Jason on Wed, 2 Oct 2002 11:34:12 -0400



Re: [PLUG] spoofing


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 30 September 2002 16H:40, gabriel rosenkoetter wrote:
> On Mon, Sep 30, 2002 at 02:40:37PM -0400, Jason wrote:
> > Forged spam is a definite problem, and sometimes your email address may
> > be used as the forged sender when sent to others. This is a really big
> > problem if your email server is being used as an "open relay".
>
> Um. Those two things are completely unrelated. I can give whatever

Not completely unrelated, plus the problems are compounded when you have both 
going on at the same time, making it really difficult for others to track 
down where the email is really coming from, since they might forge email from 
alexion.com and relay it through an alexion.com email server. IMHO, 
tightening down on relays makes it easier to deal with forged from addresses. 
So, to me these two problems are intimately related.

> address I like as an argument to MAIL FROM: when I'm talking to your
> SMTP (or, really my own) server. If you want me to, I'll prove to
> you by sending email from you to you from my MX (uriel.eclipsed.net,
> go ahead and test it for relaying, it doesn't).

You don't need to prove this. I get this all the time. I'm all too well aware 
of how easy this is. That is part of the problem!

>
> Better yet, test this yourself. Set up a hotmail account, then
> telnet to port 25 of (one of) Hotmail's mail exchanger(s). For extra

Been there, done that. About 10 years ago as a matter of fact. Not with 
hotmail, of course.

> points, telnet for a shell account on a system other than where you
> actually receive mail. Issue these commands:
>
> EHLO <your local host>
> MAIL FROM: Jason <jason@nocks.com>
> RCPT TO: <account>@hotmail.com
> DATA
> Subject: whee, faked source address
>
> blah blah
> .
> QUIT
>
> Note that the mail received on Hotmail appears to be from you, even
> though it wasn't sent in the usual fashion (or from the "right"
> place). Now examine the full headers (if Hotmail even lets you do
> that), and notice that the source IP address that originally made the
> connection to Hotmail's mail exchanger was, in fact, logged and has,
> in fact, nothing to do with nocks.com's mail exchanger. Tracing
> things by email address is silly and useless. Tracing them by
> Received: headers works sometimes, but those are easily spoofed as
> well (they're just text in a message!). You're best off going the
> next hop back and examining log files until you get where you're
> going.
>
> > If you use fetchmail, then if there is a problem, it is most
> > likely your ISP's concern, assuming you have adequate firewall
> > protection around your local email server.
>
> No, it's most likely no one's concern. There is no reason that Art's
> mail server needs to be even remotely involved for email to appear
> to come from him. This is why we use digital encryption algorithms
> for authentication; source addresses are totally meaningless. IP
> addresses still bear a little bit of weight, but email addresses
> bear none at all.

The point was, if he has an email server configured, it's worth tightening 
down on possible use as a "relay". I'm not even getting into the whole 
validity of the actual from address. 

>
> Unless it's digitally signed, there's no way to prove a given person
> sent something that it appears they sent, and it is demonstrably
> simple to prove that faking it was possible. No court would let
> anything fly based on a source email address. (Cf, topical /.
> headline today.)

I don't think anyone was talking about going to court over anything here; I 
simply mentioned that Arthur might want to look into tightening down a server 
if he had configured one, which it doesn't look like he has.

Cheers,
Jason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mxHC3CryLfCgqRkRAvCEAJ42zlgqAAZhD3y3ts29SgXlKbYrQQCffgU2
xgv2cFK2BNJnKTsDdNRA1UU=
=CX6g
-----END PGP SIGNATURE-----
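
The quoted advice above is to ignore the From: address, treat Received: headers as untrusted text, and go one hop back to the last server you actually control to find the IP that handed the message in. The script below is an added example written for this archive page, not code from anyone in the thread: it walks the Received: chain of a constructed sample message (documentation-range addresses, hostnames of a hypothetical example.org site) and stops at the first stamp written by one of "our" servers for a connection from an IP we do not run. Trusted hostnames, trusted IPs and the sample message are all assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample message. It claims to be from jason@nocks.com, but our
# MX (mx.example.org) actually received it from 203.0.113.7. The lowest
# Received: line was typed in by the sender; none of our servers saw it.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org (Postfix) with ESMTP id A1B2C3
\tfor <art@example.org>; Wed, 2 Oct 2002 11:34:12 -0400
Received: from mail.nocks.com (unknown [203.0.113.7])
\tby mx.example.org (Postfix) with ESMTP id D4E5F6
\tfor <art@example.org>; Wed, 2 Oct 2002 11:34:10 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mail.nocks.com (Postfix) with ESMTP id 000000
\tfor <art@example.org>; Wed, 2 Oct 2002 11:30:00 -0400
From: Jason <jason@nocks.com>
To: art@example.org
Subject: whee, faked source address

blah blah
"""

# Assumed: the mail servers we run, by the name they write into "by ..."
# and by the address they connect from when handing mail to each other.
# Match internal hops on IP, because the HELO name and even reverse DNS
# are under the remote side's control; the IP our server logged is not.
TRUSTED_HOSTS = {"inbox.example.org", "mx.example.org"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                    # name given in EHLO/HELO
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # optional "(rdns [ip])"
    r"\s+by\s+(?P<by>\S+)"                                     # server that wrote the stamp
)


def parse_received(value):
    """Extract the from/by parts of one Received: header value.

    Missing fields come back as empty strings: Received: lines are free-form
    text, so a parser that refuses unusual ones is useless on real mail."""
    m = RECEIVED_RE.search(value)
    if not m:
        return {"helo": "", "rdns": "", "ip": "", "by": ""}
    return {k: (v or "") for k, v in m.groupdict().items()}


def trace_hops(raw, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Walk the Received: chain newest-first and find the trust boundary.

    A stamp is believable only if a server we run wrote it. Internal
    handoffs (our server receiving from one of our IPs) are skipped; the
    first stamp our server wrote for a connection from a foreign IP gives
    the "next hop back" address to chase in log files. Every stamp below
    that is untrusted text and may be entirely fabricated."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    boundary_ip = ""
    trusted_count = 0
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break                      # stamp claims a server we do not run
        trusted_count += 1
        if hop["ip"] not in trusted_ips:
            boundary_ip = hop["ip"]    # foreign client talking to our server
            break
    return {
        "hops": hops,
        "boundary_ip": boundary_ip,
        "trusted_hops": hops[:trusted_count],
        "untrusted_hops": hops[trusted_count:],
    }


def report(raw):
    """Human-readable summary of the trace, one line per finding."""
    r = trace_hops(raw)
    lines = []
    if r["boundary_ip"]:
        hop = r["trusted_hops"][-1]
        lines.append("message entered our servers from %s (HELO %r, rDNS %r)"
                     % (r["boundary_ip"], hop["helo"], hop["rdns"]))
        if hop["helo"] != hop["rdns"]:
            lines.append("HELO name does not match reverse DNS; treat it as a claim only")
    else:
        lines.append("no external hop found; message originated inside our servers")
    for hop in r["untrusted_hops"]:
        lines.append("ignoring unverifiable stamp 'by %s'" % hop["by"])
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MESSAGE):
        print(line)
```

The point of matching internal hops on the recorded IP rather than on the HELO or reverse-DNS name is exactly the one made in the thread: everything the remote side supplies, including the Received: lines it writes below yours, is just text. Only the IP your own server logged for the connection is worth carrying to the next administrator's log files.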

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug