lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040304030942.KJHS434741.fep02-mail.bloor.is.net.cable.rogers.com@BillDell>
From: broyds at rogers.com (Bill Royds)
Subject: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)

Outlook 2003, Outlook Express 6. Mozilla mail etc. do recognize what host to
use for sending depending on what PoP server was used to read the mail. They
maintain accounts and any mail that comes in one account (its PoP3 server)
goes out that accounts corresponding SMP server. For example, this is going
out on my Full Disclosure account, not my Yahoo or Hotmail.
The problem is that there MX entries have nothing logical to do with where
an email comes from. MX is mail destination addresses. 
What is needed is a mail source record in DNS (MS record ?) that gives the
legitimate  sending hosts for that domain. If the envelope from address uses
a certain domain, looking up the MS record for that domain should produce an
IP  list that includes the sending host. 
  Using authenticated SMTP, this would still allow a different return
address in headers since envelope from would be user who authenticated to
SMTP server. But it  would prevent spoofed email (although spam would still
arrive, it could be tied to actual sender, allowing things like CAN-SPAM to
work).

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Dave Sherohman
Sent: March 3, 2004 8:29 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] E-mail spoofing countermeasures (Was:
Backdoor not recognized by Kaspersky)

On Wed, Mar 03, 2004 at 04:45:57PM -0500, Lachniet, Mark wrote:
> Of course on the down side, you'd have to use your email server, with
> legit MX record as your smart host for all users (may be a hassle for
> home offices and POP clients, maybe requiring outgoing SMTP auth, but
> that's easy right?)

Let us say that I have two email accounts with two different service
providers who use two different mail servers.  (Home/work,
IM/webboards, whatever.)  Let us also say that I read mail from both
accounts using a single MUA in a single session, possibly providing
me with a unified 'virtual inbox', possibly not.  Finally, let us say
that responses to messages addressed to Address_A should appear to
come from Address_A and responses to messages addressed to Address_B
should appear to come from Address_B.  (Similar to the 'alternates'
feature of mutt, if you're familiar with that.)

All in all, I would say this seems like a very reasonable situation.
Considering that Yahoo!'s web mail interface includes the ability to
check mail on other services via POP3, I suspect that it may even be
rather common.

It is also utterly incompatible with your 'SMTP ident' suggestion
unless MUAs (and probably MTAs as well) are modified to select from
among multiple smarthosts and/or command-line sendmail based on what
address the message being sent claims to come from.

Your suggestion could also be easily defeated by the mega-spammers
(you know - the ones with enough money to con an ISP into letting
them spam without cutting them off) setting up servers with MTAs
which have been modified to claim that they recognize any
message-id from any domain.  Just set up bogus MX records pointing at
such a server, and spam (or propagate Outlook worms) to your heart's
content from anywhere you want!

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists