can one "spoof" a mail header?

Printable View

August 23rd, 2002, 03:06 PM
ol jeb

can one "spoof" a mail header?

not sure if this can even be done, but can someone basicly spoof a mail header? my isp just called me and said that they had around 100 complaints from people saying that they recieved spam from one of my ip's (a box mananged by one of our developers). this is odd becuase at the firewall only port 80 is open to this box, and smtp(which is installed) is shutdown and is not allowing mail relay anyway???

i'm going through log files now, but any insights would be helpful.
August 23rd, 2002, 03:24 PM
mohaughn

Yes. If you can spoof an IP address you can spoof an email message. I will not go into details.

I would recommend you review all of you configuration to make sure that you did not miss anything. You said SMTP is down, so I highly doubt it is an open relay, but you should search the web about how to close an open SMTP relay for your particular SMTP daemon.

Normally when an ISP looks at at SPAM message they review the headers to make sure that it was not spoofed. I would ask to see the headers so that you can verify they are valid.
August 23rd, 2002, 03:25 PM
Infiltrator

The short answer.....yes it is possible but I have a question for you.
On your server since only port 80 is open, I assume it is a web server. Correct?
Are you running FormMail on your server? If so, there are serveral exploits where FormMail.pl can be used to spam from the server. This will cause all returns to point to your web server. Post here and let me know if I am on the right track.
August 23rd, 2002, 03:25 PM
nebulus200

Yes, not only is it possible, it isn't that difficult and there are plenty of tools available to do it.

Here is where I answered a similar question.

http://www.antionline.com/showthread...431#post560431

Neb
August 23rd, 2002, 03:45 PM
ol jeb

well the box is sitting in my dmz and running Win2k w/ IIS 5. i do not have any other mail client programs installed on this machine.
August 23rd, 2002, 04:08 PM
nebulus200

Might consider downloading iislockd. It is a tool provided by microsoft that goes through your IIS configuration and locks it down. There are several samples that are provided with IIS default installs that have many well known vulnerabilities, some of which can be used to relay mail.

There is also the M$ baseline security analyzer that will go through and analyze this stuff as well.

I would highly recommend looking into these.

Neb
August 23rd, 2002, 04:55 PM
detoxsmurf

I'm sure you've already checked this but make sure your not running an exploitable version of formmail.pl.