RE: SMTP Service in private DMZ OK?

From: Kevin E. Casey (kcasey_at_nanoweb.com)
Date: 01/30/04

  • Next message: Bruce Martins: "RE: SMTP Service in private DMZ OK?"
    Date: Fri, 30 Jan 2004 15:28:16 -0500
    To: <focus-ms@securityfocus.com>
    
    

    I believe he meant the mail from: fake-user@domain.com

    The SMTP protocol does not support a function whereby the receiving SMTP
    server queries the sending server for the validity of a user-name. In
    fact, since relaying was built into the SMTP protocol from the get-go in
    order to support a severely damaged network (as in the case of a nuclear
    attack), they made the RFC clearly in favor of permitting delivery of
    the messages (as opposed to a DENY-everything-PERMIT-a-little kind of
    thinking that most secure systems now use). Since most servers (other
    than perhaps the first) in a relay chain would not have the information
    necessary to support a user validation mechanism (and if it did, the
    network would be flooded with verification requests), it didn't make
    sense to the founding fathers of the SMTP protocol.

    And while you're building the wish list, too bad the HELO command isn't
    used for anything other than diddley. You can HELO my***.com (insert
    your bogus domain/bull*** IP address here) to practically every SMTP
    server and it will still permit you to send email into that server.

    It's really time that we security professionals get off our butts and
    craft a new email protocol, secure from the ground up, that makes it
    impossible for people to submit mail to a server without a proof of who
    they are and what they are doing and allows owners of the mail server to
    take positive control over what is permitted to be sent. The US govt
    only permits mail carriers to place mail in our mailboxes. We too
    should have a protocol that controls who and what can place email into
    our email boxes.

    Virus, backdoors, DDOS attacks... Most of these choose email as their
    initial vector because it is so easy to fake the origin of the attack,
    to relay it through multiple countries/legal boundaries, and because the
    badly run SMTP servers out there are geared to relay the junk like so
    many little firehoses spraying the payload across the net...

    Imagine a world in which an email that arrives in your inbox contains a
    completely, 100% verified audit trail of where it originated and who
    sent it. Might be a bit Orwellian, but sending email to my inbox is a
    privilege--not some deity-given right. I'd love to know the phone
    number of the jerks who keep sending me their pitches for cure-alls...
    I've got a nice little auto-dialer I'd love to unleash on their home
    phones at 3am.

    Anyone out there up for a rewrite of SMTP? (And then the challenge of
    convincing the rest of the world to abandon SMTP forever?)

    -----Original Message-----
    From: Steve Evans [mailto:sevans@foundation.sdsu.edu]
    Sent: Thursday, January 29, 2004 6:16 PM
    To: focus-ms@securityfocus.com
    Subject: RE: SMTP Service in private DMZ OK?

    Who is "that user" that you refer to?

    If you're talking about the mail from: address then so what?

    If you're talking about the rcpt to: address then so what? Would you
    prefer that the SMTP service reject that address right then and there,
    making it even easier to find out what a valid address is?

    I've got to be missing something.

    Steve Evans
    SDSU Foundation

    -----Original Message-----
    From: Random Task [mailto:rand0m_t4sk@yahoo.com]
    Sent: Tuesday, January 27, 2004 2:42 PM
    To: mlyman-security@comcast.net; focus-ms@securityfocus.com
    Subject: Re: SMTP Service in private DMZ OK?

    --- Mike Lyman <mlyman-security@comcast.net> wrote:
    > If you are talking about Windows 2000 and beyond, it's locked down
    > against relaying by default.

    One issue I've found but not resolved yet is the ability to relay mail
    to users in a domain by using a fake email address in that domain as the
    From: address. Example:

    >> nc mail.domain.com 25
    220 mail.domain.com ready
    helo
    250 mail.domain.com Hello [1.2.3.4]
    mail from: fake-user@domain.com
    220 2.1.0 fake-user@domain.com....Sender OK
    rcpt to: real-user@domain.com
    220 2.1.5 real-user@domain.com
    354 Start mail input; end with <CRLF>.<CRLF>
    subject: blah
    message
    message
    .
    250 2.6.0 <msgid stuff> Queued mail for delivery

    This message went through even though that user didn't exist. This could
    allow an attacker to perform some social engineering of some sort,
    whether it's through URL redirection, reply-to address, or whatever. Has
    anyone seen a way to prevent this behavior in Exchange 2000/2003?
    GroupWise?

    Thanks.
    rt
    (I can respond on my real work address if you like, just request it.)
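The session quoted in this thread is accepted because nothing at the MAIL FROM stage ties a sender in the server's own domain to an authenticated or internal client. The following is an added example, not part of the original messages and not an Exchange or GroupWise setting: a receive-side policy check in Python, where the function names, trusted network and mailbox list are constructed assumptions. The HELO test is syntactic only and proves nothing about who is connecting.

```python
import ipaddress

# Constructed policy data for illustration (assumptions, not from the thread).
LOCAL_DOMAINS = {"domain.com"}
LOCAL_MAILBOXES = {"real-user@domain.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(client_ip):
    """True when the connecting address is inside an internal network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def helo_ok(helo_arg):
    """Accept a multi-label host name or an address literal like [1.2.3.4]."""
    if not helo_arg:
        return False  # the bare "helo" seen in the quoted session
    if helo_arg.startswith("[") and helo_arg.endswith("]"):
        literal = helo_arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    labels = helo_arg.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        l and l.isascii() and l.replace("-", "").isalnum() for l in labels)


def check_mail_from(client_ip, helo_arg, authenticated, mail_from):
    """Return an (SMTP code, reason) decision for the MAIL FROM stage."""
    if not helo_ok(helo_arg):
        return 501, "HELO requires a domain or address literal"
    sender = mail_from.strip().strip("<>").lower()
    domain = sender.rpartition("@")[2]
    if domain in LOCAL_DOMAINS:
        # A local-domain sender must come from an authenticated or internal client.
        if not (authenticated or is_trusted(client_ip)):
            return 550, "local sender domain requires authentication"
        # Even internal clients may not use a mailbox that does not exist.
        if sender not in LOCAL_MAILBOXES:
            return 550, "sender mailbox does not exist"
    return 250, "Sender OK"
```
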
