Impersonate another email user

Networking/Security Forums -> Physical Security and Social Engineering

Author: wise_guy2002n Posted: Fri Aug 29, 2008 6:58 am    Post subject: Impersonate another email user
Dear all,

I have what I consider a very severe problem in my internal network. I am running the email servers Exchange2k3 and MDaemon Pro in different networks. A few days ago I observed that some of my internal users received emails containing bogus messages from some of our internal users, but afterwards the sender never accepts that the message was sent by him. The users exist in our email server. When I checked the email header, I found that another of our internal, legitimate users impersonated the original user's email address and sent email to whomever they wanted, simply because they require only the SMTP IP address, and it is also very easy to find out the SMTP address of the internal email server. That user sends irritating messages whenever they want.

I have blocked his ID, but this is not a permanent solution. This is a very serious issue in the office. I want to ask you all whether there is any resolution so that only the original user can use their own email user name to send email, and no one can impersonate another user's email address and send email to whomever they want. I hope someone understands my problem.


Author: PhiBer Location: Your MBR Posted: Fri Aug 29, 2008 5:57 pm    Post subject:
You might wish to look into S/MIME, which allows for non-repudiation of origin (you cannot say "you" didn't send it as you are the only one with the certificate).

Author: capi Location: Portugal Posted: Fri Aug 29, 2008 9:50 pm    Post subject:
That would require making S/MIME mandatory somehow, though. The vandal could always opt to send his emails without using S/MIME - an email without a signature would certainly look more spoofed, but if the point is finding out who's actually sending the offending emails it may not help.

If this is an internal problem - that is, the vandal is sending the emails from the internal smtp server, how about changing the smtp server so that it requires user+password authentication? That way, the server logs will contain the name of the user who actually sent the email. Next time the offending user sends a fake email you can look at the server logs and you will know which username sent it.

Edit: spelling

Last edited by capi on Sat Aug 30, 2008 3:22 pm; edited 1 time in total
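
The log check capi describes, as an added example that is not part of the original thread: once the server requires authentication, each message's claimed sender can be compared with the login that submitted it. The log layout, field names, users and address map below are constructed for illustration and are not the Exchange 2003 or MDaemon log format.

```python
import re
from collections import namedtuple

# Constructed sample log; this key=value layout is hypothetical and is not
# the Exchange 2003 or MDaemon log format.
SAMPLE_LOG = """\
2008-09-01T09:12:03 session=a1 event=auth user=jsmith ip=10.0.0.21
2008-09-01T09:12:04 session=a1 event=mail from=jsmith@example.test hdr_from=jsmith@example.test
2008-09-01T10:40:17 session=b7 event=auth user=mallory ip=10.0.0.57
2008-09-01T10:40:18 session=b7 event=mail from=mallory@example.test hdr_from=boss@example.test
2008-09-01T11:02:44 session=c3 event=mail from=boss@example.test hdr_from=boss@example.test
"""

# Hypothetical map of login names to the addresses each may send as.
ALLOWED = {
    "jsmith": {"jsmith@example.test"},
    "mallory": {"mallory@example.test"},
}

Finding = namedtuple("Finding", "time session user claimed reason")
FIELD = re.compile(r"(\w+)=(\S+)")


def find_spoofed(log_text, allowed):
    """Return a Finding for every sender address the submitting login does not own."""
    auth_by_session = {}  # session id -> authenticated login name
    findings = []
    for line in log_text.splitlines():
        time, _, rest = line.partition(" ")
        f = dict(FIELD.findall(rest))
        if f.get("event") == "auth":
            auth_by_session[f["session"]] = f["user"]
        elif f.get("event") == "mail":
            user = auth_by_session.get(f["session"])
            # Envelope sender and header From can both be forged; check both.
            claimed = {f.get("from", "").lower(), f.get("hdr_from", "").lower()} - {""}
            if user is None:
                bad, reason = claimed, "no authentication"
            else:
                bad, reason = claimed - allowed.get(user, set()), "address not owned by login"
            findings += [Finding(time, f["session"], user, a, reason) for a in sorted(bad)]
    return findings


if __name__ == "__main__":
    for finding in find_spoofed(SAMPLE_LOG, ALLOWED):
        print(finding)
```

On the sample, session b7 is attributed to the login `mallory` even though the header claims `boss@example.test`, while session c3 shows what an unauthenticated submission leaves behind: a claimed sender with no login to tie it to.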

Author: moondoggie Posted: Sat Aug 30, 2008 2:56 pm    Post subject:
I was just about to suggest the same thing as capi. If you do not already force authentication for sending mail, you should do it ASAP. I would also suggest forcing everyone to change passwords too, just in case the offending person is using someone else's password to gain access.

Author: clonmac Posted: Tue Apr 14, 2009 5:16 pm    Post subject:
In Exchange 2003, by default it requires authentication. So if requiring authentication is turned off, it must have gotten manually turned off at some point.

I agree with the others that you should require authentication to relay emails. You have a common problem with your email server being an open relay. If your internal users are able to send emails without authentication, then external users would be able to do so just as easily.

I would close off your open relay as soon as possible. Require authentication on your server. You also might want to check to see if your server is on any blacklists just to be sure your server wasn't being used to spam externally as well. Better safe than sorry.

What also could be the case is that someone (in your organization or outside of) has a virus that parsed the contacts list of the infected user. It then uses the addresses in the contacts list to spam out messages from. The virus has its own SMTP server to send emails from. In that case, your server has nothing to do with sending the incoming emails and they could originate from somewhere else.

If that is the case, then you may want to look into setting your mail server to accept incoming messages from SMTP servers that only have a valid PTR record for that IP address and domain. This can help cut down on spam messages like that.


All times are GMT + 2 Hours
