[Full-disclosure] Full-Disclosure Digest, Vol 39, Issue 25

Jesse Bacon dread.roberts at gmail.com
Mon May 12 14:01:49 BST 2008


To get rid of spoofed internal emails you need to use iptables at your
routers and firewalls to disable SMTP (TCP 25) traffic from any host other
than your dedicated mail servers.  Set a default policy of DENY for SMTP
traffic and then an ALLOW declaration for each of the mail servers in your
organization.  Additionally, disable telnet login for your mail server.  The
use of a security product such as Security Blanket TM (www.trustedcs.com) on
your in-house Linux machines will help as well.  As for the issue with
spoofed external e-mails using internal addresses, I recommend looking for
security measures that are home-brewed.  For example, you could create a
transparent gif that contains a security code and embed it in the
signature of all e-mails originating within your infrastructure.  Then use
a simple script to check for the existence of that file upon receipt.  If
the email does not contain that file then drop it before delivery.  Also you
could require PGP signatures.
-Jesse


>
> Message: 13
> Date: Mon, 12 May 2008 09:25:42 +0300
> From: "shadow floating" <nadengine at googlemail.com>
> Subject: [Full-disclosure] exchange server spam problem
> To: full-disclosure at lists.grok.org.uk
> Message-ID:
>        <5c1b7500805112325r7df9ec86gc9323621a15f0687 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I've recently found many suspicious emails sent from the internet
> to the internal clients using the sender address as a legitimate email
> address of one of the internal users. Do you know how to configure
> Exchange server to stop such emails (by authenticating users before
> sending, for example)? I also suffer from internal email spoofing,
> in which users send each other spoofed internal emails. Any help
> would do.
> Thanks a lot
>
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 39, Issue 25
> ***********************************************
>
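
The default-deny SMTP policy described in the reply above, written out as an added example (it is not part of the original message). The chain name `SMTP_FILTER`, the internal interface `eth1` and the 192.0.2.x mail server addresses are assumptions; only SMTP forwarded from the internal interface is filtered.

```shell
#!/bin/sh
# Added example: default-deny for forwarded SMTP (TCP 25) from internal hosts,
# with an allow rule per dedicated mail server.
# Override IPT (e.g. IPT=echo) to review the rules without applying them.
IPT="${IPT:-iptables}"
CHAIN="SMTP_FILTER"            # hypothetical chain name
LAN_IF="${LAN_IF:-eth1}"       # assumed internal-facing interface

smtp_lockdown() {
    # Refuse an empty allow list: it would block all outbound mail.
    if [ "$#" -eq 0 ]; then
        echo "usage: smtp_lockdown MAIL_SERVER_IP..." >&2
        return 2
    fi

    # Create the chain, or flush it if it already exists, so re-runs are idempotent.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN" || return 1

    # ALLOW: one rule per dedicated mail server.
    for srv in "$@"; do
        $IPT -A "$CHAIN" -s "$srv" -j ACCEPT
    done

    # DENY the rest; the rate-limited LOG rule identifies hosts attempting direct SMTP.
    $IPT -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "SMTP-DENY: "
    $IPT -A "$CHAIN" -j DROP

    # Hook the chain into FORWARD once; -C tests whether the rule is already there.
    $IPT -C FORWARD -i "$LAN_IF" -p tcp --dport 25 -j "$CHAIN" 2>/dev/null ||
        $IPT -I FORWARD 1 -i "$LAN_IF" -p tcp --dport 25 -j "$CHAIN"
}

# Apply only when addresses are given on the command line, e.g.
#   sh smtp_lockdown.sh 192.0.2.10 192.0.2.11     (constructed addresses)
if [ "$#" -gt 0 ]; then
    smtp_lockdown "$@"
fi
```

The LOG lines carry the source address of each blocked connection, which is a quick way to find workstations that try to speak SMTP directly instead of going through the mail servers.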

