Impersonate another email user

wise_guy2002n
Posted: Fri Aug 29, 2008 6:58 am

Dear all,

I have what is, in my view, a very severe problem in my internal network. I am running the email servers Exchange2k3 and MDaemon Pro in different networks. A few days ago I observed that some of my internal users received emails with bogus messages from some of our internal users, but later the sender never accepted that the message was sent by him. The users exist in our email server. When I checked the email header, I found that another legitimate internal user of ours impersonates the original user's email address and sends email to whomever they want, just because they require only the SMTP IP address, and it is also very easy to find out the SMTP address of the internal email server. That user sends irritating messages again whenever they want. I have blocked his ID, but this is not a permanent solution. This is a very serious issue in the office. I want to ask you all whether there is any resolution so that only the original user can use their own email user name to send email, and no one can impersonate another user's email address and send email to whomever they want. I hope someone understands my problem.

Thanks

PhiBer
Posted: Fri Aug 29, 2008 5:57 pm

You might wish to look into S/MIME, which allows for non-repudiation of origin (you cannot say "you" didn't send it as you are the only one with the certificate).

capi
Posted: Fri Aug 29, 2008 9:50 pm

That would require making S/MIME mandatory somehow, though. The vandal could always opt to send his emails without using S/MIME - an email without a signature would certainly look more spoofed, but if the point is finding out who's actually sending the offending emails it may not help.

If this is an internal problem - that is, the vandal is sending the emails from the internal smtp server, how about changing the smtp server so that it requires user+password authentication? That way, the server logs will contain the name of the user who actually sent the email. Next time the offending user sends a fake email you can look at the server logs and you will know which username sent it.

Edit: spelling


Last edited by capi on Sat Aug 30, 2008 3:22 pm; edited 1 time in total
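
What authenticated submission makes possible, as an added example that is not part of the original thread: once every message is tied to a login in the server log, messages whose sender address does not belong to that login can be flagged, along with any that were still accepted without authentication. The log format, the `ALLOWED` mapping and all names and addresses are constructed for illustration; real Exchange or MDaemon logs need their own parser.

```python
import re

# Constructed sample lines in a hypothetical key=value format (not a real
# Exchange or MDaemon log layout). auth=- means the session never authenticated.
SAMPLE_LOG = """\
2008-09-01T06:41:10 client=10.0.0.23 auth=asmith mail_from=asmith@corp.example header_from=asmith@corp.example
2008-09-01T06:52:47 client=10.0.0.57 auth=- mail_from=bjones@corp.example header_from=bjones@corp.example
2008-09-01T06:55:02 client=10.0.0.57 auth=cdoe mail_from=cdoe@corp.example header_from=bjones@corp.example
2008-09-01T07:03:30 client=10.0.0.23 auth=asmith mail_from=sales@corp.example header_from=sales@corp.example
"""

# Assumed mapping of login name -> addresses that account is allowed to send as.
ALLOWED = {
    "asmith": {"asmith@corp.example", "sales@corp.example"},
    "bjones": {"bjones@corp.example"},
    "cdoe": {"cdoe@corp.example"},
}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one log line into a dict: 'time' plus its key=value fields."""
    stamp, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["time"] = stamp
    return rec

def audit(log_text, allowed=ALLOWED):
    """Return (time, client, login, reason) for each sender not backed by the login."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        auth = rec.get("auth", "-")
        if auth == "-":
            # No AUTH: the claimed sender is unverifiable; only the client IP is known.
            findings.append((rec["time"], rec["client"], None, "unauthenticated submission"))
            continue
        may_use = allowed.get(auth, set())
        for field in ("mail_from", "header_from"):
            claimed = rec.get(field, "").lower()
            if claimed not in may_use:
                findings.append((rec["time"], rec["client"], auth, f"{field} claims {claimed}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The third sample line is the case from the thread: the envelope sender matches the login, but the `From:` header names a colleague, so both fields have to be compared against the authenticated account.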

moondoggie
Posted: Sat Aug 30, 2008 2:56 pm

I was just about to suggest the same thing as capi. If you do not already force authentication for sending mail, you should do it ASAP. I would also suggest forcing everyone to change passwords too, just in case the offending person is using someone else's password to gain access.

clonmac
Posted: Tue Apr 14, 2009 5:16 pm

In Exchange 2003, by default it requires authentication. So if requiring authentication is turned off, it must have gotten manually turned off at some point.

I agree with the others that you should require authentication to relay emails. You have a common problem with your email server being an open relay. If your internal users are able to send emails without authentication, then external users would be able to do so just as easily.

I would close off your open relay as soon as possible. Require authentication on your server. You also might want to check to see if your server is on any blacklists just to be sure your server wasn't being used to spam externally as well. Better safe than sorry.

What also could be the case is that someone (in your organization or outside of) has a virus that parsed the contacts list of the infected user. It then uses the addresses in the contacts list to spam out messages from. The virus has its own SMTP server to send emails from. In that case, your server has nothing to do with sending the incoming emails and they could originate from somewhere else.

If that is the case, then you may want to look into setting your mail server to accept incoming messages from SMTP servers that only have a valid PTR record for that IP address and domain. This can help cut down on spam messages like that.

All times are GMT + 2 Hours