Re: [Exim] SMTP Spoofing - Preventing Local Relaying

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] SMTP Spoofing - Preventing Local Relaying
On Tue, 04 Mar 2003 06:01:04 -0500 Craig wrote:

> Yep, you're correct, I'm a bit lost.. I've only been using Exim for
> maybe 6-7 weeks and I'm still getting accustomed to the differences
> between it and the Sendmail systems


OK. However, bear in mind that this discussion seems to be (mostly) about
the way mail works in general, rather than anything specific to Exim.

> So if I use RBL checking on my Exim setup - and Joe Spammer at
> mail.emailbargains.net wanted to send 1000 pieces of spam to
> postmaster@??? or user@??? - he could do so regardless
> of anything I do to try and stop him?


No, that's not correct. In fact, a fair amount of spam is direct-to-MX
spam (i.e. not sent via an ISP's smarthost) and it's perfectly possible to
stop it through a number of methods.

> If I'm using RBL checking and
> Joe tries to send his spam to my box from SMTP mail.emailbargains.net,
> it gets rejected at RCPT because mail.emailbargains.net shows up in
> spamhaus.org.
> --BUT-- Joe can get around any checks by simply setting his SMTP to
> myserver.com -then my system will accept his spam and hand it off to any
> domain/user on the server that he knows exists on the box


I assume you are implying here in this second case that Joe Spammer is
sending it direct from some DSL line, rather than actually from
mail.emailbargains.net. In that case, you're right that if you're just
blocking on SBL, unless his DSL line is listed in Spamhaus, Exim won't
stop that spam. But neither would Sendmail or any other mail server in a
similar configuration. Which is why you then use different ways of
blocking. You might, for example, use a dialup DNSBL of some sort, or just
blacklist his domain (if it's consistent across spams).

The bottom line, Craig, is that you're trying to draw a simple distinction
which doesn't exist and which NO mail server (including Exim or Sendmail)
can draw, that is, between:

a) spammer on DSL line with "outgoing SMTP" in a traditional mail client
set to your server

b) some new, colocated spamming server doing direct-to-MX spamming

There simply isn't any fundamental difference at an SMTP protocol level
between these. To your mailserver (be it Sendmail or Exim), it is just a
remote host trying to deliver mail. I must contend that if you think your
Sendmail installations (or any other server installs) are somehow
distinguishing between these without any kind of blocklist checking,
differences in strictness of rules or unusual ACL-type rules (e.g.
detecting subtleties such as HELO names), then you are mistaken.

(It could be, for example, that Joe Spammer is sending from an invalid
domain, and you have sender verification enabled in Sendmail but not in
Exim - this could cause the result you are seeing, but your interpretation
of it as Exim doing some non-existent kind of "local relaying" is wrong).

Quite simply, all this talk of "local relaying" and your server "handing
off mails to local domains" is meaningless, whatever software you're
running.

> Joe doesn't need a valid user-id or password from
> any domain on my system -the MTA will accept his spam and deliver it to
> any local domain that he addresses it to, if he knows it's on the box -
> he simply uses myserver.com as his SMTP server..


You're still missing the point. Assuming you have one server being an MX
for domainA.com, domainB.com etc., there is NO DIFFERENCE between Joe
Spammer using Outlook with "outgoing e-mail" set to that server, and some
random mailserver trying to deliver legitimate mail. If Joe Spammer had to
enter a username/password, how would ANY server in the world actually
deliver mail to your users? How would your server know when it was Joe
Spammer connecting and when it was some other mailserver (without using
some kind of IP-based blocking, as Suresh suggested)?

This is not "spoofing" or "relaying" in any sense.

> If I tried to do this with my Sendmail boxes -send mail
> using sendmail.myserver.com to domains housed on the sendmail box, I
> won't get very far.


I don't believe you, for the reasons outlined above. If you believe this
is not the case, then I think you have some key option (e.g. sender
verification) in Exim and Sendmail configured differently, and you are
misinterpreting the results of having that option set/unset.

To summarise: Exim can block everything your Sendmail server did (and
probably more besides if configured suitably). If you don't
believe/understand this, then I believe you still haven't *really*
understood what we're talking about.


Tim
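The distinction Tim describes, as an added Exim 4 ACL example that is not part of the original message or of Exim's own example configuration: one RCPT ACL accepts mail for the hosted domains from any host without a password, lets only listed hosts and authenticated clients relay elsewhere, and applies the DNSBL, sender-verification, HELO and sender-domain checks that actually tell Joe Spammer's DSL line apart from a legitimate MTA. The domain names, the relay network 192.168.1.0/24 and the dialup list dialups.example.net are placeholders (assumptions), not real services; sbl.spamhaus.org and emailbargains.net are the names the thread itself uses.

```exim
# Added example (not from the original message or the Exim distribution).
# Main section: the domains we host and the hosts allowed to relay through us.
# The domains and the 192.168.1.0/24 network are placeholders.
domainlist local_domains    = domainA.com : domainB.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.1.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own hosts, and any client that has authenticated, may send to any
  # domain. Nobody else reaches the bottom of this ACL with a non-local
  # recipient, so relaying without a password is impossible...
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # ...but a remote host delivering to a domain we host never needs one:
  # that is ordinary inbound mail, whether it comes from another MTA or from
  # Outlook on a DSL line. The checks below are what separate the two.

  # Connecting IP listed in the SBL, or in a dialup/dynamic-address list
  # (dialups.example.net is a placeholder for whichever list you use).
  deny    message  = $sender_host_address is listed at $dnslist_domain: $dnslist_text
          dnslists = sbl.spamhaus.org : dialups.example.net

  # A host that greets us with our own hostname is lying in HELO.
  deny    message   = HELO name $sender_helo_name is our own hostname
          condition = ${if eq{$sender_helo_name}{$primary_hostname}}

  # Blacklist a sender domain that is consistent across the spam.
  deny    message = sender domain blacklisted
          senders = *@emailbargains.net

  # Sender verification: the envelope sender's domain must be routable.
  require message = sender address $sender_address cannot be verified
          verify  = sender

  # Inbound mail for a hosted domain: accept if the local part exists.
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Anything else is an unauthenticated stranger trying to relay.
  deny    message = relay not permitted
```

Note that the `authenticated = *` line is not what stops relaying; the final `deny` is, and it is only reached for recipients outside `+local_domains`. Each `deny` above it applies equally to a colocated spam server and to a DSL line, which is the point of the message: the ACL never sees a "local relay", only a remote host and the checks you choose to run on it. `exim -bh 203.0.113.5` (a documentation address standing in for the spammer's IP) replays a simulated SMTP session and shows which ACL line fires for a given sender, HELO and recipient.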