email spoofing
Alex Neuman
alex at nkpanama.com
Thu Jun 14 01:51:28 IST 2007
Res wrote:
>
> Lazy? WTF is the point of smtp auth for your own lan...
> I abandoned smtp-auth years ago because too many customers can use it
> to get you blacklisted (deliberate spam). It was more of a hassle than
> it's worth; if they are not on our network they can use their own
> ISP's smtp and not ours.
>
> I will always allow all of our IP ranges for relay on the
> cust-out-smtp's as there is nothing at all wrong with doing so, so
> long as you don't add in IP ranges that aren't your own, and since no
> competently set up network routes RFC1918 addresses, it's a moot point.
>
>
The F point, to use your own terms, is to avoid (read: make it more
difficult to happen) spam zombies spewing stuff out of your network and
getting you blacklisted. Most spam zombies will not authenticate -
therefore, the e-mail won't leave your network. This, combined with a
firewall policy that only allows port 25 traffic from your own servers,
can mitigate a spam zombie problem before it begins.
That and using other ports like 587 (for SMTP+AUTH with optional TLS) or
465 (SMTPS) will also allow your users to bypass such filtering at other
locations.
You can also tell sendmail (and probably postfix and other MTAs) to
include the *who authenticated* information (look for REC_FULL_AUTH
instead of REC_AUTH in the cf files) so you can tell who sent the e-mail
more surely. For example, in your setup nothing prevents a person from
spoofing another user's known (or guessed at) IP address and sending an
e-mail purporting to be someone else. If you force people to
authenticate, you get a header like:
Received: from mini.local (nkcenter [201.226.170.130])
        (user=alex mech=PLAIN bits=0)
        by nkpanama.com (8.14.0/8.14.0) with ESMTP id l5DNf4nd026079
        for <mailscanner at lists.mailscanner.info>;
        Wed, 13 Jun 2007 18:41:33 -0500
... which at least tells you the user who sent the e-mail did so using
the "alex" account and knows the password for it.
I know that *anything* is circumventable in one way or another - and
that's what I meant by *lazy*. I believe the UK expression is "I can't
be bothered to...", in this case, set up SMTP AUTH so that spoofing
becomes just a bit more difficult.
That, along with checking for valid recipients using milter-ahead or an
LDAP lookup, and proper SPF records, for example, makes it even more
difficult for spoofing and backscatter to occur.