Subject: RE: Sending FROM accounts in domain even with authentication enabled
Date: Fri, 26 Jun 2009 13:29:41 -0400
From: "David Modoski"
To: "CommuniGate Pro Discussions" <CGatePro@mail.stalker.com>

Good point. I never realized that. I thought that the From:/To: fields were populated from the MAIL FROM and RCPT TO entries that are passed to the mail server.

From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Nicolas Hatier
Sent: June 26, 2009 12:01 PM
To: CommuniGate Pro Discussions
Subject: Re: Sending FROM accounts in domain even with authentication enabled

"MAIL FROM" is an SMTP command, not a mail header... The DATA portion of the SMTP transaction is usually left mostly unmodified on its way to the client. Some additional headers are added (Return-Path, which corresponds to the MAIL FROM SMTP command, Received, and other headers added by content filters).

You should never rely on the From header to programmatically determine where a message comes from, always on the Return-Path. The From is easily forged. The Return-Path too, but at least it can't be forged to an internal address when SMTP Auth is enabled.

One notable exception is when using a content filter such as DKIM/DomainKeys. DomainKeys will read the reported "From" address and verify whether the message signature matches the "From domain" public key. And if there is no signature, it will verify whether or not the "From domain" publicly announces that it always signs messages. Using such a filter is another step against impersonation, which is what you currently seem to be aiming for.

Best regards
Nicolas Hatier

David Modoski wrote:

Never mind, I figured out the reason, though not sure if there's a way to prevent it.

Apparently you can issue the "MAIL FROM:" command with an outside email address and then later in the transaction, after issuing the DATA command, you can insert a FROM: within the data portion which appears to override the "MAIL FROM:" in the header. The only indication is in the long header where the "Return Path" is set to the real email address submitted.

-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of David Modoski
Sent: June 26, 2009 9:27 AM
To: CommuniGate Pro Discussions
Subject: Re: Sending FROM accounts in domain even with authentication enabled

I understand that concept. However, this does not apply to email originating from our server. I can require that all of OUR users authenticate before they are allowed to submit email (any other domain on the Internet can submit email without authentication). This does work because, as I stated, when I connect to the SMTP port and send the FROM command with an account within our domain I immediately get a notification that the account requires authentication before submitting email. I don't understand how the spammers appear to be bypassing this. I'll need to check out the server logs to see if I can find any additional information.

The exact error message when using a CGP domain account:

575 david.modoski@mydomain.com sender requires authentication

-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Lyle Giese
Sent: June 26, 2009 8:21 AM
To: CommuniGate Pro Discussions
Subject: Re: Sending FROM accounts in domain even with authentication enabled

David Modoski wrote:

We have authentication enabled for all of our CGP accounts for sending email. This requires that the account holder authenticate to the server before submitting mail. I've tested by connecting to the SMTP port and using a FROM address within our domain (I'm informed by the server that this account needs to authenticate before sending mail). However, I've just started receiving SPAM that is addressed FROM an email account within the domain. Anyone have any ideas how that might be getting through?

Thanks,
Dave

This requirement is for relaying email, not sending email. You may say, what's the difference? Relaying means the email will be relayed/sent to another email server. Sending can include email for here.

If you required Authentication for all email, you would be unable to get email from the world, as other mail servers won't be able to send email to your domains.

Lyle Giese
LCR Computer Services, Inc.

--
Nicolas Hatier <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com
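The exchange the thread describes, as an added example that is not part of the original post and not CommuniGate Pro's code. It assumes mydomain.com as the hosted domain and spammer.example as the sender's domain, and the SMTP script and the two sample messages are constructed for the demonstration. The toy server enforces only the rule David tested (a local-domain MAIL FROM without SMTP AUTH gets a 575) and, like the real server, ignores whatever From: header arrives inside DATA; the second function then applies Nicolas's advice to a delivered message by comparing the Return-Path stamped on delivery with the header From:.

```python
"""Envelope sender vs. header From:, as discussed in the thread above.

Constructed example, not code from the thread or from CommuniGate Pro.
The hosted domain (mydomain.com), the sender domain (spammer.example),
the SMTP script and the sample messages are all assumptions.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: domains this server hosts


def domain_of(addr):
    """Lower-cased domain of '"Name" <user@host>' or 'user@host'; '' if none."""
    _, addr_spec = parseaddr(addr or "")
    return addr_spec.rpartition("@")[2].lower()


def run_session(lines, authenticated, local_domains=LOCAL_DOMAINS):
    """Replay a client-side SMTP script against a toy server that enforces
    only the rule David tested: MAIL FROM in a local domain without SMTP
    AUTH is refused with a 575. Returns one server reply per command
    (body lines inside DATA get none; the terminating '.' gets one).

    The DATA phase is not inspected at all, which is the gap the thread
    identifies: a From: header placed inside DATA is just message content.
    """
    replies, in_data = [], False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 Message accepted")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            sender = arg.partition(":")[2].strip()
            if domain_of(sender) in local_domains and not authenticated:
                replies.append(
                    f"575 {sender.strip('<>')} sender requires authentication")
            else:
                replies.append("250 Sender accepted")
        elif verb == "DATA":
            in_data = True
            replies.append("354 Enter mail, end with '.' on a line by itself")
        elif verb == "QUIT":
            replies.append("221 Bye")
        elif verb in ("EHLO", "HELO", "RCPT"):
            replies.append("250 OK")
        else:
            replies.append("500 Unrecognised command")
    return replies


def classify(raw_message, local_domains=LOCAL_DOMAINS):
    """Compare the Return-Path the server stamped on delivery (the envelope
    MAIL FROM, which, as Nicolas notes, cannot be a local address unless
    the client authenticated) with the header From: the client wrote.
    A local From: over an external Return-Path is the spam David saw."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    from_dom = domain_of(str(msg["From"] or ""))
    if not rp_dom:
        verdict = "no-return-path"  # null sender (bounce) or not yet delivered
    elif from_dom in local_domains and rp_dom not in local_domains:
        verdict = "header-from-spoof"
    else:
        verdict = "ok"
    return {"return_path": rp_dom, "from": from_dom, "verdict": verdict}


# Constructed client script reproducing what David described: an external
# envelope sender (so no auth is demanded), then a local From: inside DATA.
SPAM_SCRIPT = [
    "EHLO spammer.example",
    "MAIL FROM:<bounce@spammer.example>",
    "RCPT TO:<someone@mydomain.com>",
    "DATA",
    'From: "David Modoski" <david.modoski@mydomain.com>',
    "To: someone@mydomain.com",
    "Subject: hello",
    "",
    "body",
    ".",
    "QUIT",
]

# Constructed copies of what would land in the mailbox afterwards.
SPOOFED = b"""Return-Path: <bounce@spammer.example>
From: "David Modoski" <david.modoski@mydomain.com>
To: someone@mydomain.com
Subject: hello

body
"""

INBOUND = b"""Return-Path: <alice@partner.example>
From: Alice <alice@partner.example>
To: someone@mydomain.com
Subject: hello

body
"""

if __name__ == "__main__":
    print(run_session(["MAIL FROM:<david.modoski@mydomain.com>"], False))
    print(run_session(SPAM_SCRIPT, False))
    print(classify(SPOOFED))
    print(classify(INBOUND))
```

Treat `header-from-spoof` as a signal rather than a verdict on its own: mailing lists and forwarders also deliver mail with a local From: over an external Return-Path, so on a real server this check belongs behind an allow-list or, better, is replaced by the signature check Nicolas describes, where the From: domain's own DKIM/DomainKeys policy decides whether an unsigned message claiming that domain is acceptable.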