lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: John.Airey at (
Subject: E-mail spoofing countermeasures (Was: Backd
	oor not recognized by Kaspersky)

> -----Original Message-----
> From: Bill Royds []
> Sent: 04 March 2004 03:08
> To: 'Dave Sherohman'
> Cc:
> Subject: RE: [Full-Disclosure] E-mail spoofing countermeasures (Was:
> Backdoor not recognized by Kaspersky)
> Outlook 2003, Outlook Express 6. Mozilla mail etc. do 
> recognize what host to
> use for sending depending on what PoP server was used to read 
> the mail. They
> maintain accounts and any mail that comes in one account (its 
> PoP3 server)
> goes out that accounts corresponding SMP server. For example, 
> this is going
> out on my Full Disclosure account, not my Yahoo or Hotmail.
> The problem is that there MX entries have nothing logical to 
> do with where
> an email comes from. MX is mail destination addresses. 
> What is needed is a mail source record in DNS (MS record ?) 
> that gives the
> legitimate  sending hosts for that domain. If the envelope 
> from address uses
> a certain domain, looking up the MS record for that domain 
> should produce an
> IP  list that includes the sending host. 
>   Using authenticated SMTP, this would still allow a different return
> address in headers since envelope from would be user who 
> authenticated to
> SMTP server. But it  would prevent spoofed email (although 
> spam would still
> arrive, it could be tied to actual sender, allowing things 
> like CAN-SPAM to
> work).

I can see at least two problems with this "solution". 
First, errors with DNS configurations are common. I see "lame server" errors
regularly, and at the moment even our own ISP doesn't have reverse DNS
records for our IP addresses on its name servers (and I am hassling them
constantly to fix it).

Second, this "trusted" server will undoubtedly accept email from any
internal host so it won't take long for a virus to find it (they are usually
mail.domain-name or smtp.domain-name). 

A better solution would be to only allow one (or two) mail servers from your
organisation to be able to talk to port 25 on another server (egress
filtering), without another change to the DNS standard. This still has the
same drawback as the second one mentioned above.

John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 

Why do so many people who call themselves christians use the name of Jesus
Christ as a swear word?


NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 


Powered by blists - more mailing lists