[BlueOnyx:21681] mailserver; possible security issue?

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Thu Jan 25 06:58:15 -05 2018


Hello,

We have one customer who was the victim of CEO fraud.
Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account. He did :(

Now we have found out that it is possible, with sendmail on CentOS/BlueOnyx (and on other distributions as well), to send email from an existing email address to an existing email address.

Example:
telnet 208.77.xx.xx 25
Trying 208.77.xx.xx...
Connected to 208.77.xx.xx
Escape character is '^]'.
220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
EHLO blackpoint.de
250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:mstxxx at solxxx.net
250 2.1.0 mstxxx at solxxx.net... Sender ok
RCPT TO: mstxxx at solxxx.net
451 4.7.1 Greylisting in action, please come back later
RCPT TO: mstxxx at solxxx.net
250 2.1.5 mstxxx at solxxx.net... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Some content for example send money to yx
.
250 2.0.0 w0PBbxN1026335 Message accepted for delivery
QUIT
221 2.0.0 sol.xxx closing connection
Connection closed by foreign host.

Unfortunately, it is not only possible from the same user to the same user. It is also possible from one email address that exists on the server to another email address that exists on the server.

Has someone else seen something similar?
In my opinion, in these days of CEO fraud, this is a security issue.
Does someone know how to change the settings in sendmail to prevent this behaviour?

Best regards,
Dirk Estenfeld


---

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
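The telnet session in the post shows an unauthenticated client getting MAIL FROM and RCPT TO for a locally hosted address accepted. The script below is an added example, not code from the original post, from BlueOnyx or from sendmail: the first function is the policy decision an MTA ruleset or milter has to make at MAIL FROM time (a sender in a domain hosted on this server is accepted only from an authenticated session or a trusted relay network), and the second reproduces the post's exchange with smtplib against a server you administer, so you can check whether your own MTA behaves the same way. The domains, addresses and networks used (example.net, 203.0.113.5, 192.0.2.0/24, probe.example) are hypothetical.

```python
"""Added example, not code from the original post or from BlueOnyx/sendmail.

  should_accept_sender()  - policy decision at MAIL FROM time: a sender in a
                            domain hosted here is accepted only from an
                            authenticated session or a trusted relay network.
  probe_sender_spoofing() - replays the post's telnet session with smtplib and
                            reports whether MAIL FROM/RCPT TO a local address
                            is accepted without AUTH.  It sends RSET, never
                            DATA, so no message is queued.

All domains, addresses and networks below are hypothetical.
"""
import ipaddress
import smtplib
from dataclasses import dataclass


@dataclass
class Session:
    """What the MTA knows about the client when MAIL FROM arrives."""
    client_ip: str
    authenticated: bool   # True once SMTP AUTH succeeded on this connection


def sender_domain(mail_from: str) -> str:
    """Domain part of a MAIL FROM argument, lower-cased.

    Accepts the bare form used in the post (MAIL FROM:user@host) as well as
    the RFC 5321 form with angle brackets.  The null sender "<>" and a bare
    local part have no domain and yield "".
    """
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def should_accept_sender(mail_from, session, local_domains, trusted_nets):
    """Return (accept, reason) for a MAIL FROM command.

    Only senders in our own domains are policed here; a foreign sender
    domain is left to SPF/DKIM/DMARC checks elsewhere in the pipeline.
    """
    domain = sender_domain(mail_from)
    if domain not in {d.lower() for d in local_domains}:
        return True, "sender domain not hosted here"
    if session.authenticated:
        return True, "authenticated session"
    ip = ipaddress.ip_address(session.client_ip)
    if any(ip in ipaddress.ip_network(net) for net in trusted_nets):
        return True, "client in trusted relay network"
    return False, "550 5.7.1 sender in local domain requires authentication"


def probe_sender_spoofing(host, local_addr, port=25, timeout=10):
    """Return True if the server takes MAIL FROM and RCPT TO for local_addr
    from an unauthenticated connection, as in the post's telnet session.

    Use only against a server you are responsible for.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")          # hypothetical EHLO name
        code, _ = smtp.mail(local_addr)
        if code != 250:
            return False
        code, _ = smtp.rcpt(local_addr)
        if code == 451:                     # greylisting, retried once as in the post
            code, _ = smtp.rcpt(local_addr)
        smtp.rset()                         # abandon the envelope; no DATA is sent
        return code == 250


if __name__ == "__main__":
    sess = Session(client_ip="203.0.113.5", authenticated=False)
    print(should_accept_sender("<ceo@example.net>", sess,
                               ["example.net"], ["192.0.2.0/24"]))
    # Against your own server (hypothetical host and address):
    # print(probe_sender_spoofing("mail.example.net", "ceo@example.net"))
```

The trusted-network exception exists because web forms and cron jobs on the same box submit mail without AUTH; keep that list as small as possible, since every address in it can forge the CEO just as the external client in the post did.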




