| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk) Subject: E-mail spoofing countermeasures (Was: Backd oor not recognized by Kaspersky) > -----Original Message----- > From: Bill Royds [mailto:broyds@...ers.com] > Sent: 04 March 2004 03:08 > To: 'Dave Sherohman' > Cc: full-disclosure@...ts.netsys.com > Subject: RE: [Full-Disclosure] E-mail spoofing countermeasures (Was: > Backdoor not recognized by Kaspersky) > > > Outlook 2003, Outlook Express 6. Mozilla mail etc. do > recognize what host to > use for sending depending on what PoP server was used to read > the mail. They > maintain accounts and any mail that comes in one account (its > PoP3 server) > goes out that accounts corresponding SMP server. For example, > this is going > out on my Full Disclosure account, not my Yahoo or Hotmail. > The problem is that there MX entries have nothing logical to > do with where > an email comes from. MX is mail destination addresses. > What is needed is a mail source record in DNS (MS record ?) > that gives the > legitimate sending hosts for that domain. If the envelope > from address uses > a certain domain, looking up the MS record for that domain > should produce an > IP list that includes the sending host. > Using authenticated SMTP, this would still allow a different return > address in headers since envelope from would be user who > authenticated to > SMTP server. But it would prevent spoofed email (although > spam would still > arrive, it could be tied to actual sender, allowing things > like CAN-SPAM to > work). > I can see at least two problems with this "solution". First, errors with DNS configurations are common. I see "lame server" errors regularly, and at the moment even our own ISP doesn't have reverse DNS records for our IP addresses on its name servers (and I am hassling them constantly to fix it). Second, this "trusted" server will undoubtedly accept email from any internal host so it won't take long for a virus to find it (they are usually mail.domain-name or smtp.domain-name). A better solution would be to only allow one (or two) mail servers from your organisation to be able to talk to port 25 on another server (egress filtering), without another change to the DNS standard. This still has the same drawback as the second one mentioned above. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk Why do so many people who call themselves christians use the name of Jesus Christ as a swear word? - DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk
Powered by blists - more mailing lists