NTBugtraq And NTSecurity Archives: Re: Blocking Spoofed Email

Re: Blocking Spoofed Email


Пичугин Тимур Дмитриевич (Pichugin@B14S1NT.MPEI.AC.RU)
Tue, 23 Nov 1999 18:04:32 +0300



The document below is an excerpt straight from the FULL RELEASE of
Microsoft Exchange 5.5. It is the "README.DOC" 'release notes'
document.

To prevent UCE messages from being delivered to local users, you must
specify the directory where aborted messages are moved to and the
messages that will be aborted. To do this, add the following values
to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters

Value       Data Type      Description

TurfDir     REG_SZ         Specifies the directory where aborted messages are
                           moved to. It is recommended that you set it to
                           Exchsrvr\Imcdata\Turfdir, where Exchsrvr is the
                           directory where the Microsoft Exchange Server
                           files are located.

TurfTable   REG_MULTI_SZ   Specifies the messages that are aborted.

If you configure the TurfTable registry setting and you do not
specify a TurfDir value, aborted messages are permanently deleted.
Entries must be entered one per line with no extra spaces or
delimiters. They are not case-sensitive. For example, a domain
specified in the list using the following format prevents all
messages addressed from domain.com from being delivered.

#domain.com

A domain specified in the list using the following format prevents
all messages addressed from domain.com and all of its subdomains from
being delivered.

domain.com

You can specify a specific user in the list using the following
format.

user@domain.com

To apply these registry settings after they have been created or
modified, you must stop or restart the Internet Mail Service and the
Information Store service using the Services application in Control
Panel.

-----Original Message-----
From: Resson [mailto:resson@ALTAVISTA.NET]
Sent: Saturday, November 20, 1999 2:46 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Blocking Spoofed Email

Hi All,

MS KB "Q155683 - XFOR: Verification of FROM Address in SMTP Messages"
(http://support.microsoft.com/support/kb/articles/Q155/6/83.ASP)
refers to the ability to set up Exchange to turf messages claiming to
come from a particular email domain. This is handy as it helps
prevent spoofing of internal email addresses.

According to the knowledge base you can set up the registry with the
string of the site you wish to block along these lines:

someorg.somedomain.somecountry

Having tried this recently there seems to be a problem. Namely,
whilst it blocks messages claiming to originate at the above it also
blocks messages claiming to originate from

somehost.someorg.somedomain.somecountry

Many unix hosts etc. send administrative alerts along these lines, and
I don't want to throw out those messages along with ones which might
genuinely be trying to spoof internal messages.

Anybody have any experience with this? Know of a fix? Spoken to
Microsoft?

Cheers,
Resson.

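The three TurfTable entry formats from the README excerpt, modelled as a small matcher and run against the case Resson reports (a bare domain entry also catching alerts from hosts beneath it, which the "#" form avoids). This is an added example, not code from the thread or from Microsoft; the matching rules are inferred from the README wording, and the sender addresses are constructed.

```python
"""Model of the Exchange 5.5 Internet Mail Service TurfTable rules as
documented in the README excerpt: one entry per line, case-insensitive,
'#domain.com' = that domain only, 'domain.com' = domain plus subdomains,
'user@domain.com' = one specific sender. Inferred behaviour, not Microsoft code."""


def parse_turf_table(entries):
    """Normalise a REG_MULTI_SZ-style list: strip blanks, ignore case."""
    return [e.strip().lower() for e in entries if e.strip()]


def is_turfed(sender, turf_table):
    """Return the TurfTable entry that aborts this sender, or None to deliver."""
    sender = sender.strip().lower()
    _local, _, domain = sender.rpartition("@")
    for entry in parse_turf_table(turf_table):
        if "@" in entry:
            # user@domain.com: block exactly this one address
            if sender == entry:
                return entry
        elif entry.startswith("#"):
            # #domain.com: block the domain itself, but not its subdomains
            if domain == entry[1:]:
                return entry
        else:
            # domain.com: block the domain and every subdomain under it
            if domain == entry or domain.endswith("." + entry):
                return entry
    return None


# Resson's entry from the original post, and the '#' form the README offers.
PROBLEM_TABLE = ["someorg.somedomain.somecountry"]
FIXED_TABLE = ["#someorg.somedomain.somecountry"]


def demo():
    """Compare both tables against a spoofed internal sender and a legitimate
    administrative alert from a host under that domain (constructed samples)."""
    spoofed = "ceo@someorg.somedomain.somecountry"
    alert = "root@somehost.someorg.somedomain.somecountry"
    return {
        "bare_blocks_spoof": is_turfed(spoofed, PROBLEM_TABLE) is not None,
        "bare_blocks_alert": is_turfed(alert, PROBLEM_TABLE) is not None,
        "hash_blocks_spoof": is_turfed(spoofed, FIXED_TABLE) is not None,
        "hash_blocks_alert": is_turfed(alert, FIXED_TABLE) is not None,
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked}")
```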



This archive was generated by hypermail 2.0b3 on Tue Nov 23 1999 - 09:49:00 CST