[19949] in bugtraq
Re: MailSweeper for SMTP Security Problem
daemon@ATHENA.MIT.EDU (Jonathan Williams)
Fri Mar 30 06:51:15 2001
Message-ID: <20010329172857.14137.qmail@securityfocus.com>
Date: Thu, 29 Mar 2001 17:28:57 -0000
Reply-To: jon.williams@BALTIMORE.COM
From: Jonathan Williams <jon.williams@BALTIMORE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Russ,

Thanks for bringing this up – as some of the responses in this mailing list have noted, the main issue here is one of configuration, but you’ve highlighted an important area of policy – what do you do with apparently internal e-mail received at the internet gateway.
The “problem” that you list is that, by default, internal mail (that is, mail apparently sent by an internal sender to an internal recipient) follows a policy folder called Outbound. The default Inbound and Outbound policy folders cover

*@* to *@mydomain.com

and

*@mydomain.com to *@*

respectively. With only these two policies, an e-mail from mydomain.com to mydomain.com could quite legitimately follow either of these policies.
In the case you mention, the Outbound policy does no content security and therefore will not pick up any threats or items against the company policy. From our experience very few customers have this sort of configuration.
To handle internal e-mail differently, simply create a new policy folder with an appropriate name, say “Internal”, and set the route to (in your example) From: *@mydomain.com To: *@mydomain.com. You may then apply whatever policy is appropriate.
In essence, the issues you highlight are

a) the need for a policy for internal-internal e-mail
b) the necessity for an appropriate policy on outbound e-mail
To put this in perspective, some customers routinely block internal relaying by MAILsweeper by creating the Internal folder (as listed above) and then using a Classifier scenario (with or without additional content security) to quarantine or delete the message (with or without informing recipient and/or sender). For other customers routing mail through the system in this manner is perfectly normal (i.e. external ISP-connected laptop users on the road).
Even those customers who do not handle internal mail differently scan both Inbound and Outbound e-mail for threats, even if they may routinely skip other content security analysis.
In summary:

In practice this “problem” is due to configuration and deployment issues and is unlikely to be exploitable in the real world. Customers concerned about how apparently internal e-mail is handled may use the method described above or can deploy a content security solution on their internal mail servers as well.
Jon Williams
Product Manager
Baltimore Technologies
> There appears to be a vulnerability with Mail Sweeper for SMTP email by
> Content Technologies.
> (Tested on Version 4.19, others may be vulnerable)
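The routing argument made in the reply above, as an added example that is not part of the original post or of MAILsweeper itself: with only the default Inbound and Outbound folders, an internal-to-internal message matches both routes, and whichever wins the tie decides whether content scanning happens; adding a more specific Internal folder removes the ambiguity. The folder tuples, the "most literal characters wins" specificity rule and the tie-break order are assumptions constructed for illustration, not the product's actual evaluation logic.

```python
"""Constructed model of policy-folder routing: each folder is
(name, sender pattern, recipient pattern, content security applied?)."""
from fnmatch import fnmatchcase

# Default folders from the post. Outbound is listed first so that the
# tie-break below reproduces the described default (internal mail follows
# Outbound); that ordering is an assumption of this example.
DEFAULT_FOLDERS = [
    ("Outbound", "*@mydomain.com", "*@*",            False),  # no content security
    ("Inbound",  "*@*",            "*@mydomain.com", True),
]

# The fix from the post: a dedicated Internal route with its own policy.
WITH_INTERNAL = [("Internal", "*@mydomain.com", "*@mydomain.com", True)] + DEFAULT_FOLDERS


def route_matches(from_pat, to_pat, sender, recipient):
    """Case-insensitive glob match of both ends of the route."""
    return (fnmatchcase(sender.lower(), from_pat.lower())
            and fnmatchcase(recipient.lower(), to_pat.lower()))


def specificity(from_pat, to_pat):
    """Literal (non-wildcard) characters in the route; more literal = more specific."""
    return sum(1 for c in from_pat + to_pat if c not in "*?")


def classify(folders, sender, recipient):
    """Return (folder name, content scanned?, ambiguous?) for one message.

    The most specific matching route wins. On a tie the first listed folder
    is used and ambiguous=True, which is exactly the situation the post
    describes for mydomain.com -> mydomain.com mail under the defaults.
    """
    hits = [(specificity(f, t), name, scan) for name, f, t, scan in folders
            if route_matches(f, t, sender, recipient)]
    if not hits:
        return None, False, False
    best = max(score for score, _, _ in hits)
    top = [(name, scan) for score, name, scan in hits if score == best]
    name, scan = top[0]
    return name, scan, len(top) > 1


if __name__ == "__main__":
    msg = ("alice@mydomain.com", "bob@mydomain.com")   # constructed internal message
    print("defaults:     ", classify(DEFAULT_FOLDERS, *msg))  # Outbound, unscanned, ambiguous
    print("with Internal:", classify(WITH_INTERNAL, *msg))    # Internal, scanned, unambiguous
```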