Telnet to 25 and send spoofed internal email? (Full Version)



usual -> Telnet to 25 and send spoofed internal email? (13.Jul.2005 1:14:00 PM)

Is there a way I can stop exchange server 2003 from allowing anyone outside to telnet to port 25 and send spoofed emails to my internal domain?




a.grogan -> RE: Telnet to 25 and send spoofed internal email? (13.Jul.2005 1:19:00 PM)

Hiya, on your SMTP Virtual server - you will be able to set connection restrictions on the security tab to named IP addresses only.

Hope this helps.

A




usual -> RE: Telnet to 25 and send spoofed internal email? (13.Jul.2005 1:30:00 PM)

Sorry, that didn't really help. Under the virtual server there are no security tabs, and the section that looks like what you may be talking about doesn't seem to be what I need.

Anyone from the outside world can telnet to the Exchange server on port 25; they receive a banner and can begin to send commands. They can NOT relay mail from external domains, but they CAN spoof internal emails to people in the domain. Something like

HELO
response
MAIL FROM: user@ourinternaldomain.com
response
RCPT TO: user@ourinternaldomain.com
response
DATA
type an email

.

queued

So now anyone in the internal domain can get mail they THINK came from someone else in the company but really came from an external source.




consultOz -> RE: Telnet to 25 and send spoofed internal email? (13.Jul.2005 1:59:00 PM)

usual,

Go to ESM
Expand Global settings
-------message Delivery Properties
--------Recipient Filtering
Put a check mark on
--------Filter recipients who are not in the directory
--------Click apply

Good to read,
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/3c7bc0e9-c424-4775-8817-4e9a91d77655.mspx

Good Luck, and
Regards,
Oz




usual -> RE: Telnet to 25 and send spoofed internal email? (18.Jul.2005 9:22:00 AM)

No dice, I guess it's just something that can not be avoided.




MadMike -> RE: Telnet to 25 and send spoofed internal email? (18.Jul.2005 1:09:00 PM)

Do you use this SMTP connection for users to send email?

If not, you can set a mask of *@domaininquestion.com to be blocked inbound.

It's not foolproof but will stop a good part.

If you are truly looking for some type of address sender/recipient filtering, I would advise you to look at a third-party tool to put in front of Exchange to do what you are looking for, plus a lot more.

MadMike




usual -> RE: Telnet to 25 and send spoofed internal email? (18.Jul.2005 1:25:00 PM)

Thank you for the reply. I guess I was just a little confused because it seems like UNIX/Linux MTAs don't seem to be affected by this problem. Is it just an Exchange thing? If I telnet to a UNIX MTA it just hangs, no display, no chance to type commands.




MadMike -> RE: Telnet to 25 and send spoofed internal email? (19.Jul.2005 12:23:00 PM)

Many MTAs do what Exchange does...

At least the MTA should return the command codes 200 / 250 / 550 for the commands you enter.

Are you sure it's hung? It may be configured not to display anything. Also, is there some type of firewall / ipchains on / in front of the Unix host in question?

MadMike




usual -> RE: Telnet to 25 and send spoofed internal email? (19.Jul.2005 12:54:00 PM)

That's what I mean though: whatever is being done to 'hide' or 'block' telnetting to a Unix-based MTA, can it be done for an Exchange MTA? It doesn't appear that it can. Any Exchange server I have found just allows anyone to telnet to it. I haven't come across a Unix-based one that has let me yet. So it makes me curious if there is even a way for Exchange to do something like this. The most I have seen done to Exchange is the banner being changed.




a.grogan -> RE: Telnet to 25 and send spoofed internal email? (19.Jul.2005 7:19:00 PM)

Usual, apologies for my last post, I was not paying attention.
However, I prevent Telnet access to the SMTP servers in one of my Exchange environments by configuring the Connection Control section of the access tab under the SMTP default server properties.
Essentially I restrict access to only a few - required IP addresses.
Connections from sources outside the assigned range are refused.
Is this what you are looking for?




usual -> RE: Telnet to 25 and send spoofed internal email? (20.Jul.2005 6:45:00 AM)

I think so, and this will only block telnet? It won't block any mail from outside sources? The only change I want is to block telnet from the outside, possibly leaving it open for a few internal addresses.




a.grogan -> RE: Telnet to 25 and send spoofed internal email? (20.Jul.2005 7:23:00 AM)

It will prevent outside servers from connecting to the Virtual SMTP server on port 25.
In my configuration, as I know the IP address of the SMTP server that forwards mail to my domains I only allow that server to 1) Connect 2) Relay mail. - works a treat!

A




usual -> RE: Telnet to 25 and send spoofed internal email? (20.Jul.2005 7:26:00 AM)

Yeah I can't do that because mail comes here from tons of smtp servers to our exchange server.




a.grogan -> RE: Telnet to 25 and send spoofed internal email? (20.Jul.2005 8:13:00 AM)

Do they connect, or simply relay mail? If they do relay, then you can set the connection restrictions (give it a test first though).

A




dhenry911 -> RE: Telnet to 25 and send spoofed internal email? (20.Jul.2005 3:45:00 PM)

Same situation in my shop. I would really like to prevent Telnet clients from connecting to port 25 on the Exchange 2003 server. Let me know if you find a solution.




jeromeng -> RE: Telnet to 25 and send spoofed internal email? (21.Jul.2005 3:08:00 AM)

I'm having the same problem in my exchange environment.

I can telnet to ANY Exchange mail server at port 25 and send mail to anyuser@domain as yourboss@domain; this can be used to get sensitive info or give instructions, because you will normally act on your boss' orders.

Yahoo refuses telnet at port 25; Hotmail lets me in, queues my mail but will not deliver it to the recipient. This is a very bad oversight by MS.




usual -> RE: Telnet to 25 and send spoofed internal email? (21.Jul.2005 6:50:00 AM)

Well, it seems pretty overlooked by the community as well. As for letting you know when I find a solution, good luck. I've been asking all over the place for help with this issue and at best I get someone to understand what the problem is. Most people seem to shrug it off. I'm happy some more people are concerned.

[ July 21, 2005, 08:00 AM: Message edited by: usual ]




dhenry911 -> RE: Telnet to 25 and send spoofed internal email? (21.Jul.2005 4:35:00 PM)

The latest version of Symantec Anti-virus (9.0) stops telnet to port 25 by default. I have not installed this product but will download an evaluation version and test.




MadMike -> RE: Telnet to 25 and send spoofed internal email? (22.Jul.2005 1:06:00 PM)

quote:
Originally posted by jeromeng:
I'm having the same problem in my exchange environment.

I can telnet to ANY Exchange mail server at port 25 and send mail to anyuser@domain as yourboss@domain; this can be used to get sensitive info or give instructions, because you will normally act on your boss' orders.

Yahoo refuses telnet at port 25; Hotmail lets me in, queues my mail but will not deliver it to the recipient. This is a very bad oversight by MS.

Not wanting to say you are wrong but see below:

myserver:~$ telnet mx1.mail.yahoo.com 25
Trying 67.28.113.10...
Connected to mta-v4.level3.mail.yahoo.com.
Escape character is '^]'.
220 mta111.mail.re2.yahoo.com ESMTP YSmtp service ready

The above was done from my account on my linux server

If you block access to port 25 you will not get emails from outside that server (assuming it uses SMTP to receive email).




isawader -> RE: Telnet to 25 and send spoofed internal email? (22.Jul.2005 10:15:00 PM)

So you guys think spammers can only use telnet to spoof??????!

What about an actual SMTP server? It's easy to spoof addresses using any SMTP server. Blocking telnet at port 25 is a false sense of security. Besides, as MadMike said, if you block port 25 you can't get any emails. Unfortunately, when IEEE came up with the specifications for the SMTP protocol, we were living in a peace-loving world [Smile] There wasn't any scum sending spam emails. Had they envisioned that one day we would have this situation, they would've definitely come up with an alternative (possibly an authentication scheme).

You have two options to prevent these spoofed emails:

First, you can do a reverse DNS lookup on the sending MTA before accepting any emails. The drawback is that not all companies have properly configured their reverse DNS records, so you will end up rejecting hundreds of legitimate emails as spam.

Secondly, you can use SPF. It's the new form of fighting spam.

[ July 22, 2005, 10:19 PM: Message edited by: isawader ]
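The thread names three controls that together address the spoofed-internal-sender problem: consultOz's "filter recipients who are not in the directory", MadMike's inbound mask on *@yourdomain, and isawader's SPF. The following is an added example (not Exchange 2003 code and not written by anyone in this thread) showing how a policy hook in a filtering gateway placed in front of the mail server could combine them, evaluated over a few constructed SMTP envelopes. The domain ourinternaldomain.com is taken from usual's post; the internal address ranges, the SPF record, the directory contents and the client IPs are all constructed. The SPF evaluation is deliberately minimal (ip4 mechanisms and the trailing all only), so a real deployment would use a full RFC 7208 library with DNS resolution.

```python
"""Inbound SMTP policy checks combining recipient filtering, an internal
sender-domain mask, and a minimal SPF check (added example, not Exchange code)."""
import ipaddress
import re

# Hypothetical deployment values: the internal domain, the address space that
# may legitimately assert internal senders, and a stand-in for the directory
# lookup behind "Filter recipients who are not in the directory".
INTERNAL_DOMAIN = "ourinternaldomain.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]
DIRECTORY = {"alice@ourinternaldomain.com", "boss@ourinternaldomain.com"}

# Constructed SPF record for the internal domain (RFC 7208 syntax): only the
# listed hosts may send mail claiming to be from the domain.
SPF_RECORDS = {
    "ourinternaldomain.com": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.25 -all",
}

ADDR_RE = re.compile(r"<?([^<>@\s]+@([^<>@\s]+))>?$")


def parse_address(raw):
    """Return (user@domain, domain) from a MAIL FROM / RCPT TO argument."""
    m = ADDR_RE.search(raw.strip())
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower()


def spf_check(client_ip, domain):
    """Minimal SPF evaluation over ip4 mechanisms and the trailing 'all'.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a, mx, include need DNS and are not modelled here
        if matched:
            return results[qualifier]
    return "neutral"


def evaluate_session(client_ip, mail_from, rcpt_to):
    """Return (accept, smtp_reply) for one envelope from a given client IP."""
    ip = ipaddress.ip_address(client_ip)
    sender, sender_domain = parse_address(mail_from)
    rcpt, rcpt_domain = parse_address(rcpt_to)
    if sender is None or rcpt is None:
        return False, "501 Syntax error in address"
    internal_source = any(ip in net for net in INTERNAL_NETS)
    # Recipient filtering: local users not in the directory are refused.
    if rcpt_domain == INTERNAL_DOMAIN and rcpt not in DIRECTORY:
        return False, "550 5.1.1 User unknown"
    # Sender-domain mask: an external host may only assert an internal sender
    # if the domain's SPF record explicitly authorises that host.
    if sender_domain == INTERNAL_DOMAIN and not internal_source:
        spf = spf_check(client_ip, sender_domain)
        if spf != "pass":
            return False, f"550 5.7.1 Sender address rejected: SPF {spf}"
    return True, "250 2.1.0 Sender and recipient OK"


# Constructed envelopes: (client IP, MAIL FROM, RCPT TO).
SAMPLE_SESSIONS = [
    ("198.51.100.7", "<boss@ourinternaldomain.com>", "<alice@ourinternaldomain.com>"),
    ("10.1.2.3", "<boss@ourinternaldomain.com>", "<alice@ourinternaldomain.com>"),
    ("203.0.113.25", "<boss@ourinternaldomain.com>", "<alice@ourinternaldomain.com>"),
    ("198.51.100.7", "<partner@example.net>", "<alice@ourinternaldomain.com>"),
    ("198.51.100.7", "<partner@example.net>", "<nobody@ourinternaldomain.com>"),
]


def run_samples():
    """Evaluate every constructed envelope and return the decisions in order."""
    return [evaluate_session(*s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for session, (ok, reply) in zip(SAMPLE_SESSIONS, run_samples()):
        print(f"{session[0]:>14} {session[1]:<32} -> {reply}")
```

The first envelope is the scenario from usual's post (an outside host asserting an internal sender) and is refused with SPF fail; the second comes from an internal range and passes; the third comes from a host the SPF record authorises, which is how a legitimate external relay for the domain gets through the mask; the fourth is ordinary inbound mail and passes; the fifth is refused by recipient filtering alone. Note that the mask only protects against forged internal senders, not against forged external senders, which is why isawader's point about checking the sending MTA (reverse DNS or, better, SPF for every sender domain) still applies.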



