ietf-mxcomp

RE: TECH-OMISSION: Security vulnerability - Malicious DSN attacks

2004-08-31 09:48:13
Chris Haynes wrote:
> > Normally, only MTAs that are operated by (or trusted by) V for outbound
> > SMTP mail processing would be configured this way.  Therefore, the
> > attack is only likely to occur if it can be launched from an IP address
> > that normally submits mail from V to P.
>
> I'm very sorry, I just don't understand this point.
> Does it change in the light of my comments / draft amendments above?

My point is that the vulnerability you are describing presumes the
existence of an MTA (which you've labeled P) with several
assumptions made about the behavior of that MTA.  You need to make it
clear what those assumptions are so that others can fairly assess the
risks.

One of the assumptions you have made is that P is normally willing
to accept a message where the SMTP sender is V and the recipient is R.
Let's assume that V and R are distinct domains.  Nearly every MTA in
use today has configuration controls to prevent "open relaying".  These
controls limit the IP addresses from which mail will be accepted for
relaying to outside domains.  Most MTAs will perform the open relaying
check immediately after the RCPT command or immediately after the end
of the message DATA is received.  The message is rejected during the
SMTP conversation if the combination of (client IP address, sender
address, recipient address) is unacceptable to the MTA.

Assuming the MTA at P is not configured as an open relay and that IP
address spoofing is not involved, the only way that P will accept a
message with a sender address in V and recipient in domain R is if
the SMTP client is one that P believes is "owned by" V - that is, it
normally sends mail to P on behalf of V.

To put it in simple terms, you cannot launch this type of attack
against V using P unless one of the following is true:

(1) P is an open relay.

(2) The attack messages are sent to P from an IP address that
normally sends mail for domain V.

(3) IP address spoofing is used to make it look like the attack
message is coming from an IP address that normally sends mail for
domain V.

Do you agree?  If so, then I think this is important to mention
because it significantly reduces the risk level associated with
the vulnerability you're writing about; one cannot easily launch
this type of attack from anywhere on the Internet.

Regards,
Daryl Odnert
Tumbleweed Communications
Redwood City, California
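The relay check Daryl describes (client IP, sender address, recipient address evaluated at RCPT time) and his three preconditions can be made concrete. The following is an added illustration, not code from the thread or from any MTA; the domains v.example, r.example and p.example, the 192.0.2.0/24 network trusted for V, and the attacker's address 203.0.113.9 are constructed for the example. The function mimics what a non-open-relay MTA at P decides for one RCPT command, and attack_outcomes() runs the three scenarios from the message plus the baseline case of an arbitrary Internet host.

```python
import ipaddress

# Constructed policy for the MTA "P" (hypothetical; not any real MTA's config).
LOCAL_DOMAINS = {"p.example"}  # recipients P delivers locally, never "relaying"

# Sender domains P will relay for, and the client networks P trusts to submit
# mail on their behalf. Only V's outbound hosts live in 192.0.2.0/24 here.
TRUSTED_SENDER_NETWORKS = {
    "v.example": [ipaddress.ip_network("192.0.2.0/24")],
}


def _domain(address):
    """Return the lower-cased domain part of an RFC 2821 address."""
    return address.rpartition("@")[2].strip("<>").lower()


def relay_decision(client_ip, mail_from, rcpt_to, open_relay=False):
    """Decide one RCPT TO command as P would, right after RCPT.

    Returns (accept, smtp_reply). The triple (client IP, MAIL FROM, RCPT TO)
    is exactly what the open-relay check in the message evaluates.
    """
    ip = ipaddress.ip_address(client_ip)
    sender_domain = _domain(mail_from)
    rcpt_domain = _domain(rcpt_to)

    # Local delivery is never relaying; anyone may send to P's own domain.
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK (local delivery)"

    # Condition (1) from the message: an open relay accepts from anywhere.
    if open_relay:
        return True, "250 2.1.5 OK (open relay)"

    # Condition (2): the client is one P believes is "owned by" the sender
    # domain, i.e. it normally submits mail to P on behalf of that domain.
    trusted = TRUSTED_SENDER_NETWORKS.get(sender_domain, [])
    if any(ip in net for net in trusted):
        return True, "250 2.1.5 OK (client authorised for %s)" % sender_domain

    # Otherwise the relay attempt is rejected during the SMTP conversation,
    # so no message is queued and no DSN can ever be generated from it.
    return False, "550 5.7.1 Relaying denied"


def attack_outcomes():
    """Run the attack message (forged MAIL FROM in V, RCPT in R) through P
    under each scenario in the message and report whether P queues it."""
    forged_from = "victim@v.example"   # constructed forged sender in V
    target_rcpt = "nobody@r.example"   # constructed recipient in R
    return {
        # Baseline: an arbitrary Internet host with none of the three
        # conditions holding. P rejects at RCPT, so the attack fails.
        "arbitrary_internet_host":
            relay_decision("203.0.113.9", forged_from, target_rcpt)[0],
        # (1) P is an open relay.
        "p_is_open_relay":
            relay_decision("203.0.113.9", forged_from, target_rcpt,
                           open_relay=True)[0],
        # (2) The attack is sent from an IP that normally sends for V.
        "from_v_outbound_host":
            relay_decision("192.0.2.10", forged_from, target_rcpt)[0],
        # (3) IP spoofing makes the client look like a V host. At this
        # layer it is indistinguishable from (2); the difference is that a
        # spoofed TCP session cannot complete the SMTP handshake without
        # further attacks, which is outside what this check models.
        "spoofed_as_v_host":
            relay_decision("192.0.2.77", forged_from, target_rcpt)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in attack_outcomes().items():
        print("%-25s %s" % (scenario, "ACCEPTED" if accepted else "rejected"))
```

The baseline case is the one that matters for the risk assessment in the message: with no open relay and no trusted-client status, P answers 550 at RCPT and the attack message never enters the queue, so it can never become a DSN aimed at V. Scenario (3) is modelled only as "the client IP looks like V's", since the relay check itself cannot tell a spoofed address from a real one.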