Eric,
It is possible to send multiple emails with one "connect / disconnect" session even to different recipients and from different "MAIL FROM" addresses. Only the original connect and the final quit will be logged.
Two ways to minimize the spoofing problem:
1. Enforce reverse DNS lookups on the connecting IP address.
2. RBL subscriptions, for what those are worth.
Another option (not necessarily recommended) is to force the "from" domain to match the reverse lookup completed on the connecting IP address. This will break many email attempts from legitimate sources because the SMTP servers don't necessarily belong to the sending domain (MX gateway services, for instances).
Is that the question you are asking?
HTH,
Grant
-----Original Message-----
From: Eric Kahklen [mailto:eric@kahklen.com]
Sent: Wednesday, July 21, 2004 11:08 AM
To: suse-security@suse.com
Subject: [suse-security] Email Spoofing
We are using Suse 9.0 Professional. I am getting email that is claiming
to be from my domain and the Posfix logs confirm it is from an outside
IP. After searching the logs, I figured out where the connection
initiated, and then the regular smtp traffic proceeded with the spoofed
email address (user@mydomain.com) to my real users email address
realusers@mydomain.com). The unique identifiers helped me correspond
the traffic. There were two other email sessions that based on their
unique identifier did not have the full smtp process. For example, this
is all that is entered in the logs for the unique process. I usually
see a connect and disconnect process before and after this and the
random character user does not exisit! BTW, this is a mail gateway for
Exchange.
Any ideas??
Jul 20 11:54:59 gateway postfix/smtp[10247]: 649E6AD30:
to=
I¹d take a look at this URL:
http://www.unixwiz.net/techtips/postfix-HELO.html
I had the same problem and now I¹m rejecting a ton of these (approximately
50% of inbound mail is associated like this).
Tom
From: "Sturgis, Grant"
Hi *, Tom Fox schrieb:
I¹d take a look at this URL:
1. Enforce reverse DNS lookups on the connecting IP address.
And Block almost any road warrior using dialup.
2. RBL subscriptions, for what those are worth.
Oh, Block the Rest ;-)
Another option (not necessarily recommended) is to force the "from" domain to match the reverse lookup completed on the connecting IP address. This will break many email attempts from legitimate sources because the SMTP servers don't necessarily belong to the sending domain (MX gateway services, for instances).
Right.
-----Original Message----- From: Eric Kahklen [mailto:eric@kahklen.com] Sent: Wednesday, July 21, 2004 11:08 AM To: suse-security@suse.com Subject: [suse-security] Email Spoofing
We are using Suse 9.0 Professional. I am getting email that is claiming to be from my domain and the Posfix logs confirm it is from an outside IP.
Oh, why don`t you just block incomming SMTP Traffic if the from: claims to be inside. This is easy to configure. Use ssl encrypted and accounted SMTP for allowed users. (Road-Warriors) You just need two IP, or two Ports and two instances of postfix. And you are RFC conform. Greetings Dirk TRIA IT-consulting GmbH Joseph-Wild-Straße 20 81829 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de -------------------------------------------------------- working hard | for your success -------------------------------------------------------- Registergericht München HRB 113466 USt.-IdNr. DE 180017238 Steuer-Nr. 802/40600 Geschäftsführer: Hubertus Wagenhäuser -------------------------------------------------------- Nachricht von: dirk.schreiner@tria.de Nachricht an: tom@tremor.com, suse-security@suse.com # Dateianhänge: 0 Die Mitteilung dieser E-Mail ist vertraulich und nur für den oben genannten Empfänger bestimmt. Wenn Sie nicht der vorgesehene Empfänger dieser E-Mail oder mit der Aushändigung an ihn betraut sind, weisen wir darauf hin, daß jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung sowie Weitergabe des Inhalts untersagt ist. Wir bitten Sie uns in diesem Fall umgehend zu unterrichten. Vielen Dank The information contained in this E-Mail is privileged and confidental intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately. Thank you
participants (3)
-
Dirk Schreiner
-
Sturgis, Grant
-
Tom Fox