Network Security Security-Basics

Re: FW: Mail relay question

Subject: Re: FW: Mail relay question
Date: Fri, 22 Feb 2008 11:50:47 -0800
Nick Vaernhoej wrote:
> Good day,

Hello!

> So, I am a little fuzzy on what it is I am trying to learn here, but:
> 1. Would you think 5000 emails a month with maybe 200 valid emails is normal
> in a home/family type setup?

I don't keep a close eye on my spam statistics anymore, but a quick,
off-the-cuff assessment shows:

From January 16th to January 31st, 2008 a single account on my personal
mail server received 611 messages tagged by spamassassin, and another 50
or so that got through my filters. If we extrapolate that for the month,
we get about 1300 messages for that account. This domain has been
registered for about 7 years, but has never had more than a handful of
accounts on it (same situation as you describe, myself, my family, and a
few friends have used it over the years).

It also really depends on how you use the email addresses associated
with the domain. If you go out and sign up for lots of forum accounts
and miscellaneous garbage with addresses from that domain, it's much
more likely to get targeted.

> 2. Is mail always accepted and relayed when the sender and recipient domain
> is the same? (This is without sender authentication configured or capability).

That depends.(TM)

Most (more likely all?) modern MTAs (and clients) support SMTP
authentication, and there is no good reason at this point not to be
using it. This would end the conversation right here, actually...

That being said, mail is generally accepted by a mail server if the
recipient is one of its users. That is, after all, the purpose of a
mail server. A better test than connecting and sending yourself an
email, would be to connect from somewhere outside your network and try
sending some third party an email from a non-local account. Example:

user@host:/var/log# telnet mail.example.com 25
Trying 127.0.0.1...
Connected to mail.example.com.
Escape character is '^]'.
220 saturn.example.com ESMTP
ehlo otherexample.org
250-saturn.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
mail from: example@somewhere.com
250 Ok
rcpt to: nobodyhome@otherexample.org
554 <nobodyhome@otherexample.org>: Relay access denied
quit

If that address had been accepted, then that would be an open relay.
Usually, the mail server doesn't care what the sender's domain is, it
only cares about the recipient. If the recipient isn't local, it should
check to see if it's allowed to relay mail for that domain, and if not,
reject it.
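The same relay check as the telnet session above, scripted so an administrator can run it against a server they operate. This is an added example, not code from the original post: the checker stops at RCPT TO and never issues DATA, so no message is delivered even if the server does relay, and the bundled fake SMTP server (a constructed stand-in that answers like the transcript) exists only so the script runs offline. Host names, addresses and the local domain `example.com` are assumptions.

```python
"""Relay check modelled on the EHLO / MAIL FROM / RCPT TO exchange above.

Added example (not from the original post). Assumptions: the server under
test treats example.com as its only local domain; the fake server below is
a constructed stand-in used purely so the check can run without a network.
"""
import re
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "example.com"  # assumed local domain of the server under test


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the server in the transcript: accepts local
    recipients, answers 554 to relay attempts, never looks at the sender."""

    def handle(self):
        self.wfile.write(b"220 saturn.example.com ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:  # client went away
                break
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-saturn.example.com\r\n250 8BITMIME\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 Ok\r\n")  # sender domain is irrelevant
            elif verb == "RCPT":
                m = re.search(r"<([^>]*)>", cmd)
                rcpt = m.group(1) if m else ""
                if rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                    self.wfile.write(b"250 Ok\r\n")
                else:
                    reply = "554 <{}>: Relay access denied\r\n".format(rcpt)
                    self.wfile.write(reply.encode("ascii", "replace"))
            elif verb in ("RSET", "NOOP"):
                self.wfile.write(b"250 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class FakeSmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def check_relay(host, port, recipient, helo_name="otherexample.org",
                sender="example@somewhere.com", timeout=5):
    """Open an SMTP session, announce a non-local sender, and ask whether the
    server would accept `recipient`. The transaction is reset before QUIT, so
    nothing is ever delivered. Returns the decision and the server's reply."""
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return {"accepted": False, "code": code, "reply": msg.decode("ascii", "replace")}
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction; the context manager sends QUIT
        return {"accepted": code in (250, 251), "code": code,
                "reply": msg.decode("ascii", "replace")}


def run_demo():
    """Start the fake server, probe it with an outside recipient (the relay
    test) and a local one (proof the server still accepts its own mail)."""
    server = FakeSmtpServer(("127.0.0.1", 0), FakeSmtpHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        outside = check_relay("127.0.0.1", port, "nobodyhome@otherexample.org")
        local = check_relay("127.0.0.1", port, "postmaster@" + LOCAL_DOMAIN)
    finally:
        server.shutdown()
        server.server_close()
    return {"outside": outside, "local": local, "open_relay": outside["accepted"]}


if __name__ == "__main__":
    result = run_demo()
    print("open relay:", result["open_relay"])
    print("outside recipient ->", result["outside"]["code"], result["outside"]["reply"])
    print("local recipient   ->", result["local"]["code"], result["local"]["reply"])
```

Against a real server, replace the fake with the host and port of the machine you administer and run the check from outside your own network, as the reply suggests; a 250 to the outside recipient is the open-relay signal, a 554 (or other 5xx) is the expected result.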

>       a. If yes, what is to stop an angry neighbor on his vacation to China
> from sending a nasty email from me to my wife? (In this insecure setup).

Spoofing email headers is trivial. Email headers should not be trusted.
Email should not be trusted, unless it's signed in some verifiable way.
If I know (or can guess) a valid address on your domain, I can send
email that appears to be from just about anywhere to that address. Don't
trust email.

>       b. My gateway at home (Smoothwall using DSPAM/SEMF? mod) only accepts
> the initial HELO if followed by connecting domain name (HELO domain.com) So
> how come I can connect from domainx.com and send email from domainy.com to
> domainy.com?

If what you describe here is accurate, you are an open relay, and should
immediately take steps to rectify the problem.

To answer this question, you need a better understanding of what
HELO/EHLO are intended to do, because they don't do what you think they
do. Go here:

http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-avoid-helo.html

>       c. What can I do to remove this risk?

See answer to question 2(a)...

> 3. Any recommendations on a free mail gateway solution?  SpamAssassin?
> ClamAV? My goal is to migrate away from Exchange 2003. I have been wanting to
> try Zimbra for mail server but would like a good mail gateway in the DMZ
> instead of hosted by the firewall.

I use postfix with spamassassin in my environment, and think it works
quite well. I also use it for clients. If you're not a *nix guy, you may
not like it as much. YMMV

> Thank you and I will follow up with answers to questions for clarification.

I hope my answers were useful


-- 
Aaron Howell
nGenuity Information Services
509-396-2075 x6000

http://www.ngenuity-is.com
