OSEC

Subject: Re: HELO / MAIL FROM vs client
From: Leif Nixon (nixon@lysator.liu.se)
Date: Tue Jul 04 2000 - 09:43:26 CDT


Gert-Jan Looy <gj@siemens.nl> writes:

> Leif Nixon wrote:
> >
> > Gert-Jan Looy <gj@siemens.nl> writes:
> >
> > > I like your second proposal, rejecting all mail from siemens.nl
> > > which does not come from our internal mail server.
> >
>
> There are some of our users with private accounts, but that mail is not
> handled by our server...

OK, let's say one of your users (your boss, say) uses his dial-up
internet access at home to send a mail to gj@siemens.nl, and uses his
siemens.nl address as sender address, which is quite natural. That
mail will be relayed by his ISP's mail server to your primary MX,
sgn2.siemens.nl. If you implemented your restrictions that mail would
be rejected by sgn2. Is that really what you want?

> Someone within our company was *really* upset when he was conflicted
> with an email that someone had received from him, which he did not write
> himself, but was kind of a practical joke.

That's how it is. SMTP is basically an insecure protocol, and you must
make your users aware that sender addresses are easily forged by anyone.

> So... I'm supposed to do something about that...

You can't. Even if you blocked incoming siemens.nl sender addresses at
sgn2, there's nothing to stop Joe Nastyguy from sending insulting mails
with forged siemens.nl sender addresses to all of your customers.

> Any options much appreciated!

Educate your users. The only way to prevent mail forgery is signing
your mail cryptographically.

-- 
Leif Nixon      Sysadm/developer       Ericsson SoftLab AB
----------------------------------------------------------
E-mail: nixon@softlab.ericsson.se   Phone: +46 13 23 57 61
----------------------------------------------------------
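An added example, not part of the thread above: a small model of the rule being discussed ("reject MAIL FROM <*@siemens.nl> unless the SMTP client is our internal mail server"), evaluated against the cases Leif describes. The relay list, IP addresses and HELO names are constructed for illustration; only the domain siemens.nl and the host sgn2 come from the thread.

```python
# Constructed model of the proposed MAIL FROM restriction at the primary MX (sgn2).
from dataclasses import dataclass

OUR_DOMAIN = "siemens.nl"
# Constructed: the only host allowed to originate siemens.nl mail (RFC 5737 address).
INTERNAL_RELAYS = {"192.0.2.10"}


@dataclass
class SmtpAttempt:
    label: str
    client_ip: str   # IP of the host that connected to sgn2
    helo: str        # HELO/EHLO name presented by that host (not trusted here)
    mail_from: str   # envelope sender given in MAIL FROM


def sender_domain(mail_from: str) -> str:
    """Return the domain part of an envelope sender, lower-cased ('' for <>)."""
    addr = mail_from.strip().strip("<>")
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def rejects(attempt: SmtpAttempt) -> bool:
    """The proposed rule: our own domain in MAIL FROM is only accepted when the
    connecting client is an internal relay; everything else is rejected."""
    if sender_domain(attempt.mail_from) != OUR_DOMAIN:
        return False
    return attempt.client_ip not in INTERNAL_RELAYS


def evaluate(attempts):
    """Map each scenario label to whether sgn2 would reject it."""
    return {a.label: rejects(a) for a in attempts}


# Constructed scenarios from the thread. Note that the rule only sees mail that
# reaches sgn2: a forger mailing your customers directly never passes through it.
CASES = [
    SmtpAttempt("internal", "192.0.2.10", "mail.siemens.nl", "gj@siemens.nl"),
    # The boss at home: his ISP's relay delivers to sgn2 with a siemens.nl sender.
    SmtpAttempt("boss-via-isp", "198.51.100.7", "smtp.isp.example", "<boss@siemens.nl>"),
    # A forger delivering to sgn2 with a forged sender; indistinguishable from the boss.
    SmtpAttempt("forger-to-us", "203.0.113.9", "sgn2.siemens.nl", "boss@siemens.nl"),
    # Mail with any other sender domain is untouched by the rule.
    SmtpAttempt("external", "203.0.113.9", "mx.example.net", "bob@example.net"),
]
```

The boss's legitimate mail and the forgery are rejected alike, because nothing in HELO or MAIL FROM lets the MX tell them apart; that is the gap only a cryptographic signature closes.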