On Mon, 06 Jan 2003 22:11:49 +0000 [EMAIL PROTECTED] wrote:

> All,
>
> Thanks for the input on this so far. To clarify, [EMAIL PROTECTED] is exactly right in stating that I'm trying to stop the spoofing of my domain as the sender to my own domain (e.g. helpdesk@xyz to johnSmith@xyz where helpdesk is the spoofed sender). This is not an open relay server and the spam is not (as far as I can tell) the result of any viruses guessing at accounts.
>
> The primary concern is with stopping mail with my domain as the sender and my domain as the recipient if the sender IP is not within networks which I control. I don't want to give any "crackers" monitoring this mailing list any ideas (most likely they've thought of this already) but this makes the probability of someone opening up an email and executing an attachment much greater. In some testing me and some other guys did, it was trivial to send an email from an outside address with the sender spoofed to look like an internal, trusted source (the spoofing is very easy but knowledge of the internal account naming convention, etc. was a little bit more difficult to match). This would make it much easier for me to send an email from [EMAIL PROTECTED] requesting that [EMAIL PROTECTED] execute the attached file. Sure he might know not to execute attachments from other untrusted domains but would he not open this from his "own" helpdesk? The amount of knowledge to execute this attack would be somewhat trivial to obtain - simple Google searches would most likely return the email addresses for a targeted company. A very large % of typical users would never think to check SMTP headers - they likely don't even know what those are.
>
> I'm not sure that this problem can be resolved within sendmail config files but if anyone knows differently, please let me know.
>
> Thanks again,
>
> Jim
>
> > I think the original sender and several of the respondents may be confusing 'spam with forged headers' with 'open relaying.'
> >
> > The original question was not about his relay being hijacked to send spam, it was about mail coming IN to his company xyz.com for [EMAIL PROTECTED] purporting to be from another sender at xyz.com when it really came from somewhere else. That's NOT open relaying, that's forging headers and there's not much you can do about it without breaking things (What if [EMAIL PROTECTED] wants to use her xyz.com return address when she's sending mail from home to [EMAIL PROTECTED] via her local ISP dialup -- Why would you want to block that?) What's the difference if incoming spam has one forged address or another anyway? It's still spam!
> >
> > 'Switching to Postfix', using a 'content security gateway,' or 'TLS' are not going to solve this problem (forging of email headers).

Hi,
Modern Sendmail versions have the concept of milters (mail filters). Using these you can access mail at any stage and apply a filter to it. Hit up Google with "milter sendmail" and you'll get plenty of information. I use SpamAssassin with a milter and it catches a lot of stuff, including forged headers. There are packages out there to allow you to write filters in C, C++, Perl, and other languages.

GB

-- 
GB Clark II | Roaming FreeBSD Admin
[EMAIL PROTECTED] | General Geek
CTHULU for President - Why choose the lesser of two evils?
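As an added illustration of the policy Jim describes (reject mail that claims an xyz.com sender for an xyz.com recipient when the connecting IP is outside the networks he controls) and of the kind of decision a milter makes per envelope, here is the decision logic in Python. It is not GB's code, SpamAssassin's, or anything from the sendmail project: the domain `xyz.com` comes from the thread, the trusted network ranges and the sample sessions are constructed, and the `decide` function is a hypothetical helper that a milter's `xxfi_envrcpt` callback would call with the values of sendmail's `{client_addr}` and `{auth_authen}` macros. The libmilter wiring itself is left out. The authenticated-session exception is what keeps the "employee sending from home via her ISP" case in the quoted reply working: she submits with SMTP AUTH instead of being trusted by IP.

```python
import ipaddress

# Domain whose internal senders must not arrive from outside (from the thread).
LOCAL_DOMAIN = "xyz.com"

# Constructed sample of the networks the administrator controls (RFC 5737
# documentation ranges); substitute the real internal ranges in deployment.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def domain_of(address):
    """Return the lower-cased domain part of an SMTP envelope address.

    Accepts the angle-bracket form a milter receives ("<user@host>") and the
    null sender "<>" used for bounces, for which it returns "".
    """
    addr = address.strip().strip("<>").strip()
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_trusted_ip(client_ip):
    """True if the connecting client is inside a network we control."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def decide(client_ip, mail_from, rcpt_to, auth_user=None):
    """Policy decision for one envelope recipient; returns (action, reply).

    Rejects exactly the case the thread is about: local domain as sender AND
    local domain as recipient, from an untrusted IP, with no SMTP AUTH.
    Everything else is left to sendmail's normal relay and spam checks.
    """
    sender_dom = domain_of(mail_from)
    rcpt_dom = domain_of(rcpt_to)
    if sender_dom != LOCAL_DOMAIN or rcpt_dom != LOCAL_DOMAIN:
        return ("CONTINUE", "")  # not an internal-to-internal claim
    if auth_user:
        return ("CONTINUE", "")  # authenticated submission, e.g. from home
    if is_trusted_ip(client_ip):
        return ("CONTINUE", "")  # came from our own networks
    return ("REJECT", "550 5.7.1 %s senders are not accepted from %s"
            % (LOCAL_DOMAIN, client_ip))


# Constructed SMTP sessions: (client IP, MAIL FROM, RCPT TO, {auth_authen}).
SAMPLE_SESSIONS = [
    ("203.0.113.5", "<helpdesk@xyz.com>", "<johnsmith@xyz.com>", None),    # forged
    ("192.0.2.10",  "<helpdesk@xyz.com>", "<johnsmith@xyz.com>", None),    # internal
    ("203.0.113.5", "<jane@xyz.com>",     "<bob@example.org>",   None),    # not local rcpt
    ("203.0.113.5", "<jane@xyz.com>",     "<bob@xyz.com>",       "jane"),  # SMTP AUTH
    ("203.0.113.5", "<>",                 "<bob@xyz.com>",       None),    # bounce
]


def run_samples():
    """Apply the policy to each constructed session; returns the actions."""
    return [decide(*session)[0] for session in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for session, action in zip(SAMPLE_SESSIONS, run_samples()):
        print(action, session)
```

Only the first session is rejected; the null sender and the outbound case pass through because they do not match the sender-and-recipient-both-local pattern, and the authenticated session passes regardless of IP. Domain comparison is case-insensitive, so `<HelpDesk@XYZ.COM>` is treated the same as the lower-case form.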