[BlueOnyx:21686] Re: mailserver; possible security issue?

Rickard Osser rickard.osser at bluapp.com
Thu Jan 25 09:23:54 -05 2018


Hi,
Unfortunately this isn't a technical question. Mail-spoofing will occur
whatever you try to do, and this exploits the most basic function of a
mail-server, which is the reason this works on all servers.
It's actually a policy problem, and no one should do payments based on
only a single e-mail. It is that simple. Without a text (mobile-phone),
internal memo (not e-mail) and/or phone-call confirming the payments,
don't make them! Sure, regular invoices can be paid, but check them as
well for validity.
Best regards,
Rickard


On Thu, 2018-01-25 at 11:58 +0000, Dirk Estenfeld wrote:
> Hello,
> 
> we have one customer who was a victim of CEO fraud.
> Some of his employees got a message from the email address of the CEO
> with the order to send xx money to a specific bank account. He did :(
> 
> Now we found out that it is possible to send email with sendmail at
> centos/blueonyx (also other distributions) from an existing email
> address to an existing email address.
> 
> Example:
> telnet 208.77.xx.xx 25
> Trying 208.77.xx.xx...
> Connected to 208.77.xx.xx
> Escape character is '^]'.
> 220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
> EHLO blackpoint.de
> 250-sol.xxx Hello ns3.xxx [xx.xx.xx.xx], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> MAIL FROM:mstxxx at solxxx.net
> 250 2.1.0 mstxxx at solxxx.net... Sender ok
> RCPT TO: mstxxx at solxxx.net
> 451 4.7.1 Greylisting in action, please come back later
> RCPT TO: mstxxx at solxxx.net
> 250 2.1.5 mstxxx at solxxx.net... Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> Some content for example send money to yx
> .
> 250 2.0.0 w0PBbxN1026335 Message accepted for delivery
> QUIT
> 221 2.0.0 sol.xxx closing connection
> Connection closed by foreign host.
> 
> Unfortunately it is not only possible from the same to the same user.
> It is also possible from an (at the server existing) email address to
> an (at the server existing) email address.
> 
> Did someone else see something similar?
> In my opinion, in these days of CEO fraud, it is a security issue.
> Does someone know how to change settings in sendmail to prevent this
> behaviour?
> 
> Best regards,
> Dirk Estenfeld
> 
> 
> ---
> 
> blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
-- 
Bluapp AB
Rickard Osser
CTO
Solberga Ängsväg 3
125 44 Älvsjö
Sweden

Web: http://www.bluapp.com
Mail: rickard.osser at bluapp.com
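Dirk's telnet transcript above shows the pattern he is worried about: the server accepts a MAIL FROM in its own domain from an outside host that never authenticated. The following Python is an added illustration, not code from this thread, from BlueOnyx or from sendmail: it replays an SMTP transcript of that shape and flags a local-domain envelope sender that was accepted without a successful AUTH from a host outside a trusted-relay list. LOCAL_DOMAINS, TRUSTED_RELAYS, the host names, the IP addresses and the two constructed sessions are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumed for this example: the domains this MTA hosts, and the clients that may
# submit mail as those domains without AUTH (e.g. the local webmail/php relay).
LOCAL_DOMAINS = {"solxxx.net"}
TRUSTED_RELAYS = {"127.0.0.1"}

_REPLY_RE = re.compile(r"^(\d{3})[ -]")                      # server reply line
_HELLO_RE = re.compile(r"^250[- ]\S+ Hello \S+ \[([^\]]+)\]")  # EHLO greeting with client IP
_MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<?([^>\s]*)>?", re.IGNORECASE)


@dataclass
class SessionCheck:
    client_ip: str
    sender: str
    authenticated: bool
    spoofed_local_sender: bool


def check_transcript(transcript: str) -> SessionCheck:
    """Walk client commands and server replies of one SMTP session and decide
    whether a local-domain envelope sender was accepted from an unauthenticated,
    untrusted client (the situation described in the thread)."""
    client_ip, sender = "", ""
    authenticated = pending_auth = in_data = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_data:                     # message body: ignore until the lone "."
            in_data = line != "."
            continue
        reply = _REPLY_RE.match(line)
        if reply:                       # server side
            code = reply.group(1)
            hello = _HELLO_RE.match(line)
            if hello:
                client_ip = hello.group(1)
            if pending_auth:            # 235 = success, 334 = dialogue continues, else failed
                authenticated = authenticated or code == "235"
                pending_auth = code.startswith("3")
            if code == "354":
                in_data = True
            continue
        if line.upper().startswith("AUTH "):   # client side
            pending_auth = True
            continue
        mf = _MAIL_FROM_RE.match(line)
        if mf:
            sender = mf.group(1).lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    spoofed = domain in LOCAL_DOMAINS and not authenticated and client_ip not in TRUSTED_RELAYS
    return SessionCheck(client_ip, sender, authenticated, spoofed)


# Constructed session in the shape of the one quoted in the thread: no AUTH, outside host.
SPOOF_SESSION = """\
220 sol ESMTP Sendmail Ready; Thu, 25 Jan 2018 06:37:59 -0500
EHLO outside.example
250-sol.example Hello outside.example [203.0.113.7], pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP
MAIL FROM:<mstxxx@solxxx.net>
250 2.1.0 <mstxxx@solxxx.net>... Sender ok
RCPT TO:<mstxxx@solxxx.net>
250 2.1.5 <mstxxx@solxxx.net>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: test
.
250 2.0.0 QUEUEID Message accepted for delivery
QUIT
221 2.0.0 sol.example closing connection
"""

# Same client, but it authenticates first (constructed credentials) before MAIL FROM.
AUTH_SESSION = SPOOF_SESSION.replace(
    "MAIL FROM:", "AUTH PLAIN AGJvYgBzZWNyZXQ=\n235 2.7.0 Authentication successful\nMAIL FROM:", 1)

if __name__ == "__main__":
    for name, session in (("unauthenticated", SPOOF_SESSION), ("authenticated", AUTH_SESSION)):
        print(name, check_transcript(session))
```

The check does not change the MTA; it only makes the policy question in Dirk's mail explicit: whether this server should accept its own domain as envelope sender from a client that neither authenticated nor sits on a trusted relay. A session from a client that rewrites the sender to an external domain is left alone, and a session from a trusted relay (such as the host itself) is accepted, which is why the trusted list matters when a web application on the same box sends mail without AUTH.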