Message-ID: <20040304030942.KJHS434741.fep02-mail.bloor.is.net.cable.rogers.com@BillDell>
From: broyds at rogers.com (Bill Royds)
Subject: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)

Outlook 2003, Outlook Express 6, Mozilla mail etc. do recognize what host to use for sending depending on what POP server was used to read the mail. They maintain accounts, and any mail that comes in on one account (its POP3 server) goes out that account's corresponding SMTP server. For example, this is going out on my Full Disclosure account, not my Yahoo or Hotmail.

The problem is that their MX entries have nothing logical to do with where an email comes from. MX entries are mail destination addresses. What is needed is a mail source record in DNS (MS record?) that gives the legitimate sending hosts for that domain. If the envelope from address uses a certain domain, looking up the MS record for that domain should produce an IP list that includes the sending host.

Using authenticated SMTP, this would still allow a different return address in headers, since the envelope from would be the user who authenticated to the SMTP server. But it would prevent spoofed email (although spam would still arrive, it could be tied to the actual sender, allowing things like CAN-SPAM to work).

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Dave Sherohman
Sent: March 3, 2004 8:29 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)

On Wed, Mar 03, 2004 at 04:45:57PM -0500, Lachniet, Mark wrote:
> Of course on the down side, you'd have to use your email server, with
> legit MX record as your smart host for all users (may be a hassle for
> home offices and POP clients, maybe requiring outgoing SMTP auth, but
> that's easy right?)

Let us say that I have two email accounts with two different service providers who use two different mail servers. (Home/work, IM/webboards, whatever.) Let us also say that I read mail from both accounts using a single MUA in a single session, possibly providing me with a unified 'virtual inbox', possibly not. Finally, let us say that responses to messages addressed to Address_A should appear to come from Address_A and responses to messages addressed to Address_B should appear to come from Address_B. (Similar to the 'alternates' feature of mutt, if you're familiar with that.)

All in all, I would say this seems like a very reasonable situation. Considering that Yahoo!'s web mail interface includes the ability to check mail on other services via POP3, I suspect that it may even be rather common. It is also utterly incompatible with your 'SMTP ident' suggestion unless MUAs (and probably MTAs as well) are modified to select from among multiple smarthosts and/or command-line sendmail based on what address the message being sent claims to come from.

Your suggestion could also be easily defeated by the mega-spammers (you know - the ones with enough money to con an ISP into letting them spam without cutting them off) setting up servers with MTAs which have been modified to claim that they recognize any message-id from any domain. Just set up bogus MX records pointing at such a server, and spam (or propagate Outlook worms) to your heart's content from anywhere you want!

--
The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened.
- Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
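The DNS "mail source" record Bill proposes, a per-domain list of hosts allowed to send mail with that envelope-from domain which the receiving MTA compares against the connecting host's IP, is essentially the check that SPF (RFC 7208) later standardised in TXT records. The following Python is an added example written for this archive page; it is not code from anyone in the thread. The MS_RECORDS table is a constructed stand-in for the DNS lookup, and the domains, addresses and the result labels "pass", "fail" and "none" are assumptions of the example. Only the envelope sender is examined, so a different header From: remains possible, exactly as the post describes.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the proposed DNS "mail source" (MS) record:
# envelope-from domain -> networks permitted to send mail for that domain.
# A real implementation would query DNS here (SPF publishes this in TXT records).
MS_RECORDS = {
    "example.com": ["192.0.2.0/24", "198.51.100.10/32"],   # constructed
    "example.net": ["203.0.113.0/28"],                     # constructed
}


def envelope_from_domain(mail_from):
    """Domain part of the SMTP MAIL FROM address, lower-cased, or None for the
    null sender / malformed input."""
    _, addr = parseaddr(mail_from)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookup_ms_record(domain, records=MS_RECORDS):
    """Permitted sender networks for a domain, or None if it publishes no record."""
    entries = records.get(domain)
    if entries is None:
        return None
    return [ipaddress.ip_network(entry) for entry in entries]


def check_sender(mail_from, peer_ip, records=MS_RECORDS):
    """Evaluate the connecting host against the envelope-from domain's record.

    Returns 'pass' (peer is listed), 'fail' (the domain publishes a record and
    the peer is not in it), or 'none' (no domain to check, or no record
    published). The header From: is deliberately not consulted.
    """
    domain = envelope_from_domain(mail_from)
    if domain is None:
        return "none"
    nets = lookup_ms_record(domain, records)
    if nets is None:
        return "none"
    peer = ipaddress.ip_address(peer_ip)
    return "pass" if any(peer in net for net in nets) else "fail"


def smtp_decision(mail_from, peer_ip, records=MS_RECORDS):
    """Map the check result to the reply an MTA would give at MAIL FROM time."""
    result = check_sender(mail_from, peer_ip, records)
    if result == "fail":
        return "550 sender host not authorised for domain"
    return "250 OK"  # 'pass' and 'none' both proceed; 'none' can still be scored later


if __name__ == "__main__":
    # Constructed sessions: a legitimate relay, a spoofed domain, a domain with no record.
    for mail_from, peer in [("<bill@example.com>", "192.0.2.25"),
                            ("<bill@example.com>", "203.0.113.77"),
                            ("<someone@example.org>", "203.0.113.77")]:
        print(mail_from, peer, check_sender(mail_from, peer), smtp_decision(mail_from, peer))
```

A domain that publishes no record yields "none" rather than a rejection, so the scheme only bites for domains that opt in. The check also verifies the sending host, not the user, which is why it answers the envelope-spoofing problem and not the header-From problem, and why a message legitimately forwarded by a third-party host will fail unless that host rewrites the envelope sender.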