Testing your mail server for impersonation or relay attacks.

Recently a friend ask me how does he knows if his mail server is vulnerable to impersonation or relay attacks. (SPAM, Phishing, etc)

First we have to think why these attacks happen. For one thing there is no authentication/authorization on the SMTP connections between servers and mostly misconfiguration. Sometime we think we did all there is to do when configuring our serves an sometime we trust what vendors say (are we suppose to?), but that the way to tragedy in security.

First how do I test if my SMTP server is vulnerable? Just try this:

  1. telnet [mail_server] 25
  2. helo
  3. mail from: impersonated_user@domain.com
  4. rcpt to: target_user@domain.com
  5. data
  6. This is a test from my self
  7. .
  8. quit

Also to see if your server rejects invalid data/messages you can set up an stmp server that is vulnerable to these attacks and SPAM/Phish yourself.  Windows Server and Linux both come with built-in SMTP server you can setup. Also you can download a tool like FreeSMTP (http://www.softstack.com/freesmtp.html) and avoid tha hasle of setting up mail services on a server.

PLEASE! be good to others don’t spam/phish anyone.

How do you defend your self from this?

  1. Authenticate user SMTP connections to your servers: This will stop an anonymous user to connect to the server if it doesn’t have an account and validates/authenticates with the server.
  2. Use SSL : This will give some protection by encrypting the connection and preventing MITM or sniffing of data. Remember to use valid certificates and to educate your users. If the attacker has privilege access to your network or the users end connection you are screwed anyway.
  3. Only relay messages for your domains.
  4. Add an SPF record in the DNS. (TXT record with SFP info) http://en.wikipedia.org/wiki/Sender_Policy_Framework
  5. Use domain keys on your DNS records a.k.a DKIM: https://en.wikipedia.org/wiki/DKIM
  6. Finally there is a standard that sorts of combines SFP and DKIM thats called DMARC that’s still in development give it a look http://dmarc.org/

Hope this helps,



Jose Quinones

Certificacions MCSA, CEH, GCIH, GPEN, RHCSA

Comments are closed.