Autor: Pol Padrisa Datum: To: Exim-users Betreff: [exim] FAKE SENDERS
Hello,
We are having some mail-from rewriting spam / phishing problems and it
also happens in all mail servers we checked. The point is that the
attacker uses 2 different accounts, the first one must be from an
existing domain (if domaincheck is enabled) and with no-spf record the
second one can be a faked / invented non existent (or existent) domain.
The attacker uses the first address to pass throw domain validation (the
domain exists) and SPF checks (the domain has no record so SPF result is
'neutral'). After opening a smtp connection in the DATA command the
attacker rewrites the From address to whatever he wants.
Let's see an example:
telnet 209.85.229.27 25
EHLO gmail.com
250-mx.google.com at your service, [87.216.180.248]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES
MAIL FROM:<sender@???> (ANY VALID DOMAIN WITH NO SPF
RECORD - 1st ACCOUNT)
250 2.1.0 OK w4si8042957weq.167
RCPT TO:<recipient@???> (ANY VALID USER IN SERVER)
250 2.1.5 OK w4si8042957weq.167
DATA
354 Go ahead w4si8042957weq.167
From: "Account Administrator" <info@???> (2n and FAKE
ACCOUNT)
To: Whateverspammerlikes@whatever
Hello, Your account has been disabled, daba daba daba, click the link to
enter your new password daba daba daba...
Your Bank Services Master
.
250 2.0.0 OK 1280756452 w4si8042957weq.167
QUIT
221 2.0.0 closing connection w4si8042957weq.167
Connection closed by foreign host.
This thing happens in our servers and in all smtp servers we have
checked. We only gave gmail to simplify the schema but it would work in
our servers too.
How can we prevent users to rewrite the From: part of the message during
the DATA transaction in exim?