Security Basics mailing list archives

Re: Sender Spoofing via SMTP


From: Tomasz Nidecki <tonid () hakin9 org>
Date: Tue, 8 Nov 2005 12:04:08 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Saturday, November 5, 2005, 6:06:49 AM, brandon wrote:

> The server is configured with 2 SMTP virtual servers (VS), each
> one on port 25, one VS for each address. 192.168.1.10 (VS1) is
> internet facing the second 192.168.1.11 (VS2) will connect to the
> internal server(s). All traffic from the internet would be sent to
> smtp.foo.com, which in turn would come to the 192.168.1.10 address.
> We allow anonymous connections to this VS, but perform reverse DNS
> lookups on incoming messages, and also apply a sender filter for
> *.foo.com that way even though we are not stopping the outside from
> connecting via telnet, they cannot spoof an internal address (since
> we are filtering that) and they cannot spoof a bogus domain since we
> look for that too. Exchange 2003 already prevents relaying to
> external domains as previously suggested, thanks for making me check
> though! The second VS could now be configured to speak only to the
> backend server(s) and ignore all other traffic from other systems
> (ie client desktops).

Well, the setup will save you some spoofing, but:

* your roaming users will not be able to send mail from their company
accounts to your local users, because they'll be treated the same way
as if someone was spoofing your local domain.

* most spam comes from existent domains, such as yahoo.com, msn.com,
hotmail.com. Your setup will not eliminate that. Nothing will
eliminate that spoofing taking place, as you cannot use SPF if you
want your mailserver to function properly.

> Hostname (internal DNS) - exch1.foo.com - internal IP address 192.168.2.10
> Any and all internal SMTP Virtual servers get configured slightly
> differently. These Virtual servers do not require the filter, no
> reverse DNS lookup and should be configured to require Integrated
> Windows authentication, which will prevent anyone from connecting via
> Telnet to the internal exchange boxes and sending a spoofed email --
> Insert spoofed pink slip from the boss email here -- since once they
> try to do anything beyond a EHLO the connection gets dropped.

Duh. Why so complicated? Let people inside the company use any mail
client they want. What if they don't have a client which allows the
usage of Integrated Windows authentication?

Use SMTP AUTH instead.

> Does this sound like a pretty safe exchange setup besides the
> obvious 3rd party AV and things of that nature?

Seems quite safe, but does not address many problems as I mentioned:

1. you might be safe from someone from the outside spoofing your
domain, but you'll be making life hell for your roaming users.

Solution: use SMTP AUTH or POP BEFORE SMTP on your external mail
server. If the user authenticates, treat him exactly the way you treat
internal users.

2. your internal users will be forced to Internal Windows
authentication. What if someone works on a Linux box inside your
company? No mail?...

Solution: use SMTP AUTH or POP BEFORE SMTP on your internal mail
server and require this from ALL users. Use a mail server that
places the authentication info in the Received: headers, so you can
see who the real sender of the email was, independent of what's
in their Return-Path: [MAIL FROM] and From: headers.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid () hakin9 org      jid:tonid () tonid net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Czy wiesz, co znaczy slowo "haker"?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3CGK0R7PdagQ735AQGJ2wP+Mx9wdaOzun9elxPuafIGl8OyU1oh2dlD
SGkHBb27q2B0U1/VRmcjLt4XZgBx1IuJ4ajtaGrNIqmAKfi8gRSPQfmxlLm0kz0d
e+Tiv0emn4KeKnS56nileGq3Rak4OQ+bob4hLRSwdHEe2LMhb/D0t5qOlx40AhHY
dAAws+Z6mUM=
=0rai
-----END PGP SIGNATURE-----
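
A defender-side illustration of the point made in item 2 of the reply above (an authenticated account recorded in Received: headers versus whatever the sender put in From: and Return-Path:), added here as an example; it is not code from the original message or from any product it mentions. The sample messages are constructed, and the "(Authenticated sender: ...)" annotation follows the wording Postfix writes when it is configured to record SASL logins; other MTAs phrase this differently, so the regex is an assumption to adapt to the relay actually in use.

```python
"""Cross-check From:/Return-Path: against the account recorded by SMTP AUTH."""
import email
import re
from email.utils import parseaddr

# The annotation an AUTH-requiring MTA writes into Received:. The
# "(Authenticated sender: user)" form is what Postfix emits; it is an
# assumption that the relay being audited writes it the same way.
AUTH_SENDER_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.IGNORECASE)

# Constructed sample 1: the From: and Return-Path: claim to be the boss,
# but the internal relay recorded which account actually authenticated.
SPOOFED = """\
Return-Path: <boss@foo.com>
Received: from exch1.foo.com (exch1.foo.com [192.168.2.10])
\tby smtp.foo.com (Hypothetical MTA) with ESMTP id 2FgHiJ;
\tMon, 7 Nov 2005 09:12:45 +0100
Received: from workstation42 (unknown [192.168.2.77])
\t(Authenticated sender: jsmith@foo.com)
\tby exch1.foo.com (Hypothetical MTA) with ESMTPSA id 1AbCdE;
\tMon, 7 Nov 2005 09:12:44 +0100
From: "The Boss" <boss@foo.com>
To: everyone@foo.com
Subject: Pink slip
Message-ID: <constructed-1@foo.com>

Clear your desk by noon.
"""

# Constructed sample 2: the headers agree with the authenticated account.
LEGIT = """\
Return-Path: <jsmith@foo.com>
Received: from workstation42 (unknown [192.168.2.77])
\t(Authenticated sender: jsmith@foo.com)
\tby exch1.foo.com (Hypothetical MTA) with ESMTPSA id 3KlMnO;
\tMon, 7 Nov 2005 10:01:02 +0100
From: "Jane Smith" <jsmith@foo.com>
To: everyone@foo.com
Subject: Lunch
Message-ID: <constructed-2@foo.com>

Anyone for pizza?
"""

# Constructed sample 3: no hop required authentication, so there is
# nothing to compare the visible sender against.
UNAUTHENTICATED = """\
Return-Path: <boss@foo.com>
Received: from somehost (unknown [192.168.2.99])
\tby exch1.foo.com (Hypothetical MTA) with ESMTP id 4PqRsT;
\tMon, 7 Nov 2005 10:30:00 +0100
From: "The Boss" <boss@foo.com>
To: everyone@foo.com
Subject: Urgent
Message-ID: <constructed-3@foo.com>

Please call me.
"""


def authenticated_senders(msg):
    """Return every authenticated account named in the Received: chain (top hop first)."""
    found = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        found.extend(m.group(1).lower() for m in AUTH_SENDER_RE.finditer(flat))
    return found


def check_sender_consistency(raw_message):
    """Compare the visible sender headers with the account(s) recorded by SMTP AUTH."""
    msg = email.message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    authed = authenticated_senders(msg)
    findings = []
    if not authed:
        findings.append("no authenticated sender recorded in any Received: header")
    for account in authed:
        if header_from != account:
            findings.append(f"From: {header_from} does not match authenticated account {account}")
        if return_path != account:
            findings.append(f"Return-Path: {return_path} does not match authenticated account {account}")
    return {"from": header_from, "return_path": return_path,
            "authenticated": authed, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("unauthenticated", UNAUTHENTICATED)):
        result = check_sender_consistency(sample)
        print(label, "->", result["findings"] or ["consistent"])
```

The check only means something on a relay that refuses unauthenticated submission, which is exactly the configuration the reply argues for: once every internal hop requires SMTP AUTH and records the login, a From: that names someone other than the authenticated account is a flag worth alerting on, whatever the MAIL FROM said.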
