Re: Mail Server problem / query

From: Prashant Gawade (prashant.gawade_at_paladion.net)
Date: 04/14/05

    Date: 14 Apr 2005 09:11:10 -0000
    To: pen-test@securityfocus.com
    In-Reply-To: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>

    Hi all,

    I had the same problem a few months back. This is what I got at that time.
    Anyone can set up an Exchange server and send spoofed mail to your organization, but in this case we can always trace it back using the source IP.
    But by default the relay agent allows relaying within the same domain. There are a few solutions available for this, but the implementation will depend upon the email architecture.

    1. Using Microsoft Exchange Intelligent Message Filter

    This feature is only available in Exchange 2003 SP1.
    Many options like Sender ID, Recipient filtering, etc.
    http://www.microsoft.com/exchange/downloads/2003/imf/default.mspx

    2. Using anti-spam software
    Many commercial anti-spam applications are available which will drop such spoofed mail. While sending, the mail will show as "queued for delivery", but actually it will not get delivered.

    3. Using a separate SMTP gateway with authentication enabled
    In the IIS SMTP virtual server gateway we can apply restrictions based on:
            Authentication
            IP-based filtering
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324281

    4. Sender Policy Framework (SPF) or Sender ID Framework (SIDF)
    The Sender ID Framework is an e-mail authentication protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent.
    http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

    Prashant Vijayanand Gawade
    Security Engineer
    Paladion Networks
    Navi Mumbai
    http://www.paladion.net

    >Received: (qmail 3483 invoked from network); 14 Apr 2005 01:31:09 -0000
    >Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
    > by mail.securityfocus.com with SMTP; 14 Apr 2005 01:31:09 -0000
    >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
    > by outgoing3.securityfocus.com (Postfix) with QMQP
    > id 90569237008; Wed, 13 Apr 2005 19:30:27 -0600 (MDT)
    >Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm
    >Precedence: bulk
    >List-Id: <pen-test.list-id.securityfocus.com>
    >List-Post: <mailto:pen-test@securityfocus.com>
    >List-Help: <mailto:pen-test-help@securityfocus.com>
    >List-Unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
    >List-Subscribe: <mailto:pen-test-subscribe@securityfocus.com>
    >Delivered-To: mailing list pen-test@securityfocus.com
    >Delivered-To: moderator for pen-test@securityfocus.com
    >Received: (qmail 26340 invoked from network); 13 Apr 2005 22:08:49 -0000
    >Message-ID: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>
    >Date: Wed, 13 Apr 2005 22:44:55 +0100 (BST)
    >From: Marc Davison <m_davison@talk21.com>
    >Subject: Mail Server problem / query
    >To: pen-test@securityfocus.com
    >MIME-Version: 1.0
    >Content-Type: text/plain; charset=iso-8859-1
    >Content-Transfer-Encoding: 8bit
    >
    >Hi all, I hope you can help with this. I have been
    >testing a server for open-relay and found that I could
    >connect from an external machine and send mails using
    >a MAIL FROM (the local domain) and a RCPT TO (the
    >local domain) - now this may seem fine as internal
    >users will need to send mail to other internal users
    >but my query is whether there are mail servers which
    >can be configured to recognise that the connection was
    >an external address and therefore that the MAIL FROM
    >address was invalid. eg I can send a mail from the CEO
    >of the company to his own secretary asking her to copy
    >his hotmail address on all future mails and to the
    >secretary, this mail seems perfectly valid yet me
    >(prospective attacker) outside the company may now
    >receive loads of sensitive mails (assuming the
    >secretary is the type who doesn't like to query things
    >and ask questions) - thanks in advance.
    >
    >Send instant messages to your online friends http://uk.messenger.yahoo.com
    >
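The policy Marc asks about and the combination of options 3 and 4 above (trust internal or authenticated clients, refuse relay for outsiders, and reject a local-domain MAIL FROM from an external host unless SPF authorises it) can be expressed as a small decision function. This is an added illustration, not code from the thread or from any mail product; the local domain, internal networks and SPF record are constructed values standing in for real configuration and DNS lookups.

```python
import ipaddress

# Constructed example values, not from the original post.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Constructed stand-in for DNS TXT lookups; a real check queries DNS.
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms plus a final 'all'.
    Returns pass, fail, softfail, neutral, or none (no record)."""
    record = SPF_RECORDS.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is '+'
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qual]
        elif term == "all":             # catch-all ends evaluation
            return RESULT[qual]
    return "neutral"


def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Policy for one MAIL FROM / RCPT TO pair. Returns (verdict, reason)."""
    ip = ipaddress.ip_address(client_ip)
    internal = any(ip in net for net in INTERNAL_NETS)
    from_dom = mail_from.rsplit("@", 1)[-1].lower()
    to_dom = rcpt_to.rsplit("@", 1)[-1].lower()
    if internal or authenticated:
        return "accept", "trusted client (internal network or SMTP AUTH)"
    if to_dom not in LOCAL_DOMAINS:
        return "reject", "relay denied: external client, external recipient"
    if from_dom in LOCAL_DOMAINS:
        # External, unauthenticated host claiming to be us: only an
        # SPF-authorised sender (e.g. an outsourced gateway) gets through.
        spf = spf_check(from_dom, client_ip)
        if spf != "pass":
            return "reject", f"spoofed local sender from outside (SPF {spf})"
        return "accept", "local sender via SPF-authorised host"
    return "accept", "inbound mail to local recipient"
```

The CEO-to-secretary case from the question is the third branch: an external client with no authentication and a MAIL FROM in the local domain is refused unless its IP is listed in the domain's SPF record.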