SMTP - Internal Security
Just a quick question about how you guys set up your Exchange servers (I'm using Exchange 2003 but I assume this applies to 2007 as well).

Basically it seems that by default when you install Exchange, there is nothing to stop internal users sending fake emails through the SMTP server by using Telnet to connect on port 25. I have verified this by sending a fake email via telnet to one of my colleagues that appeared to come from our boss (much to my amusement) and it looked completely authentic, and I did that with just a standard user account, so there is nothing to stop any other user from doing this.

What is the recommended way to stop this? Would you normally just set the server to only allow relay from specific internal IP addresses (but then what if the user's PC is running a program that needs to be able to send emails via the SMTP server)?

Thanks
Chris
My blog: http://cjwdev.wordpress.com
December 14th, 2009 6:11pm
On Mon, 14-Dec-09 15:11:36 GMT, Chris128 wrote:

> Just a quick question about how you guys set up your Exchange servers (I'm using Exchange 2003 but I assume this applies to 2007 as well). Basically it seems that by default when you install Exchange, there is nothing to stop internal users sending fake emails through the SMTP server by using Telnet to connect on port 25.

Why use telnet when any POP3/IMAP4 email client works so much better? Or just write a small script in Perl/VBS/Powershell/etc. and dispense with the need to even have a mailbox? :-)

> I have verified this by sending a fake email via telnet to one of my colleagues that appeared to come from our boss (much to my amusement) and it looked completely authentic and I did that with just a standard user account so there is nothing to stop any other user from doing this. What is the recommended way to stop this? Would you normally just set the server to only allow relay from specific internal IP addresses (but then what if the user's PC is running a program that needs to be able to send emails via the SMTP server)?

You can use the "Connection..." button on the "Access" tab of the SMTP Virtual Server's property page to limit what IP addresses will be allowed to connect to that VS. Just be sure not to cut off access from the rest of the world!

This practice (spoofing) is really a behavioral one that is best addressed by the HR folks.

---
Rich Matheisen
MCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
December 14th, 2009 6:26pm
Well yeah, it would be better if users just didn't try to send fake emails, but you could say the same about anything, accessing folders that have confidential information in them for example. Of course users shouldn't try to access the folders, but we as system admins take security measures to prevent them from being able to do it even if they wanted to. We don't say it's an HR issue and that they should tell the users not to even try. I would expect there to be similar security options to prevent users from sending fake emails as well, that's all.

I'll take a look at the Connection button you mentioned and see if that lets me do it :)

Thanks
Chris

My blog: http://cjwdev.wordpress.com
December 14th, 2009 6:52pm
On Mon, 14-Dec-09 15:52:42 GMT, Chris128 wrote:

> >ent users from sending fake emails as well, that's all. I'll take a look at the Connection button you mentioned and see if that lets me do it :)
>
> Thanks
> Chris

I didn't mean that you shouldn't protect your assets. I meant that people will do all sorts of 'clever' things, some of which you have little control over. Having an Acceptable Use Policy for email (and for the rest of your infrastructure) makes it a lot easier to discharge/discipline employees for misbehaving (and they will).

---
Rich Matheisen
MCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
December 14th, 2009 7:15pm
If the messages are submitted anonymously, the sender's e-mail address will show as follows:

From: First_name Last_name [first_name.last_name@domain.com]

Exchange 2003 only resolves an authenticated user's e-mail address to a display name, like below:

From: First_name Last_name

So, even without any filtering, users can tell it's spam as it's not resolved to a display name.

Exchange 2003 does provide the ability for client-side users to recognize spoofed mail by displaying the actual SMTP address of nonauthenticated mail as opposed to the display name as it appears in the global address list (GAL). However, disabling anonymous SMTP access on all internal Exchange servers is recommended.

Refer to <Restrict Anonymous Access to SMTP>
Resources:
How to help secure SMTP client message delivery in Exchange 2003
Securing Your Exchange Server
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
December 15th, 2009 11:09am
But it won't be anonymous if it has come from an internal user, will it? Because they can log in to the SMTP server with their normal username and password and then send the email.

My blog: http://cjwdev.wordpress.com
December 15th, 2009 11:31am
Yes, you are right. If the user can log in as an authenticated user, the name will be resolved.

The only way to prevent such spoofing is to set certain restrictions on the network device, so the client machine can't telnet to the Exchange server.

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
December 15th, 2009 1:08pm
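The thread discusses two controls: restricting which hosts may submit mail without authenticating (the "Connection..." IP limit, so application servers keep working), and the fact that an authenticated user still resolves to a display name even when the envelope or From header names someone else. The following added example is not from the thread or from Exchange; it is a stand-alone policy check, with a constructed relay allowlist and user directory, that shows how a submission gateway could evaluate both cases and reject an authenticated user who submits mail as another address.

```python
import ipaddress
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed policy for this example (not Exchange configuration):
# hosts that may submit without AUTH, e.g. an application server subnet,
# and a directory mapping each account to the one address it may send as.
RELAY_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
USER_ADDRESSES = {
    "chris": "chris@example.com",
    "boss": "boss@example.com",
}


@dataclass
class Submission:
    client_ip: str
    auth_user: Optional[str]   # None when the session never issued AUTH
    mail_from: str             # envelope sender from MAIL FROM
    header_from: str           # From: header inside DATA, may carry a display name


def evaluate(sub: Submission) -> str:
    """Return 'accept' or 'reject: <reason>' for one SMTP submission."""
    ip = ipaddress.ip_address(sub.client_ip)
    if sub.auth_user is None:
        # Anonymous submission: only allowlisted hosts (application servers) may relay.
        if any(ip in net for net in RELAY_ALLOWLIST):
            return "accept"
        return "reject: anonymous submission from non-allowlisted host"
    own = USER_ADDRESSES.get(sub.auth_user)
    if own is None:
        return "reject: unknown authenticated user"
    # An authenticated user must use their own address both in the envelope and
    # in the From: header; otherwise the recipient sees the spoofed display name.
    envelope = parseaddr(sub.mail_from)[1].lower()
    header = parseaddr(sub.header_from)[1].lower()
    if envelope != own or header != own:
        return f"reject: sender {envelope}/{header} does not match {own}"
    return "accept"
```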
Or, you can use TLS.

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
December 16th, 2009 4:27am