In-Reply-To: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>
hi all
I had same problem few months back. This is what I got that time.
Anyone can setup an exchange server and send spoofed mail to your organization
but in this case we can always trace back using source IP.
But by default relay agent allowed relaying within same domain. There are few
solutions available for this but implementation will depends upon email
architecture.
1.Using Microsoft Exchange Intelligent Message Filter
This feature is only available in exchange 2003 SP1.
Many options like sender ID, Receiver ID filtering etc.
http://www.microsoft.com/exchange/downloads/2003/imf/default.mspx
2.Using Anti-spam software
Many commercial anti-spam applications available, which will drop such spoofed
mail .While sending mail it will show as ?queued for delivery? but actually it
will not get delivered
3.Using separate SMTP gateway with authentication enabled
In IIS SMTP virtual server gateway we can apply restriction based on
Authentication
IP based Filtering
http://support.microsoft.com/default.aspx?scid=kb;en-us;324281
4.Sender Policy Framework (SPF) or Sender ID Framework(SIDF)
The Sender ID Framework is an e-mail authentication technology protocol that
helps address the problem of spoofing and phishing by verifying the domain name
from which e-mail is sent
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx
Prashant Vijayanand Gawade
Security Engineer
Paladion Networks
Navi Mumbai
http://www.paladion.net
Received: (qmail 3483 invoked from network); 14 Apr 2005 01:31:09 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com)
(205.206.231.27)
by mail.securityfocus.com with SMTP; 14 Apr 2005 01:31:09 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 90569237008; Wed, 13 Apr 2005 19:30:27 -0600 (MDT)
Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <pen-test.list-id.securityfocus.com>
List-Post: <mailto:pen-test@securityfocus.com>
List-Help: <mailto:pen-test-help@securityfocus.com>
List-Unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:pen-test-subscribe@securityfocus.com>
Delivered-To: mailing list pen-test@securityfocus.com
Delivered-To: moderator for pen-test@securityfocus.com
Received: (qmail 26340 invoked from network); 13 Apr 2005 22:08:49 -0000
Message-ID: <20050413214455.1004.qmail@web86602.mail.ukl.yahoo.com>
Date: Wed, 13 Apr 2005 22:44:55 +0100 (BST)
From: Marc Davison <m_davison@talk21.com>
Subject: Mail Server problem / query
To: pen-test@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Hi all, I hope you can help with this. I have been
testing a server for open-relay and found that I could
connect from an external machine and send mails using
a MAIL FROM (the local domain) and a RCPT TO (the
local domain) - now this may seem fine as internal
users will need to send mail to other internal users
but my query is whether there are mail servers which
can be configured to recognise that the connection was
an external address and therefore that the MAIL FROM
address was invalid. eg I can send a mail from the CEO
of the company to his own secretary asking her to copy
his hotmail address on all future mails and to the
secretary, this mail seems perfectly valid yet me
(prospective attacker) outside the comapany may now
receive loads of sensitive mails (assuming the
secretary is the type who doesn't like to query things
and ask questions) - thanks in advance.
Send instant messages to your online friends http://uk.messenger.yahoo.com
