Security Incidents mailing list archives
Re: E-Mail relay or break in?
From: nathan () MMIND NET (Nathan Nichols)
Date: Wed, 9 Feb 2000 12:19:04 -0600
I believe that one of the Service Packs for Exchange 5.0 and Exchange 5.5 adds relay blocking (somebody correct me if I'm incorrect). I'd go grab SP2 for 5.5 and give it a shot.

-----
Nathan Nichols
Unix Systems Administrator
MasterMind Internet Services
918-743-6161

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of JJ Gray
Sent: Wednesday, February 09, 2000 5:40 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: E-Mail relay or break in?

Strange... if I wanted to test that a mail server would allow open relay I would make sure I could get the mail myself, to a dummy hotmail/yahoo account... but your example is within a single domain.

AFAIK Exchange cannot be configured to prevent open relay. Also, the main thing I noticed in the SMTP commands is the empty HELO command... RFC 821 says that this should identify the sender SMTP address to the receiver SMTP. Ideally the mail server should reject an empty HELO or at least complain about it not being the source IP of the connection (which should also be logged). The rest of the SMTP commands are legit though. It could just be a wind-up *shrug*

Bear in mind that spoofed email can be dangerous - if I spoof a mail from your CEO to you, asking for sensitive information, but have the reply-to address set to hacker () example com (which you don't see on most email clients!) then you will send me the info, thinking it will go to your CEO... Digital signatures and/or encryption can help with this.

Regards,
JJ

Sed quis custodiet ipsos custodes ?

----- Original Message -----
From: Seth Georgion <sysadmin () SASSPRODUCTIONS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 09, 2000 2:56 AM
Subject: E-Mail relay or break in?

[snip]

And here is the log of what the person typed in word for word.

2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO |
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK
[snip]
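JJ Gray's point about the empty HELO can be turned into a log check. The following is an added example, not code posted by anyone in this thread: it parses log lines in the format Seth quoted, groups the raw "<<< IO:" commands by the connection that preceded them, and flags sessions whose HELO/EHLO carried no argument (RFC 821 requires a domain there). The log sample is constructed and the peer name MAILHUB is hypothetical.

```python
import re

# Constructed sample in the style of the Exchange SMTP log quoted above.
SAMPLE_LOG = """\
2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO |
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK
2/8/00 3:20:01 PM : A connection was accepted from MAILHUB.
2/8/00 3:20:01 PM : <<< IO: |HELO mailhub.example.com|
2/8/00 3:20:01 PM : <<< HELO mailhub.example.com
2/8/00 3:20:02 PM : >>> 250 OK
"""

# "<date> <time> <AM|PM> : <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) : (?P<body>.*)$")
CONNECT_RE = re.compile(r"^A connection was accepted from (?P<peer>\S+?)\.?$")
# The raw client line as received, between the pipe delimiters.
IO_RE = re.compile(r"^<<< IO: \|(?P<cmd>.*)\|$")


def parse_sessions(text):
    """Group raw client commands under the connection that preceded them."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip it
        body = m.group("body")
        c = CONNECT_RE.match(body)
        if c:
            current = {"ts": m.group("ts"), "peer": c.group("peer"), "cmds": []}
            sessions.append(current)
            continue
        io = IO_RE.match(body)
        if io and current is not None:
            current["cmds"].append(io.group("cmd"))
    return sessions


def empty_helo_sessions(sessions):
    """Return the sessions whose HELO/EHLO had no domain argument."""
    flagged = []
    for s in sessions:
        for cmd in s["cmds"]:
            verb, _, arg = cmd.partition(" ")
            if verb.upper() in ("HELO", "EHLO") and not arg.strip():
                flagged.append(s)
                break
    return flagged
```

Run it over a real log export and review the flagged peers alongside the RCPT TO lines of the same session to decide whether the connection was a relay probe.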