Re: Mail Server problem / query

From: Prashant Gawade (prashant.gawade@paladion.net)
Date: Thu Apr 14 2005 - 05:11:10 EDT


('binary' encoding is not supported, stored as-is) In-Reply-To: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>

hi all

I had same problem few months back. This is what I got that time.
Anyone can setup an exchange server and send spoofed mail to your organization but in this case we can always trace back using source IP.
But by default relay agent allowed relaying within same domain. There are few solutions available for this but implementation will depends upon email architecture.

1.Using Microsoft Exchange Intelligent Message Filter

This feature is only available in exchange 2003 SP1.
Many options like sender ID, Receiver ID filtering etc.
http://www.microsoft.com/exchange/downloads/2003/imf/default.mspx

2.Using Anti-spam software
Many commercial anti-spam applications available, which will drop such spoofed mail .While sending mail it will show as “queued for delivery” but actually it will not get delivered

3.Using separate SMTP gateway with authentication enabled
In IIS SMTP virtual server gateway we can apply restriction based on
        Authentication
        IP based Filtering
http://support.microsoft.com/default.aspx?scid=kb;en-us;324281

4.Sender Policy Framework (SPF) or Sender ID Framework(SIDF)
The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

Prashant Vijayanand Gawade
Security Engineer
Paladion Networks
Navi Mumbai
http://www.paladion.net

>Received: (qmail 3483 invoked from network); 14 Apr 2005 01:31:09 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
> by mail.securityfocus.com with SMTP; 14 Apr 2005 01:31:09 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 90569237008; Wed, 13 Apr 2005 19:30:27 -0600 (MDT)
>Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <pen-test.list-id.securityfocus.com>
>List-Post: <mailto:pen-test@securityfocus.com>
>List-Help: <mailto:pen-test-help@securityfocus.com>
>List-Unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:pen-test-subscribe@securityfocus.com>
>Delivered-To: mailing list pen-test@securityfocus.com
>Delivered-To: moderator for pen-test@securityfocus.com
>Received: (qmail 26340 invoked from network); 13 Apr 2005 22:08:49 -0000
>Message-ID: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>
>Date: Wed, 13 Apr 2005 22:44:55 +0100 (BST)
>From: Marc Davison <m_davison@talk21.com>
>Subject: Mail Server problem / query
>To: pen-test@securityfocus.com
>MIME-Version: 1.0
>Content-Type: text/plain; charset=iso-8859-1
>Content-Transfer-Encoding: 8bit
>
>Hi all, I hope you can help with this. I have been
>testing a server for open-relay and found that I could
>connect from an external machine and send mails using
>a MAIL FROM (the local domain) and a RCPT TO (the
>local domain) - now this may seem fine as internal
>users will need to send mail to other internal users
>but my query is whether there are mail servers which
>can be configured to recognise that the connection was
>an external address and therefore that the MAIL FROM
>address was invalid. eg I can send a mail from the CEO
>of the company to his own secretary asking her to copy
>his hotmail address on all future mails and to the
>secretary, this mail seems perfectly valid yet me
>(prospective attacker) outside the comapany may now
>receive loads of sensitive mails (assuming the
>secretary is the type who doesn't like to query things
>and ask questions) - thanks in advance.
>
>Send instant messages to your online friends http://uk.messenger.yahoo.com
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT