RE: SMTP Service in private DMZ OK?
From: Steve Evans (sevans_at_foundation.sdsu.edu)
Date: 01/30/04
- Previous message: Floyd Russell: "RE: Encrypt data - SQL Server 2000"
- Maybe in reply to: A. Bluecoat: "SMTP Service in private DMZ OK?"
- Next in thread: Lawrence Brownlee: "RE: SMTP Service in private DMZ OK?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jan 2004 15:16:01 -0800
To: <focus-ms@securityfocus.com>
Who is "that user" that you refer to?
If you're talking about the mail from: address then so what?
If you're talking about the rcpt to: address then so what? Would you
prefer that the SMTP service reject that address right then and there,
making it even easier to find out what a valid address is?
I've got to be missing something.
Steve Evans
SDSU Foundation
-----Original Message-----
From: Random Task [mailto:rand0m_t4sk@yahoo.com]
Sent: Tuesday, January 27, 2004 2:42 PM
To: mlyman-security@comcast.net; focus-ms@securityfocus.com
Subject: Re: SMTP Service in private DMZ OK?
--- Mike Lyman <mlyman-security@comcast.net> wrote:
> If you are talking about Windows 2000 and beyond, it's locked down
> against relaying by default.
One issue I've found but not resolved yet is the ability to relay mail
to users in a domain by using a fake email address in that domain as the
From: address. Example:
>> nc mail.domain.com 25
220 mail.domain.com ready
helo
250 mail.domain.com Hello [1.2.3.4]
mail from: fake-user@domain.com
220 2.1.0 fake-user@domain.com....Sender OK
rcpt to: real-user@domain.com
220 2.1.5 real-user@domain.com
354 Start mail input; end with <CRLF>.<CRLF>
subject: blah
message
message
.
250 2.6.0 <msgid stuff> Queued mail for delivery
This message went through even though that user didn't exist. This could
allow an attacker to perform some social engineering of some sort,
whether it's through URL redirection, reply-to address, or whatever. Has
anyone seen a way to prevent this behavior in Exchange 2000/2003?
GroupWise?
Thanks.
rt
(I can respond on my real work address if you like, just request it.)
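An added example, not from the thread and not Exchange or GroupWise code: a Python envelope-sender policy, of the kind a mail gateway or milter would apply at MAIL FROM, that refuses a local-domain sender from an unauthenticated external client (the case in the transcript above) while returning the same reply whether or not the mailbox exists, so it does not create the address-harvesting side effect Steve Evans describes for per-address rejection. The domain domain.com and the client address 1.2.3.4 are taken from the transcript; the internal address ranges, the function names and the reply text are assumptions.

```python
import ipaddress

# Assumed values (not from the thread): the domains this server is
# authoritative for, and the address ranges treated as internal.
LOCAL_DOMAINS = {"domain.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(client_ip):
    """True when the connecting client is inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def sender_domain(mail_from):
    """Domain part of an envelope sender as given to MAIL FROM.

    Accepts "user@dom" or "<user@dom>"; the null sender "<>" used for
    bounces has no domain and yields None.
    """
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_mail_from(mail_from, client_ip, authenticated):
    """Decide a MAIL FROM command; returns (accepted, smtp_reply).

    Policy: an unauthenticated client outside the internal networks may
    not claim an envelope sender in one of our own domains.  The same
    reply is given whether or not the mailbox exists, so the rejection
    tells a probing client nothing about which addresses are valid.
    """
    domain = sender_domain(mail_from)
    if (domain in LOCAL_DOMAINS and not authenticated
            and not is_internal(client_ip)):
        return False, "550 5.7.1 Sender address not permitted from this host"
    return True, "250 2.1.0 Sender OK"


if __name__ == "__main__":
    # Replay the session from the thread: external host 1.2.3.4, no
    # authentication, spoofed local sender -> refused at MAIL FROM.
    print(check_mail_from("fake-user@domain.com", "1.2.3.4", False))
    # Ordinary inbound mail from another domain is still accepted.
    print(check_mail_from("someone@example.net", "1.2.3.4", False))
```

This only governs the envelope sender; the From: header the recipient actually sees is written separately in DATA, so a gateway would apply the same local-domain test to that header as well.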