Relay is Allowing messages from me to me.

Discussions on webmail and the Professional version.
A. C.

Post by A. C. » Mon Nov 17, 2003 2:02 pm

RBogan,

You wrote:
One day...as merk was checking his email...he noticed he was receiving mail from himself. He opened his inbox...and guess what? He had mail from "merk@clueless.com". WOW. As Merk knew he didn't send this email to himself...he became puzzled. Off he went to ME's forum in search of assistance.
And someone trying to be helpful without (like RBogan) being insulting, told him that it's simply because the FROM address was being spoofed.

With all due respect, I don't think you understand at all how SMTP works. Nothing in this thread to date has addressed the simple fact that FROM addresses (among other fields) can be easily spoofed, so sending someone an email that appears to be from themselves is trivially easy, and does not require some elaborate explanation of a theoretical bug in ME's relay settings.

If you have a given mail server running MailEnable, and relaying is enabled ONLY for authenticated users, then here's what happens:
  - Any mail sent to that mail server which is addressed to a domain that is local to that mailserver will be delivered, without any authentication requirement. This is the most likely scenario for what the original poster is describing, with the added bit that the spammer is spoofing the FROM address to look like their mail is sent from the recipient's own address.

  - Any mail sent to that mail server which is addressed to a non-local domain will require relay, and hence will require authentication. It doesn't matter at all what is in the FROM address field, as long as "Allow relay for local sender addresses" is not checked.

That's it. Those are the potential scenarios, assuming the relay settings I've described. So ask yourself which is more likely:
  - That someone has sent mail to the original poster with the FROM address spoofed so it looks like they sent it to themselves, and their mail server accepted it because all incoming mail to local domains is accepted. OR:

  - That there's a bug in the relay authentication for MailEnable, and some spammer is using it to send people mail from their own mailservers that looks like it's coming from their own address.

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

I see what you are getting at.

Post by imagin » Mon Nov 17, 2003 4:52 pm

Thanks for your response Guys,

I had decided to sit down and diagram this out so you could understand what I am asking, but during the diagram process I realized that you are right. This is not a relay or authentication issue. Simply because it's dealing with incoming mail only. They never did send it from my server. They just sent it to appear as if it was from my own email address. So... now that I understand what is happening I have fit the whole explanation into a simple IF Statement.

The Explanation:
---------------------------------------------

Code:

On Receive (via SMTP)
       If "From" (email address) is a Local Account...
              Then verify that it was sent from that Local Account owner (*)
              If Not sent from the account owner then delete (cause it's a Spammer).
       Elseif "From" (email address) is not Local...
              Just Let it through (cause it's an outsider).
* You can verify the sender by checking to see if, when it was sent, the user was authenticated on our server. Or possibly by some messageID that is transmitted, verifying that the same messageID was generated by an authorized sender.

I'm told this is possible by using the pickup event in the MTA. I'm going to do a few tests and get back with you.

Please let me know what you think.
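The relay rules A. C. lists and the local-sender check proposed in the post above, side by side, as an added example that is not from the thread or from MailEnable. The domain names, the `Session` fields and the choice of the envelope sender as the "From" being checked are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed: stands in for the domains hosted on the server.
LOCAL_DOMAINS = {"example.test"}

@dataclass
class Session:
    label: str
    authenticated: bool   # did the client complete SMTP AUTH?
    mail_from: str        # envelope sender (assumed to be the "From" being checked)
    rcpt_to: str          # envelope recipient

def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def relay_policy(s: Session) -> str:
    """Baseline: relay for authenticated users only; the sender is never consulted."""
    if is_local(s.rcpt_to):
        return "accept"                       # local delivery, no auth required
    return "accept" if s.authenticated else "reject"   # relay requires auth

def local_sender_filter(s: Session) -> str:
    """Proposed rule: a local sender address must come from an authenticated session."""
    if relay_policy(s) == "reject":
        return "reject"
    if is_local(s.mail_from) and not s.authenticated:
        return "reject"
    return "accept"

# Constructed sessions covering the cases argued over in the thread.
SESSIONS = [
    Session("spoofed self-addressed mail", False, "bob@example.test", "bob@example.test"),
    Session("ordinary inbound mail", False, "alice@other.test", "bob@example.test"),
    Session("local user, authenticated", True, "bob@example.test", "bob@example.test"),
    Session("local user via ISP's server", False, "bob@example.test", "carol@example.test"),
    Session("unauthenticated relay attempt", False, "bob@example.test", "dave@other.test"),
]

def compare(sessions):
    """Return {label: (baseline verdict, verdict with the filter)}."""
    return {s.label: (relay_policy(s), local_sender_filter(s)) for s in sessions}

if __name__ == "__main__":
    for label, (base, filtered) in compare(SESSIONS).items():
        print(f"{label:32} baseline={base:7} with_filter={filtered}")
```

The fourth row is the trade-off raised later in the thread: mail that a local user legitimately sends through another provider's SMTP server arrives unauthenticated and is rejected by the filter along with the spoofed mail.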

rich@thefoz

Post by rich@thefoz » Mon Nov 17, 2003 4:57 pm

hehe..

cassius
Posts: 338
Joined: Tue Mar 11, 2003 2:29 pm
Location: Indianapolis, IN

Post by cassius » Wed Nov 19, 2003 3:31 pm

I haven't posted in a while, because... well, mainly because I didn't want to deal with RBogan telling me I didn't know what I was talking about on nearly every issue. But when he's giving out misinformation...

Let me put it very simply for all of you who are no doubt very confused about this whole issue after all this arguing.

In the same way that every other reputable mail server follows the smtp protocol --

***** MailEnable does not distinguish between a mail ORIGINATING on your server addressed to a local user, and an incoming mail from a FOREIGN server addressed to a local user on your domain. *****

This is because of the way SMTP works. When a spammer connects to your server and sends a mail from anyone@anywhere.com to user@yourdomain.com -- they make an smtp connection, say the from and to addresses, send the body data, and disconnect. This works for any from address, whether it's user@yourdomain.com or bgates@msn.com, as explained by the other way to receive mail (not local):

When a legitimate user sends an e-mail from anyone@anywhere.com through THEIR e-mail server to user@yourdomain.com, guess what THEIR e-mail server does? It then makes an SMTP connection to YOUR server, says the from and to addresses, sends the body data, and disconnects.

IT IS THE EXACT SAME PROCESS.
MAILENABLE HAS NO WAY TO TELL IF AN SMTP CONNECTION IS COMING FROM AN E-MAIL CLIENT (like outlook) OR FROM AN E-MAIL SERVER.

If a message comes in through the SMTP connector and is addressed to someone in your domain, it WILL be allowed. If you try to prevent one of the above situations, you're going to prevent the other one as well -- net result, you get no e-mail from the internet.

If that's what you were WANTING, then you could set up an intranet server, which is why some people suggested that.

There's no way to distinguish between the two situations, unless you specify IPs that are allowed to use the SMTP service. And if you do that with security in mind, you're going to deny by default except for exception IPs, with the same result -- no e-mail from the internet.

That is why all of this has NOTHING to do with relaying. Nada. Zilch. Relaying is talking about who is allowed to use YOUR server to send to OTHER servers.

Bottom line for those who skipped the details -- Any smtp connection to your server that is trying to send mail to a local user will be allowed, period. That is the way e-mail is designed to work.

That is why this is NOT a bug in MailEnable. Every other e-mail server I know of functions in the same way, because the functionality is DEFINED in the smtp protocol/RFC.

Thanks, please drive through =)

~Cassius

David Payer

Re: I see what you are getting at.

Post by David Payer » Wed Nov 19, 2003 4:40 pm

imagin wrote: If "From" (email address) is a Local Account...
Then verify that it was sent from that Local Account owner (*)
* You can verify the sender by checking to see if, when it was sent, the user was authenticated on our server. Or possibly by some messageID that is transmitted, verifying that the same messageID was generated by an authorized sender.
This isn't what you said you wanted though. You wanted someone from your domain to be able to SEND mail from anywhere on the net (which would arrive on your server relayed through the SMTP server they were using on their ISP connection at home or at another location).

If you want them to be able to do that, their mail will NOT be authenticated as it is sent to your server, but it WILL be received because that is the nature of SMTP.

Again, it appears more and more that you do NOT want an Internet server, you want the qualities of an INTRANET server and MailEnable can be setup that way if you desire.

If you ONLY want people to send mail to you by setting up your mailenable as their smtp server, that can be done easily. You will NOT be able to accept mail from other Internet servers though as that could not be authenticated. So your users could use any net connection but they could NOT use the email server of that connection, they could ONLY use your connection.

If interested, I will (repeat) how to do that.

David Payer

David Payer

wow you didn't read this guy

Post by David Payer » Wed Nov 19, 2003 4:46 pm

Dude...honestly...what's so hard about this? OF COURSE AUTHENTICATING APPLIES TO OUTGOING EMAIL...

The user is AUTHENTICATING (or exploiting) to send email OUT from the server...........TO THE SERVER........as the same account is sending email (an action that REQUIRES AUTHENTICATION) to itself.....(an action that DOES NOT require authentication).
RB: this whole thing was about the original poster RECEIVING mail to his account from someone using his address as the reply to address.

He NEVER SAID someone was sending mail out from his server. He stated that he was upset for the "security breach" because he RECEIVED mail addressed to a valid account simply because it came from someone saying they were that same account.

This whole issue was about receiving mail addressed to a valid account, not about relaying mail through the server.

David P.

Slicer101
Posts: 95
Joined: Fri Jun 27, 2003 9:26 pm
Location: Houston, TX

Post by Slicer101 » Mon Nov 24, 2003 4:04 pm

Oh My :D

I have this same issue and the way that I am addressing it is to simply go through the log files and find the IP Address of the worthless idiot that is doing this and adding them to my local DNS blacklist. I have seen the comment that there is no header information and this is not true. Every one of the e-mails like this has a time and date on it. I only need to go to that location in the log files and look for something to me from me and there is the IP address of the A-Hole. Bang, he is blocked.

Yes, it is a pain. But that is all part of being an Admin. Whenever someone comes out with something that works, someone is also going to find a way to get around it. No matter what. I do feel that this is a bug of sorts, but I also feel that the ME guys will find a way to fix it. It is just going to take a little time. I did not see this till the 1.13 release, so I am looking forward to the next release to possibly plug the hole back up.

Everyone take a deep breath, let it out, chug that beer and relax.

Later

Slicer

whiteknight
Posts: 19
Joined: Tue Nov 18, 2003 6:17 am
Location: Singapore

Here is what I gathered from my logs

Post by whiteknight » Tue Dec 02, 2003 10:17 am

Hi!
I noticed that many of you have this problem, and so do I.
After examining the logs I have found this consistency.

1) Every time the message with the FROM field outside of the local domains, the connection requires authentication.

2) When the message with the FROM field in the local domains, and the TO field also in the local domains, the connection DOES NOT require authentication.

3) I still have not found an occurrence with the FROM field in the local domain and the TO field outside of the local domains.

I would find that item 2 is not very consistent with the settings of the program as there is also a setting to allow relay for local users, which fits that description. I would expect that if I choose authentication required, then only local IP connections do not require authentication, but all remote IPs require authentication regardless of the sender and recipient. I will highlight this to mailenable support to confirm this.

I hope that the information is useful

Terrence
White Knight
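The log review described in the two posts above (finding unauthenticated "to me from me" deliveries and the IP address behind them), as an added example that is not from the thread. The log layout is a constructed, simplified format and not MailEnable's actual SMTP log format; the addresses, session ids and IPs are sample values.

```python
import re
from collections import defaultdict

# Constructed: stands in for the domains hosted on the server.
LOCAL_DOMAINS = {"example.test"}

# Constructed sample log: "date time client_ip session_id command".
SAMPLE_LOG = """\
2003-11-24 09:14:02 203.0.113.45 S1 EHLO mail.invalid
2003-11-24 09:14:02 203.0.113.45 S1 MAIL FROM:<bob@example.test>
2003-11-24 09:14:03 203.0.113.45 S1 RCPT TO:<bob@example.test>
2003-11-24 09:20:10 192.0.2.10 S2 EHLO laptop
2003-11-24 09:20:10 192.0.2.10 S2 AUTH LOGIN OK
2003-11-24 09:20:11 192.0.2.10 S2 MAIL FROM:<bob@example.test>
2003-11-24 09:20:11 192.0.2.10 S2 RCPT TO:<bob@example.test>
2003-11-24 09:31:40 198.51.100.7 S3 MAIL FROM:<alice@other.test>
2003-11-24 09:31:41 198.51.100.7 S3 RCPT TO:<bob@example.test>
2003-11-24 09:40:00 203.0.113.45 S4 MAIL FROM:<carol@example.test>
2003-11-24 09:40:01 203.0.113.45 S4 RCPT TO:<carol@example.test>
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")
ADDR = re.compile(r"<([^>]*)>")

def self_addressed_unauth(log_text):
    """Return {client_ip: [(timestamp, address), ...]} for unauthenticated
    sessions whose envelope sender equals a local envelope recipient."""
    sessions = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that do not fit the layout
        ts, ip, sid, cmd = m.groups()
        state = sessions.setdefault(sid, {"auth": False, "sender": None})
        upper = cmd.upper()
        if upper.startswith("AUTH") and upper.endswith(" OK"):
            state["auth"] = True          # session authenticated from here on
        elif upper.startswith("MAIL FROM:"):
            a = ADDR.search(cmd)
            state["sender"] = a.group(1).lower() if a else None
        elif upper.startswith("RCPT TO:"):
            a = ADDR.search(cmd)
            rcpt = a.group(1).lower() if a else ""
            if (not state["auth"] and rcpt and rcpt == state["sender"]
                    and rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS):
                hits[ip].append((ts, rcpt))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in self_addressed_unauth(SAMPLE_LOG).items():
        print(ip, events)
```

The authenticated self-addressed session (S2) and the ordinary inbound message (S3) are not flagged; only the source of S1 and S4 is returned as a blocklist candidate.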

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

I have also found...

Post by imagin » Tue Dec 02, 2003 5:36 pm

I have also found that the actual message file itself contains 2 or more "Received: from" in the header if it's from an outside (non local) user. It only shows 1 "Received: from" if it's sent from a valid local user.

I'm working on developing a simple (fast) filter for the MTA pickup event that will stop this sending to self from self problem.

I'm not promising anything yet, because testing is crucial, but if anyone sees any discrepancy to what I'm finding, please let me know.

30 minds are greater than 1!

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Tue Dec 02, 2003 7:15 pm

Oh...but guys...that's the way SMTP is "supposed to work"...

(rolls eyes in a big way - again)

I hope the couple of you that actually understand this issue are able to

1) Convince someone "important" there is a bug.

2) Motivate that "important" person towards fixing it.

Thanks for the valuable input!

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Smiles

Post by imagin » Tue Dec 02, 2003 8:51 pm

RBogan,

Relax... We know how SMTP servers are supposed to work.

I'm only gonna stop messages that are sent "to a local user from that local user email address" If it was not sent by that local user.

I'm sure you will agree that 100% of any email messages sent to a local user from his own address (without himself sending it) is 100% spam.

I'm still going to allow message sent to himself from himself by himself go through. Also... any other inbound mail will come through.

Also... note: That we know this is NOT a BUG, but it's not a desired feature of SMTP so we are simply resolving this issue.

Oh.. and "I've been testing my code for a week now and have had wonderful success." All systems are running as they should be. (all thumbs up)

Does this help you understand?

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Tue Dec 02, 2003 10:50 pm

Well...all I know is remote (and foreign to the server) users should not be able to auth to the SMTP server as a local user and send mail from "artificial" local accounts to legitimate local accounts.

My servers are not open relays...yet they continue to allow open relaying. I'd call this a pretty serious bug. I understand the rather "dumb" nature of SMTP servers...unless of course, you make them smarter with security policies, authentication methods, and/or add-on plugins.

If ME was perfect...I would never be able to auth to "your server" and spoof local addresses in order to spam your users. Especially if you have a closed relay system requiring authentication to send outgoing email. Of course, we're almost completely ignoring the fact that disallowing local relaying doesn't prevent this activity either. It's almost as if there's no real security process within ME.

On "paper"...I'm as shutdown as I can functionally be...while not making it incredibly difficult on my domains and domain users to send and receive email...yet...somehow...jackasses that like to spam have no problem busting ME security precautions.

BTW...I'm constantly adding ip addresses to the "do not allow" list...but it gets old that these jackasses constantly get in to begin with. Once manually added to the list...they no longer offend the server...but my point is.....they shouldn't be ABLE to do this to begin with.

*sigh*

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Re: Smiles

Post by RBogan » Tue Dec 02, 2003 10:54 pm

imagin wrote:RBogan,

Relax... We know how SMTP servers are supposed to work.

I'm only gonna stop messages that are sent "to a local user from that local user email address" If it was not sent by that local user.

I'm sure you will agree that 100% of any email messages sent to a local user from his own address (without himself sending it) is 100% spam.

I'm still going to allow message sent to himself from himself by himself go through. Also... any other inbound mail will come through.

Also... note: That we know this is NOT a BUG, but it's not a desired feature of SMTP so we are simply resolving this issue.

Oh.. and "I've been testing my code for a week now and have had wonderful success." All systems are running as they should be. (all thumbs up)

Does this help you understand?
Gonna try to break this down for you...so you'll understand MY POINT...

I should always be able to send email from myself...TO MYSELF on my ME servers. That's a DESIRED...and LEGITIMATE function of not only ME, but any SMTP server. Only focusing on this fact is to completely miss my point, problems, and BUGS I'm talking about.

I should NOT be able to auth to YOUR server...and send email FROM YOU...TO YOU. That's what's happening...that's the bug. Period. I don't know your password...I shouldn't be able to auth against your server to send mail to local *OR* remote users.

Got it now?

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Re: Smiles

Post by merk » Tue Dec 02, 2003 11:39 pm

RBogan wrote:Gonna try to break this down for you...so you'll understand MY POINT...

I should always be able to send email from myself...TO MYSELF on my ME servers. That's a DESIRED...and LEGITIMATE function of not only ME, but any SMTP server. Only focusing on this fact is to completely miss my point, problems, and BUGS I'm talking about.

I should NOT be able to auth to YOUR server...and send email FROM YOU...TO YOU. That's what's happening...that's the bug. Period. I don't know your password...I shouldn't be able to auth against your server to send mail to local *OR* remote users.

Got it now?
No one had authenticated in this case though. They only authenticate when they try to use your smtp server to send email to a user that is not on your smtp server ... to some other domain out on the net. The 'bug' you keep complaining about is a 'bug' that every single smtp server on the net has.

It seems like it should be something that could be easily changed so that if someone tries to send email as a local user even to another local user that it should require authentication ... but that would only work if they connect directly to your smtp server. It would not work if they used another smtp server to send the mail.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Re: Smiles

Post by RBogan » Tue Dec 02, 2003 11:47 pm

merk wrote:
RBogan wrote:Gonna try to break this down for you...so you'll understand MY POINT...

I should always be able to send email from myself...TO MYSELF on my ME servers. That's a DESIRED...and LEGITIMATE function of not only ME, but any SMTP server. Only focusing on this fact is to completely miss my point, problems, and BUGS I'm talking about.

I should NOT be able to auth to YOUR server...and send email FROM YOU...TO YOU. That's what's happening...that's the bug. Period. I don't know your password...I shouldn't be able to auth against your server to send mail to local *OR* remote users.

Got it now?
No one had authenticated in this case though. They only authenticate when they try to use your smtp server to send email to a user that is not on your smtp server ... to some other domain out on the net. The 'bug' you keep complaining about is a 'bug' that every single smtp server on the net has.

It seems like it should be something that could be easily changed so that if someone tries to send email as a local user even to another local user that it should require authentication ... but that would only work if they connect directly to your smtp server. It would not work if they used another smtp server to send the mail.
Yes...I've been saying that I have had this problem........

I GET EMAIL FROM USERS ON MY SMTP SERVER TO ACCOUNTS THAT ARE NOT SERVED BY MY SMTP SERVER.

FOR INSTANCE...YET AGAIN...A FOREIGN USER AUTHS TO MY SMTP SERVER TO SEND MAIL TO MY ISP ADDRESS. THIS SHOULD NOT BE ABLE TO HAPPEN.
