[19880] in bugtraq


Re: MailSweeper for SMTP Security Problem

daemon@ATHENA.MIT.EDU (Hugo van der Kooij)
Wed Mar 28 00:30:44 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.30.0103271957240.22645-100000@hvdkooij.xs4all.nl>
Date:         Tue, 27 Mar 2001 20:04:05 +0200
Reply-To: Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>
From: Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>
X-To:         Russ Hayward <bug@EUNOS.DEMON.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <000501c0b685$389d1c60$6291989e@inet0002>

On Tue, 27 Mar 2001, Russ Hayward wrote:

> There appears to be a vulnerability with Mail Sweeper for SMTP email by
> Content Technologies.
> (Tested on Version 4.19; others may be vulnerable.)
>
> My test system is -
>
>     Windows NT 4 Service Pack 5
>     MailSweeper for SMTP version 4.1.9

Version number 4.1_9 is assumed here.

> I have two separate incoming and outgoing policy scenarios. I trust (!) my
> users and allow all internal users to send what they like (no restrictions)
> but restrict incoming emails with virus checks, text analysis, exe file
> checks etc., etc.
>
> The Incoming scenario applies to this address list *@* --> *@mydomain.com
> and the Outgoing Scenario applies to *@mydomain.com --> *@*
>
> The SMTP relay restrictions ensure that only mail destined for the local
> domain is forwarded.
>
> The problem occurs when an attacker spoofs an email so the sender appears to
> be a user within my domain, i.e. JoeBloggs@mydomain.com, and the recipient
> is the intended victim, i.e. user@mydomain.com.
>
> MailSweeper will apply the OUTGOING scenario (i.e. nothing) and forwards the
> mail internally to the intended victim. This email could contain any content.

The problem here is not in the software but the configuration. Outgoing
mail should be restricted to the internal mailserver(s), and a properly
configured system passes all the email relay tests.

I've installed about half a dozen systems with MailSweeper and none of
them allow relaying. All of them have been tested externally for all
variants of email relay including bangpath variants.

Some were tested by the ISP as well, and one was installed in a rush to stop
an email relaying problem that is present in v3 of the MailSweeper for
SMTP product and cannot be fixed in the configuration.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
All email is bound to the rules described on my homepage.
All email sent to me is bound to the rules described on my homepage.
	Don't meddle in the affairs of sysadmins,
	for they are subtle and quick to anger.
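The misconfiguration the thread is about, as an added example that is not from either poster: a policy selector that picks the "outgoing" scenario from the sender address alone (the weak form reported above) beside one that picks it from the connecting host, which is what the reply recommends. The network range, message samples and all names are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration: the "outgoing" scenario must not be chosen from the
# envelope sender alone. Network range and samples below are constructed.
INTERNAL_DOMAIN = "mydomain.com"
# Hypothetical: the only hosts allowed to originate "outgoing" mail.
INTERNAL_MAIL_SERVERS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class Message:
    peer_ip: str      # address of the SMTP client that connected
    sender: str       # envelope MAIL FROM
    recipient: str    # envelope RCPT TO

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def weak_scenario(msg: Message) -> str:
    """Address-list matching only: *@mydomain.com --> *@* is 'outgoing'.
    A forged internal sender from the Internet lands here and skips checks."""
    if domain_of(msg.sender) == INTERNAL_DOMAIN:
        return "outgoing"
    if domain_of(msg.recipient) == INTERNAL_DOMAIN:
        return "incoming"
    return "reject-relay"

def hardened_scenario(msg: Message) -> str:
    """Direction decided by where the connection comes from: 'outgoing' only
    from internal mail servers; anything from outside is 'incoming' and must
    be addressed to the local domain, or it is refused as relaying."""
    peer = ipaddress.ip_address(msg.peer_ip)
    from_inside = any(peer in net for net in INTERNAL_MAIL_SERVERS)
    if from_inside:
        return "outgoing"
    if domain_of(msg.recipient) == INTERNAL_DOMAIN:
        return "incoming"   # forged internal sender still gets inbound checks
    return "reject-relay"

SAMPLES = [  # constructed test messages
    Message("10.0.0.25", "alice@mydomain.com", "bob@example.net"),          # real outbound
    Message("203.0.113.7", "carol@example.org", "bob@mydomain.com"),        # normal inbound
    Message("203.0.113.7", "JoeBloggs@mydomain.com", "user@mydomain.com"),  # spoofed sender
    Message("203.0.113.7", "x@example.org", "y@example.net"),               # relay attempt
]

def compare() -> list:
    """(weak, hardened) decision for each sample; only the spoofed case differs."""
    return [(weak_scenario(m), hardened_scenario(m)) for m in SAMPLES]
```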
