  • spoofing internal senders exploit?

    I found this issue a while back in 2003, and never really followed up on it, but it does at least appear to be there in 2010. While anonymous relay is turned off, and I have verified the server is not an open relay, I can, apparently, relay for an internal user w/o authenticating. Here is an example.

    My domain is xyz.com, and internally I am xyz.local.

    If I attempt to send to another domain, from another domain, it is blocked.
    If I attempt to send to someone at xyz.com with a "from" address also at xyz.com (on the internet-facing SMTP connector), it works, and the recipient receives a message that appears to be from someone else inside the organization, but is in reality someone on the outside spoofing. A coworker of mine years ago demonstrated this the following way. Again, this is the internet-facing SMTP virtual server (was Exchange 2003 at the time), so no authentication, and no anonymous relay.

    He sent a message that appeared to be from my boss, saying "you are fired".

    Now, he told me he was doing this, but the point is that I received a message that appeared to be from my boss, when in fact an anonymous sender sent the message. Is this due to a misconfiguration, or a "known issue"? My guess would be some sort of sender filtering on the receive connector, blocking anyone that claims to be from your domain. Any input would be welcomed.

    Also, is it a good idea to turn off smtp tarpitting?

  • #2
    Re: spoofing internal senders exploit?

    That's not relaying, that's how SMTP works. You're sending email to a user whose domain the SMTP server is authoritative for; it doesn't matter who the sender is. The SMTP server needs to accept email for the domain it's authoritative for regardless of who the sender is, even if the sender address is from the authoritative domain.

    Relaying is sending an email to a domain that the SMTP server is not authoritative for, which is not what your test is doing.
    Last edited by joeqwerty; 4th February 2011, 14:43.

  • #3
    Re: spoofing internal senders exploit?

    Just seems like a weakness, if you will, if it is that easy to forge a message from one internal user to another using your internet-facing connector. Is there a way to put a filter on it, since, at least the way I am looking at it, internal users should not be sending mail to the same receive connector you use for receiving internet email? Generally they would be using a MAPI client, ActiveSync, OWA, or an authenticated receive connector.

  • #4
    Re: spoofing internal senders exploit?

    Hi!

    In the SMTP connector you can allow the IPs that can send mail.
    Configure the rest of the clients to use MAPI only.
    Problem solved.
    If you have a network in which anyone can send mail via port 25 (and not with MAPI only), this is a great security risk...

  • #5
    Re: spoofing internal senders exploit?

    Most spam is spoofed. This is no different.
    SMTP email is plain text, which simply displays the sender address. There is no authentication that the sender is genuine. That is why email cannot be trusted on its own.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

  • #6
    Re: spoofing internal senders exploit?

    First of all, thanks for all your replies.

    With regards to IP filtering, that will only prevent internal users from connecting. Port 25 has to be open to the internet or else I cannot receive internet email, period.

    I know that it's easy to spoof email. I was just curious if there is some way to at least block inbound mail on a per-connector basis if the sender is claiming to be from your domain. So, for example, if your domain is xyz.com, anyone attempting to send you a message using your internet-facing connector claiming to be from xyz.com would be blocked, since the only people who should have a sender domain of xyz.com are connecting via MAPI, or an authenticated SMTP connector.

  • #7
    Re: spoofing internal senders exploit?

    There is nothing you can do to stop spoofing. If there was, then spam wouldn't be the problem it is. End of story.

    Antispam software could deal with some of it, but that isn't something that should be depended on.

    Simon.

  • #8
    Re: spoofing internal senders exploit?

    After I did some digging, I think I found an answer: sender filtering. I am somewhat surprised it hasn't been mentioned.

    What I will attempt to do is block any sender that matches my domain (both internal and external) on the internet-facing receive connector. So, if my domain is xyz.com, and xyz.local, and I use sender filtering to set those both as blocked senders, then anyone attempting to send an unauthenticated email message claiming to be from either of those two domains should get blocked, correct? Also, am I correct in assuming this will not stop users from being able to send from inside my organization to users outside?

    Again, just to clarify, I am not looking for a solution to stop ALL spoofed email, just to prevent someone on the outside from forging a message claiming to be from an internal user going to an internal user.

  • #9
    Re: spoofing internal senders exploit?

    Sender filtering isn't often recommended because it can cause problems.
    Some "send this page to a friend" features will put the from field as the sender; if you have third-party applications, devices etc., those can be using an internal domain as the sender as well. If you do deploy it, it has to be done with some care.

    Simon.

  • #10
    Re: spoofing internal senders exploit?

    I do understand that part. I haven't been able to find if there is a way to apply it to only a specific receive connector. The reading I've done implies it's an all-or-nothing thing. Any info on if it can be done per connector?

    Also, do you think internal signing using an internal CA would be a decent way to go for authenticating internal email, so at least when you receive an email from a coworker, you know it really was from them?

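As an added example (not code from the thread, and not Exchange's own logic), the following Python model shows the receive-connector decisions the posts argue about: the server must accept mail for its authoritative domains whatever MAIL FROM says (post #2), so on the unauthenticated internet-facing connector the only lever is the per-connector sender filtering proposed in post #8, which needs the exemptions post #9 warns about. Connector names, domains and addresses are made up.

```python
# Added example: a toy per-connector accept/reject policy, not Exchange code.
# Domains (xyz.com, xyz.local), IPs and connector names are made-up values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connector:
    name: str
    authoritative: frozenset            # domains this server accepts mail for
    requires_auth: bool                 # True for an authenticated client connector
    blocked_sender_domains: frozenset = frozenset()  # sender filtering (post #8)
    exempt_sources: tuple = ()          # CIDRs of trusted apps/devices (post #9 caveat)


def domain_of(addr: str) -> str:
    """Domain part of an SMTP address; '<>' (a bounce) yields ''."""
    addr = addr.strip("<>").strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def decide(conn: Connector, mail_from: str, rcpt_to: str,
           client_ip: str, authenticated: bool = False) -> tuple:
    """Return (verdict, reason) for one MAIL FROM / RCPT TO pair."""
    if conn.requires_auth and not authenticated:
        return ("reject", "authentication required")
    # Relay check: unauthenticated clients may only send to our own domains (post #2).
    if domain_of(rcpt_to) not in conn.authoritative and not authenticated:
        return ("reject", "relay denied")
    # Sender filtering: an unauthenticated client from an untrusted source that
    # claims an internal sender domain is refused; everything else is accepted.
    sender_domain = domain_of(mail_from)
    trusted = any(ip_address(client_ip) in ip_network(n) for n in conn.exempt_sources)
    if sender_domain in conn.blocked_sender_domains and not (authenticated or trusted):
        return ("reject", "sender filtering: internal domain from external source")
    return ("accept", "queued for delivery")


INTERNAL = frozenset({"xyz.com", "xyz.local"})
# Internet-facing connector as the original poster found it: no sender filtering.
INTERNET_OPEN = Connector("Internet", INTERNAL, requires_auth=False)
# Same connector with post #8's filtering plus an exempt network for a device
# (e.g. a scanner) that legitimately sends as the internal domain (post #9).
INTERNET_FILTERED = Connector("Internet", INTERNAL, requires_auth=False,
                              blocked_sender_domains=INTERNAL,
                              exempt_sources=("192.0.2.0/24",))
# Separate connector for authenticated users; filtering is not applied here,
# so internal users can still send outbound (post #8's second question).
CLIENT_AUTH = Connector("Client", INTERNAL, requires_auth=True)
```

Running the "you are fired" case from the thread through INTERNET_OPEN returns accept, through INTERNET_FILTERED reject, while the same external client is still rejected as a relay when it addresses a foreign domain.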