Update, in case anyone cares.
'Security' company doesn't know the difference between 'MAIL FROM:' and
'From:'. Not only do they not run their own mail server (supposedly to
'prevent any attacks from that vector'), their ISP's mail server
actually creates a From: header from the Return-Path: if the From:
header is left out. Not that I have intimate knowledge of all mail
servers, but I've never heard of that.
So after going through all this, they now believe qmail "doesn't work
like the rest of the internet". Of course, they'll still continue to
verify 'spoofing' by testing via MAIL FROM: (because, supposedly,
everyone else passes) - not realizing they will never have an accurate
result. It's pretty much a given that From: will exist, negating their
test entirely.
I guess I learned today anyone can do pen testing, as long as you find
enough scripts posted on websites.
Just thought I'd finish this 'thread' in case anyone was wondering or
comes across it again.
Rick
Rick Romero wrote:
Hi All,
I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.
I just can't fathom how that is.
As I understand it, MAIL FROM is only used for returning undeliverable
mail. So, yes, I'm sure we've all been joe-jobbed, but he's talking
about on my own server. Since I'm using tcpserver, I really have total
control over what would be a 'local joe-job'.
Supposedly it'll be in the pen-test report, but I haven't even been
given a theoretical on how this is an issue.
Can anyone else come up with one?
Rick
