RE: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky)

[John.Airey () rnib org uk]

> -----Original Message-----
> From: Bill Royds [mailto:broyds () rogers com]
> Sent: 04 March 2004 03:08
> To: 'Dave Sherohman'
> Cc: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] E-mail spoofing countermeasures (Was:
> Backdoor not recognized by Kaspersky)
>
>
> Outlook 2003, Outlook Express 6. Mozilla mail etc. do 
> recognize what host to
> use for sending depending on what PoP server was used to read 
> the mail. They
> maintain accounts and any mail that comes in one account (its 
> PoP3 server)
> goes out that accounts corresponding SMP server. For example, 
> this is going
> out on my Full Disclosure account, not my Yahoo or Hotmail.
> The problem is that there MX entries have nothing logical to 
> do with where
> an email comes from. MX is mail destination addresses. 
> What is needed is a mail source record in DNS (MS record ?) 
> that gives the
> legitimate  sending hosts for that domain. If the envelope 
> from address uses
> a certain domain, looking up the MS record for that domain 
> should produce an
> IP  list that includes the sending host. 
>   Using authenticated SMTP, this would still allow a different return
> address in headers since envelope from would be user who 
> authenticated to
> SMTP server. But it  would prevent spoofed email (although 
> spam would still
> arrive, it could be tied to actual sender, allowing things 
> like CAN-SPAM to
> work).

I can see at least two problems with this "solution". 
First, errors with DNS configurations are common. I see "lame server" errors
regularly, and at the moment even our own ISP doesn't have reverse DNS
records for our IP addresses on its name servers (and I am hassling them
constantly to fix it).

Second, this "trusted" server will undoubtedly accept email from any
internal host so it won't take long for a virus to find it (they are usually
mail.domain-name or smtp.domain-name). 

A better solution would be to only allow one (or two) mail servers from your
organisation to be able to talk to port 25 on another server (egress
filtering), without another change to the DNS standard. This still has the
same drawback as the second one mentioned above.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?

- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html