thks for the mailscanner tool
Alex Neuman van der Hans
alex at nkpanama.com
Fri Dec 1 14:26:29 GMT 2006
Sender spoofing within the message is something very difficult to stop
because proper authentication wasn't part of the original e-mail
specification everybody uses. You can always make it easier to spot by
adding information to the header.
If you're using sendmail, you can always turn on REC_FULL_AUTH so you
can see WHO authenticated and sent the e-mail.
I usually find the file at /usr/share/sendmail-cf/m4 called cfhead.m4,
where there's a line that says:
define(`confRECEIVED_HEADER', `_REC_HDR_
	_REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
	_REC_BY_
	_REC_TLS_
	_REC_END_')
and change it so it says:
define(`confRECEIVED_HEADER', `_REC_HDR_
	_REC_FULL_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
	_REC_BY_
	_REC_TLS_
	_REC_END_')
The difference is "REC_AUTH" inserts "authenticated user" on the
message's headers, but REC_FULL_AUTH inserts "authenticated user XXXX".
You can check my own headers to see the difference.
You can always add
"Envelope From Header = X-%org-name%-MailScanner-From:"
...but I suspect that would also be vulnerable to spoofing.
Other methods could include using MCP with rulesets so that:
Is Definitely MCP = %mcp-dir%/mcp.rules
From: alice at mydomain and From:192.168.1.3 no
From: bob at mydomain and From:192.168.1.4 no
FromOrTo: default yes
This way (I suspect, I don't use MCP *that* much, so check first)
"spoofed" e-mail will be dealt with using MCP.
This wouldn't be invulnerable, however, to IP address hijacking. *That*
could be issued using a switch smart enough to care about IPs-to-MAC
addresses, or by using ARP tricks at your sendmail box so that IP-to-MAC
is enforced.
However, some NIC drivers allow you to spoof the MAC (and you can
trivially do it in operating systems other than Windows).
vinay poojary wrote:
> Dear Sir,
>
> It does not require any username / password for the auth. The user can
> use his own username / password and only change the email address in the
> email client. So to stop email spoofing in your own organisation is
> difficult.
>
> Can we have any option for email spoofing in MailScanner?
>
> Regards,
> vinay poojary
>
> */Dhawal Doshy <dhawal at netmagicsolutions.com>/* wrote:
>
> Martin Hepworth wrote:
> > vinay poojary wrote:
> >> Dear Sir,
> >>
> >> I am using MailScanner with sendmail. The sendmail is installed with
> >> smtp-auth. I have no such problems with MailScanner. I am just
> >> enjoying the MailScanner configuration.
> >>
> >> But presently I am facing the problem of address spoofing. The people
> >> in my own company can change the from address and send mail to anyone
> >> via smtp auth. Is there any way I could stop this address spoofing?
> >>
> >> Thanks in advance.
> >>
> >> Regards,
> >> vinay poojary
> >
> > Vinay
> >
> > 1st point of call on this is a proper Acceptable Use Policy. If they use
> > business computers for non-work things, they go the normal disciplinary
> > procedures, or even straight to dismissal under gross misconduct. (never
> > underestimate the power of HR policy!).
>
> I agree that this can be taken up at a different level (read as catbert), I
> also think that poor passwords are also responsible for sender spoofing.
> We had a case a year back, where a "secure" SMTP server was used for UBE
> (via a Korean IP), using authentication that was quite easy to guess
> (password = username). Now we enforce stricter passwords ;-)
>
> - dhawal
>
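Once the authenticated login is recorded in the Received header as described in the message above, a mismatch with the From: address can be flagged mechanically. This is an added example, not code from the thread or from MailScanner: the function names, the `example.test` domain and the sample messages are constructed, and it assumes the header carries the login as `user=<login>` and that logins equal the mailbox local part.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: REC_FULL_AUTH writes the login as "(user=<login> ... mech=...".
# Check a real header from your own server and adjust this pattern if it differs.
AUTH_RE = re.compile(r"\(user=(?P<login>[^\s)]+)")

def authenticated_login(msg):
    """Return the login from the topmost Received header, or None."""
    # Only the first Received header was added by our own server; any
    # below it arrived with the message and can be forged by the sender.
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = AUTH_RE.search(received[0])
    return m.group("login").lower() if m else None

def check_sender(raw, local_domain):
    """Classify a message as 'ok', 'spoofed' or 'unauthenticated'."""
    msg = message_from_string(raw)
    login = authenticated_login(msg)
    if login is None:
        return "unauthenticated"
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Assumption: the SMTP AUTH login equals the mailbox local part.
    if domain == local_domain and local == login:
        return "ok"
    return "spoofed"

# Constructed sample messages (not real traffic).
HONEST = (
    "Received: from pc3 (pc3.example.test [192.168.1.3])\n"
    "\t(user=alice mech=LOGIN bits=0)\n"
    "\tby mail.example.test (8.13.8/8.13.8) with ESMTP id kB1EQT01;\n"
    "\tFri, 1 Dec 2006 14:26:29 GMT\n"
    "From: Alice <alice@example.test>\n"
    "Subject: report\n\nbody\n"
)
FORGED = HONEST.replace("From: Alice <alice@example.test>",
                        "From: Bob <bob@example.test>")
NO_AUTH = HONEST.replace("\t(user=alice mech=LOGIN bits=0)\n", "")

if __name__ == "__main__":
    for name, raw in (("honest", HONEST), ("forged", FORGED), ("no-auth", NO_AUTH)):
        print(name, check_sender(raw, "example.test"))
```

Messages classified as unauthenticated were relayed without SMTP AUTH and need a separate rule, such as the IP-based ruleset sketched in the message.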