RE: Sender Spoofing via SMTP

From: Matt Stovall (mstovall_at_charlestonforge.com)
Date: 11/07/05

  • Next message: Kelly Martin: "Re: sites for publishing sec related whitepapers?" 
    Date: Mon, 7 Nov 2005 09:19:49 -0500
To: <brandon.steili@gmail.com>

    Try adding a spf (sender privacy framework) entry in your DNS servers.
    It is a text entry that would go something like this "v=spf1 mx -all".
    Google for SPF and you should find a wealth of information.

    Also, definitely lock down the ability to be used as a relay.

    Even still you will probably see spoofed email addresses from your
    domain being sent to your domain.

    Matt Stovall
    Charleston Forge
    251 Industrial Park Drive
    Boone, NC 28607

    -----Original Message-----
    From: FocusHacks [mailto:focushacks@gmail.com]
    Sent: Friday, November 04, 2005 10:39 AM
    To: brandon.steili@gmail.com
    Cc: security-basics@securityfocus.com
    Subject: Re: Sender Spoofing via SMTP

    You can prevent it from happening by people using your own SMTP
    servers as a relay by disallowing relays.

    If you do not want incoming mail that has been relayed, the best bet
    is to use one of the mail relay blackhole lists. One such list is
    http://www.mail-abuse.com/

    What you get: A list of known IP Addresses that allow open relay (and
    thus, proliferation of spam)

    The Good: When you block these IP addresses, you no longer receive
    mail via any known open relays. Some spam squeaks past via open
    relays that haven't been discovered but they do not last long.

    The Bad: If someone that you want to be able to communicate with
    happens to be using a black-holed provider, you won't get the
    communication. Also, end users will typically have no idea that
    they've been blackholed unless your filtering solution has an
    auto-responder.

    The Ugly: A temporary misconfiguration and/or fresh install of the
    host OS can often lead to being blackholed. I switched plans with a
    dedicated hosting company, and got upgraded hardware and a fresh
    install of Linux with it. Within an hour (before I could get around
    to reconfiguring sendmail), I was blackholed and it took more than a
    day to clear up the issue with all the blackhole lists. There are a
    LOT of different lists that one must clear themselves from.
    Fortunately only 5 or 6 had flagged me. See http://rbls.org/

    On 3 Nov 2005 15:56:23 -0000, brandon.steili@gmail.com
    <brandon.steili@gmail.com> wrote:
    > Hi List,
    >
    > I know this is a common issue that does not seem to be well addressed,
    but I was hoping you folks could give some suggestions. (preferably for
    Exchange 2003)
    >
    > If I telnet to a system on the internet and perform the following:
    >
    > telnet target 25
    > EHLO (assuming Exchange)
    > MAIL FROM: someone
    > RCPT TO: someone_else@TargetDomain.com
    > DATA ....
    >
    > The server will happily forward my mail to the internal mailbox
    without validating anything. I did not have to authenticate, I did not
    even have to provide a real sender on the system, I could make one up.
    Again, I know this is a common issue, the question is how can I prevent
    this from happening?
    >
    > With the proliferation of social engineers / phishers, etc I would
    like to try and find a way to prevent this, not because it is a big
    problem but because it might become a big problem.
    >
    > Obviously user training can only go so far and our clients are not
    going to think twice if they recieve an email that appears to be from a
    company exec...
    >
    > Thanks!
    > 

    --
http://www.FocusHacks.com - The Ford Focus Modification Site!
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.  
Charleston Forge, 251 Industrial Park Drive, Boone, NC 28607 http://www.charlestonforge.com
  • Next message: Kelly Martin: "Re: sites for publishing sec related whitepapers?"

    Relevant Pages

    • RE: Sender Spoofing via SMTP
      ... Try adding a spf (sender privacy framework) entry in your DNS servers. ... definitely lock down the ability to be used as a relay. ... day to clear up the issue with all the blackhole lists. ...
      (Security-Basics)
    • Re: Relay addresses, storage and export
      ... MVP - Exchange ... any performance issue with a lot of listed relay IP's? ... to 2 exchange 2003 servers, so I am in the process of cleaning up junk ... there a way to export these lists into a csv or excel file, ...
      (microsoft.public.exchange.admin)
    • Re: IS MY SERVER A RELAY?
      ... The IP addresses listed in your list are authorized to relay. ... Our users are using authentication to send messages. ... that send e-mail alerts from other servers. ... this lists the same two accounts described above. ...
      (microsoft.public.exchange.admin)
    • Re: Sender Spoofing via SMTP
      ... is to use one of the mail relay blackhole lists. ... A list of known IP Addresses that allow open relay (and ... day to clear up the issue with all the blackhole lists. ...
      (Security-Basics)
    • Re: IS MY SERVER A RELAY?
      ... Most Exchange users mostly MAPI clients so the need to relay is generally ... into programs for the smtp server. ... this lists the same two accounts described above. ...
      (microsoft.public.exchange.admin)