can one "spoof" a mail header?
Results 1 to 7 of 7

Thread: can one "spoof" a mail header?

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    106

    Question can one "spoof" a mail header?

    not sure if this can even be done, but can someone basicly spoof a mail header? my isp just called me and said that they had around 100 complaints from people saying that they recieved spam from one of my ip's (a box mananged by one of our developers). this is odd becuase at the firewall only port 80 is open to this box, and smtp(which is installed) is shutdown and is not allowing mail relay anyway???

    i'm going through log files now, but any insights would be helpful.
    just making some minor adjustments to your system....

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Yes. If you can spoof an IP address you can spoof an email message. I will not go into details.

    I would recommend you review all of you configuration to make sure that you did not miss anything. You said SMTP is down, so I highly doubt it is an open relay, but you should search the web about how to close an open SMTP relay for your particular SMTP daemon.

    Normally when an ISP looks at at SPAM message they review the headers to make sure that it was not spoofed. I would ask to see the headers so that you can verify they are valid.

  3. #3
    The short answer.....yes it is possible but I have a question for you.
    On your server since only port 80 is open, I assume it is a web server. Correct?
    Are you running FormMail on your server? If so, there are serveral exploits where FormMail.pl can be used to spam from the server. This will cause all returns to point to your web server. Post here and let me know if I am on the right track.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Yes, not only is it possible, it isn't that difficult and there are plenty of tools available to do it.

    Here is where I answered a similar question.

    http://www.antionline.com/showthread...431#post560431

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    well the box is sitting in my dmz and running Win2k w/ IIS 5. i do not have any other mail client programs installed on this machine.
    just making some minor adjustments to your system....

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Might consider downloading iislockd. It is a tool provided by microsoft that goes through your IIS configuration and locks it down. There are several samples that are provided with IIS default installs that have many well known vulnerabilities, some of which can be used to relay mail.

    There is also the M$ baseline security analyzer that will go through and analyze this stuff as well.

    I would highly recommend looking into these.

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    I'm sure you've already checked this but make sure your not running an exploitable version of formmail.pl.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides