[BlueOnyx:21685] Re: mailserver; possible security issue?

Fungal Style wayin at hotmail.com
Thu Jan 25 09:21:27 -05 2018


Dirk,

Good to see I am not the only one thinking SPF.

I note that in your test, if I read it right, you are logging in via telnet as if you were a mail client; you are authenticating to start with.

So you are saying, as an example….

The fake user is logging in as user at company.com and then saying the sender email address is ceo at company.com ? 

Also, you are saying you have selected “Enable SMTP Auth” in the basic tab of “Email”? If so, my understanding would be that the user would need to authenticate in order to be able to send an email, which they could do, say, with an email client logging in with the credentials for the username of (to use the above example):
user

entering the password etc., but configuring the email client to say the email is from ceo at company.com and not user at company.com (which was used to authenticate for sending email). Is this what you mean?

The question then, if the above is true, would be whether the email originated from your (in this case, your customer’s) mail server, and if so they may have a compromised email account, as you needed to log in to send email.

Hope that makes as much sense as I think it does, as it is nearly 1:#0am here… ☺

Regards
Brian


On 26/1/18, 1:06 am, "Blueonyx on behalf of Ken Hohhof" <blueonyx-bounces at mail.blueonyx.it on behalf of khohhof at kwom.com> wrote:

    Dirk, I am not understanding the issue.  Mailservers will generally accept messages from anyone for a local mailbox, that is their purpose.
    
    Is the issue that the mailserver is accepting external mail from a sender address at a domain local to the mailserver?  Maybe you are wanting something like SPF to specify the official mailserver for that domain and force all senders to authenticate and relay via the official mailserver?
    
    Or is the issue that the CEO was fired and his/her email address deleted, yet the mailserver accepted messages from a sender address at a local domain that it should have known was an invalid user at that domain?  If I handle mail for a domain, and I receive a message purporting to be from a user at that domain, yet there is no such user (or alias) at that domain, maybe the SMTP session should fail as soon as I receive the sender data.
    
    
    -----Original Message-----
    From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Dirk Estenfeld
    Sent: Thursday, January 25, 2018 7:19 AM
    To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
    Subject: [BlueOnyx:21683] Re: mailserver; possible security issue?
    
    Hello Brian,
    
    thank you for your email.
    Yes, I am aware of this. But in this case some of your suggestions are not applicable.
    For example, for an official mailserver it makes no sense to limit the IP addresses for port 25.
    Yes, smtp_auth is enabled on the server, of course. But you can try. It is not working if you use an email address which exists on the server and a recipient address which does too.
    
    I also tried with an Exchange server and this worked too, also with sendmail on FreeBSD. So it seems to be a more or less general "feature" which in my opinion is a security issue these days.
    
    Best regards
    Dirk
    
    
    ---
    
    blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel
    
    Tel.: +49 6101 65788 20
    Fax: +49 6101 65788 99
    eMail: dirk.estenfeld at blackpoint.de
    
    Authorized representatives: Dirk Estenfeld and Mario Di Rienzo; HRB 50093 Frankfurt am Main; VAT ID de210106871
    
    CRM on Demand - a good idea
    
    Visit us online at www.blackpoint.de. Register domains without hassle: www.edns.de. Back up data simply and cheaply: www.back2web.de. Member of:
    
    
    
    
    Confidentiality Notice:
    This e-mail message, including any attachments,is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. 
    
    
    -----Original Message-----
    From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Fungal Style
    Sent: Thursday, 25 January 2018 13:55
    To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
    Subject: [BlueOnyx:21682] Re: mailserver; possible security issue?
    
    Hi Dirk,
    
    Well, there are often a few things that can be done, although normally you also need to consider that email is one of the (if not the) most insecure methods of communication.
    
    Simple things, some of which you may have enabled already, include:
    - Limiting the IP ranges that can send email (of course this can be spoofed, but it requires more work from the scammer's side)
    - Authenticated sending (to ensure they do not send via your server; if they do, then look for the account being exploited)
    - SPF records can help a little too, I believe (I have not played too much with them)
    
    
    Note: I am no expert myself but the above should get you pointed in the right direction to start with.
    
    I am sure there are other ways to harden the security, like with RBLs, spam filtering such as SpamAssassin, etc. I suppose some geo blocking may also help, which would go more hand in hand with the initial comment on limiting the IP ranges.
    
    As always, staff training on cyber threats is invaluable.
    
    Hope this helps for the future.
    
    I suspect someone with more knowledge will reply also soon enough, but thought this may provide a little light reading to start with.
    
    Regards
    Brian
    
    
    On 25/1/18, 11:07 pm, "Blueonyx on behalf of Dirk Estenfeld" <blueonyx-bounces at mail.blueonyx.it on behalf of dirk.estenfeld at blackpoint.de> wrote:
    
        Hello,
        
        We have one customer who was the victim of a CEO fraud.
        Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account. He did :(
        
        Now we have found out that it is possible to send email with sendmail on CentOS/BlueOnyx (also other distributions) from an existing email address to an existing email address.
        
        Example:
        telnet 208.77.xx.xx 25
        Trying 208.77.xx.xx...
        Connected to 208.77.xx.xx
        Escape character is '^]'.
        220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
        EHLO blackpoint.de
        250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
        250-ENHANCEDSTATUSCODES
        250-PIPELINING
        250-8BITMIME
        250-SIZE
        250-DSN
        250-ETRN
        250-AUTH LOGIN PLAIN
        250-STARTTLS
        250-DELIVERBY
        250 HELP
        MAIL FROM:mstxxx at solxxx.net
        250 2.1.0 mstxxx at solxxx.net... Sender ok
        RCPT TO: mstxxx at solxxx.net
        451 4.7.1 Greylisting in action, please come back later
        RCPT TO: mstxxx at solxxx.net
        250 2.1.5 mstxxx at solxxx.net... Recipient ok
        DATA
        354 Enter mail, end with "." on a line by itself
        Some content for example send money to yx
        .
        250 2.0.0 w0PBbxN1026335 Message accepted for delivery
        QUIT
        221 2.0.0 sol.xxx closing connection
        Connection closed by foreign host.
        
        Unfortunately it is not only possible from the same user to the same user. It is also possible from an email address (existing on the server) to an email address (existing on the server).
        
        Did someone else see something similar?
        In my opinion, in days of CEO fraud, it is a security issue.
        Does someone know how to change settings in sendmail to prevent this behaviour?
        
        Best regards,
        Dirk Estenfeld
        
        
        ---
        
        blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
        
        
        _______________________________________________
        Blueonyx mailing list
        Blueonyx at mail.blueonyx.it
        http://mail.blueonyx.it/mailman/listinfo/blueonyx
        
    
    
    
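The MAIL FROM policy this thread circles around (Dirk's unauthenticated spoof of an existing local address, Ken's point that a local sender that does not exist should fail at MAIL FROM, and Brian's SPF and authenticated-sender points), written out as an added example in Python. This is illustration code, not sendmail's, BlueOnyx's or any poster's; the domain company.example, the mailboxes, the IP addresses and the SPF record are constructed, and the SPF evaluator only handles ip4/ip6/all mechanisms, skipping anything that would need DNS.

```python
"""Envelope-sender policy for a receiving MTA, as a worked illustration.

Rejects MAIL FROM addresses in a local domain unless the connection either
authenticated as that exact user or comes from a host the domain's SPF
record authorizes, and rejects local sender addresses that do not exist.
Not sendmail's or BlueOnyx's code; all names, addresses, IPs and the SPF
record below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration (hypothetical domain, documentation-range IPs).
LOCAL_DOMAINS = {"company.example"}
LOCAL_MAILBOXES = {"ceo@company.example", "user@company.example"}
# SPF TXT records as the local domain would publish them in DNS (constructed).
SPF_RECORDS = {
    "company.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror'. Mechanisms that need DNS (a, mx, include, ...) are not
    implemented here and are skipped, so this is a sketch, not RFC 7208.
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        # any other mechanism is skipped here (it would need DNS lookups)
    return "neutral"  # record exhausted with no match and no 'all'


@dataclass
class Envelope:
    client_ip: str
    mail_from: str
    auth_user: Optional[str] = None  # identity proven by SMTP AUTH, if any


def check_mail_from(env: Envelope) -> Tuple[int, str]:
    """Decide the reply to MAIL FROM as (reply code, enhanced status text)."""
    sender = env.mail_from.strip("<>").lower()
    domain = sender.rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        # Foreign sender: nothing to enforce here beyond that domain's own
        # SPF/DMARC policy, which this sketch does not evaluate.
        return 250, "2.1.0 Sender ok"
    if env.auth_user is not None:
        # Authenticated session: the envelope sender must be the account
        # that logged in, so user@ cannot submit mail as ceo@.
        if sender != env.auth_user.lower():
            return 553, "5.7.1 Sender address does not match authenticated user"
        return 250, "2.1.0 Sender ok"
    if sender not in LOCAL_MAILBOXES:
        # Local domain but no such mailbox or alias: fail at MAIL FROM.
        return 550, "5.1.0 Sender address does not exist at this domain"
    result = spf_check(domain, env.client_ip)
    if result == "pass":
        # e.g. a secondary MX or outbound relay listed in the SPF record
        return 250, "2.1.0 Sender ok"
    return 550, "5.7.1 Local sender address from unauthorized host (SPF %s)" % result


if __name__ == "__main__":
    # The spoof from the thread: an unauthenticated outside host claims the CEO.
    print(check_mail_from(Envelope("198.51.100.7", "ceo@company.example")))
    # The same claim from a host the SPF record authorizes.
    print(check_mail_from(Envelope("203.0.113.10", "ceo@company.example")))
    # Authenticated as user@ but claiming ceo@.
    print(check_mail_from(Envelope("198.51.100.7", "ceo@company.example",
                                   auth_user="user@company.example")))
```

Two caveats a practitioner would want: requiring the envelope sender to equal the authenticated login is too strict where aliases or shared mailboxes are legitimate, so a real deployment maps each login to the set of addresses it may use; and this check only covers the SMTP envelope, while the employee reads the message's From: header, which is what DMARC alignment is for, and a lookalike domain is outside the receiving MTA's control entirely. The 451 greylisting reply in Dirk's transcript is a delay, not a sender check, and does not stop the retry.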
    






More information about the Blueonyx mailing list