray
Sent: Wednesday, February 09, 2000 5:40 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: E-Mail relay or break in?

Strange... if I wanted to test that a mail server would allow open relay I
would make sure I could get the mail myself, to a dummy hotmail/yahoo
account... but your example is within a single domain.
AFAIK Exchange cannot be configured to prevent open relay, also the main
thing I noticed in the SMTP commands is the empty HELO command... RFC 821
says that this should identify the sender SMTP address to the receiver
SMTP.
Ideally the mail server should reject an empty HELO or at least complain
about it not being the source IP of the connection ( which should also be
logged ).   The rest of the SMTP commands are legit though.
It could just be a wind-up *shrug*   Bear in mind that spoofed email can
be
dangerous - if I spoof a mail from your CEO to you, asking sensitive
information, but have the reply-to address to hacker () example com ( which
you
don't see on most email clients ! ) then you will send me the info,
thinking
it will go to your CEO...
Digital signatures and/or encryption can help with this.

Regards,
            JJ

Sed quis custodiet ipsos custodes ?

----- Original Message -----
From: Seth Georgion <sysadmin () SASSPRODUCTIONS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 09, 2000 2:56 AM
Subject: E-Mail relay or break in?
[snip]

And here is the log of what the person typed in word for word.


2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO
|
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK

[snip]

<HR NOSHADE>
<UL>
<LI>application/x-pkcs7-signature attachment: smime.p7s
</UL>

Current thread:

Re: Strange traceroute, (continued)
- Re: Strange traceroute RB (Feb 03)
  - Re: Strange traceroute CyberPsychotic (Feb 05)
    - Re: Strange traceroute Dragos Ruiu (Feb 07)
    - Private networks and home.{net|com} Etaoin Shrdlu (Feb 07)
    - Strange ping reply packets Artur Nowak (Feb 08)
    - Re: Private networks and home.{net|com} Bruce A. Mah (Feb 08)
    - Re: Private networks and home.{net|com} Dragos Ruiu (Feb 09)
    - E-Mail relay or break in? Seth Georgion (Feb 08)
    - Re: E-Mail relay or break in? JJ Gray (Feb 09)
    - Re: E-Mail relay or break in? Graeme (Feb 09)
    - Re: E-Mail relay or break in? Nathan Nichols (Feb 09)
    - Re: E-Mail relay or break in? Ryan Russell (Feb 09)
    - Recent DDoS Bino Gopal (Feb 08)
    - Re: Recent DDoS Qmail Admin (Feb 09)
    - Port 34545 jimwebb () EASYSTREET COM (Feb 09)
    - Re: Recent DDoS MMS26 (Feb 09)
    - Re: Recent DDoS Vanja Hrustic (Feb 09)
    - Re: Recent DDoS (was Ping flood? Whats the point?) Kerry Baker (Feb 09)
    - Re: Recent DDoS (was Ping flood? Whats the point?) Eivind Eklund (Feb 11)
    - SSH2 Exploit? Jonathan A. Zdziarski (Feb 09)
    - Re: SSH2 Exploit? Alexander Kiwerski (Feb 10)

(Thread continues...)