
SMTP Mail Forgery Vulnerability


fischste

Oct 10, 2006, 11:56:01 AM
I have a low risk vulnerability on an Exchange server. The report states the
SMTP server accepts any domain name in the HELO command. What can I do to
correct this issue?

Thanks

Mark Arnold [MVP]

Oct 10, 2006, 1:09:01 PM

Which report is this then?

fischste

Oct 10, 2006, 1:26:01 PM
This report came from an outside network security company who runs Secure
Scout and generates a monthly vulnerability assessment report. The report
states it is a low risk vulnerability because the HELO command accepts a fake
domain name. I hope this answers your question.

Ed Crowley [MVP]

Oct 10, 2006, 2:36:08 PM
Don't worry about it.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"fischste" <fisc...@discussions.microsoft.com> wrote in message
news:3686272A-AAAD-4824...@microsoft.com...

fischste

Oct 10, 2006, 2:53:03 PM
I would like to not worry about it but what can I tell my client who is a
financial institution and has bank auditors reading these vulnerability
reports?

Ed Crowley [MVP]

Oct 10, 2006, 3:14:59 PM
Tell them not to worry about it.

--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"fischste" <fisc...@discussions.microsoft.com> wrote in message

news:0D71D544-B04A-41B2...@microsoft.com...

Peter Lawton

Oct 10, 2006, 3:42:31 PM
Did they say what HELO domain names they expect you to accept?

You can't insist that the HELO matches the sender email domain, as it often
doesn't; the SMTP RFCs aren't very strict about what a HELO can and can't
be.

What you could do is use some 3rd party software that can filter on HELO and
insist that it's RFC compliant, plus a lot of other criteria; however, banks
often get very paranoid that they might be rejecting legitimate email.
As with most filtering for spam etc., you can never achieve a 100% block rate
with a 0% false positive rate; it's always a balance made depending on your
circumstances. Banks usually go for 0% false positives and won't even
publish SPF/Sender ID records (which is a shame, as they're the ones who
suffer from most phishing attacks).

You can probably head the auditors off if you point out that although you
can implement very strict SMTP acceptance rules, you will inevitably end up
rejecting some legitimate email ;-)

Peter Lawton

"fischste" <fisc...@discussions.microsoft.com> wrote in message

news:0D71D544-B04A-41B2...@microsoft.com...

James Chong

Oct 10, 2006, 4:02:02 PM
>Did they say what HELO domain names they expect you to accept?

Good question. I'm wondering if the message from the report is really
saying that it's not validating HELO lookups, rather than that it's accepting
any domain name.

James Chong

fischste

Oct 11, 2006, 10:11:03 AM
James,
The "solution" in the report states the SMTP server should check if the
information received in the HELO command is valid. They sent the following
command to the server, "HELO Fake_Domain", and the server responded to the
command.

Pedro Leite

Oct 11, 2006, 10:48:03 AM
Good afternoon,

Sorry, but I couldn't resist.

The "solution" reminded me of a joke:

There was this guy in a hot air balloon, lost over a city. When he was over a
rooftop, he shouted to the lady on it: "PLEASE, TELL ME WHERE I AM??"
She said, "Well, you are inside the basket of a hot air balloon, hovering at
about 150 ft over the Whatever Corp building, roughly at 42º 45' N and 12º
76' W."
He says, "Thank yooouuu very much, I bet you are a technician. You gave me a
totally technically correct answer but made me waste my time, and I am no
better off than before; actually, I'm even worse, as I can't figure out how to
land."
"Hmmmmm," she says, "I bet you are a manager. I gave a technically correct
answer. All the data was accurate. You didn't understand any of it. Your
situation is no better than before, and somehow it's already my fault!!!!!"

Insist with them. If they audit, they must also give corrective feedback:
what should be the proper reply and action to fake_domain?

Cheers,

Pedro Leite from Portugal.

-------------------------------------------------------------
"fischste" <fisc...@discussions.microsoft.com> wrote in message
news:AAC8CBB7-0B7F-4FDD...@microsoft.com...

Peter Lawton

Oct 11, 2006, 2:58:16 PM
Well, if you want to do some heavy filtering on SMTP, try ORF; you can filter
on HELO plus a lot more. Really excellent product, we use it for all our spam
filtering.

www.vamsoft.com

Peter Lawton

"fischste" <fisc...@discussions.microsoft.com> wrote in message

news:AAC8CBB7-0B7F-4FDD...@microsoft.com...
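An added example, not code from this thread, from Exchange or from ORF: it turns Peter Lawton's suggestion of filtering for an RFC-compliant HELO into a small policy check and runs it over the scanner's "HELO Fake_Domain" string alongside constructed sessions, showing why a HELO that merely differs from the sender's domain is accepted rather than rejected. The hostnames and sender domains in SAMPLES are constructed for illustration; the syntax rules follow RFC 5321's domain and address-literal grammar.

```python
import ipaddress
import re

# One RFC 5321 "sub-domain" label: letters and digits, hyphens only inside.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def helo_syntax_problem(arg: str):
    """None if arg is a valid HELO/EHLO argument (FQDN or bracketed
    address literal per RFC 5321), otherwise a short reason."""
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        try:
            if literal.startswith("IPv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return None
        except ValueError:
            return "malformed address literal"
    labels = arg.split(".")
    if len(labels) < 2 or not all(labels):
        return "not a fully-qualified domain name"
    bad = [lab for lab in labels if not _LABEL.match(lab)]
    if bad:
        return f"invalid label {bad[0]!r} (only letters, digits, hyphens allowed)"
    return None

def helo_verdict(helo: str, mail_from_domain: str):
    """Reject only on broken syntax. A HELO that differs from the MAIL FROM
    domain is normal (outsourced or multi-domain senders) and is accepted;
    RFC 5321 also says a HELO/client-address mismatch alone must not reject."""
    problem = helo_syntax_problem(helo)
    if problem:
        return ("reject", problem)
    if not helo.startswith("[") and helo.lower() != mail_from_domain.lower():
        return ("accept", "HELO and MAIL FROM domains differ; not a reason to reject")
    return ("accept", "ok")

# Constructed samples (not from the thread's scan), incl. the scanner's "Fake_Domain".
SAMPLES = [
    ("Fake_Domain", "example.com"),
    ("fake_host.example.com", "example.com"),
    ("mail.example.net", "example.com"),
    ("[192.0.2.10]", "example.org"),
    ("localhost", "example.com"),
]

def run_samples():
    return {helo: helo_verdict(helo, dom) for helo, dom in SAMPLES}
```

Only the first two samples and "localhost" fail the syntax check; the remaining sessions are accepted even though their HELO does not match the sender domain.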
