By Darren W. Miller, aka defendingthenet, CastleCops Staff Writer
April 12, 2005
Mail Servers:
They have their own language
There are many types and brands of e-mail servers used on the Internet: Sendmail, which has been around for a long time and is typically used on UNIX systems; Microsoft Exchange, a Microsoft product of course; and GroupWise, a Novell product, just to name a few.
Regardless of the services and options each flavor of mail server offers you, they all have one thing in common: they must abide by the rules of the SMTP communications standard and, in effect, speak a common language. If you want to know more about this, read the SMTP "Request For Comments", or RFC (RFC 2821 at the time of writing, since superseded by RFC 5321), located here.
SMTP Mail Relaying and Social
Engineering
Mail Relaying: What's the
big deal?
Although not a traditional vulnerability, one of the most common forms of SMTP misuse is e-mail relaying, usually combined with e-mail spoofing. An open relay is a gateway that accepts mail from any client on the Internet for delivery to domains it does not host; spoofing is forging the sender address, which plain SMTP never verifies. Both are routinely used by spammers to distribute their unwanted, unsolicited mail. In many cases they set up their own mail servers configured to allow relaying, but if your SMTP gateway is not set up to prevent relaying, the spammers will kindly use it instead. Finding and abusing an open relay is a very simple procedure and in most cases is completely automated.
Social Engineering Attack by E-mail
Another common use of e-mail relay and spoofing is social engineering attacks. We recently performed a security assessment for an organization where we were permitted to perform social engineering and denial-of-service attacks. It turned out that this company's SMTP server was not configured to prevent e-mail relaying. We attached to the SMTP gateway from the Internet, spoofed the e-mail address of one of the IT people, and sent an e-mail to ten end-users instructing them to "shut down their computers immediately because the IT team had detected a serious virus or worm on their computer". All ten of the users did exactly as we asked. Imagine if we had sent this e-mail to the "everyone" e-mail distribution group. It probably would not have been a good day for the IT folks.
I want to make the point that I am writing this article for the purpose of education and awareness. The purpose is NOT to provide someone with the information needed to abuse SMTP services.
Speaking the SMTP Language
The Basics of Hacking an SMTP Gateway
There are a handful of methods of direct SMTP communication, but for the sake of this article we will only review a few items. These items are all that is needed to spoof or relay e-mail, provided the SMTP gateway you are attached to allows mail relaying.
- Our Target: "smtpmailserver.ontheinternet.com";
- Our Tool: the good ol' "telnet" client;
- Our Objective: determine if mail relay is possible and execute it.
The following are the six commands (or steps) we will use to check for and execute a mail relay:
- "telnet": a communications client used to connect to SMTP port 25 on the target mail server;
- "helo": SMTP command used to introduce ourselves to the SMTP server; it takes our hostname as its argument;
- "mail from:": SMTP command identifying the envelope sender, i.e. who the mail will appear to come from. The server does not verify it, which is what makes spoofing possible;
- "rcpt to:": SMTP command telling the mail server who to send the e-mail to. If the server accepts a recipient in a domain it does not host, it is an open relay;
- "data": SMTP command that instructs the mail server that the text typed after this command is the message itself, headers and body, up to the terminating line;
- "(enter).(enter)": when we are finished writing our message we hit the (enter) key, a period ".", then (enter) again, and the mail will be queued for delivery.
Action:
"telnet smtpmailserver.ontheinternet.com 25": connect to our SMTP gateway, on port 25, using the telnet client
Response:
"220 smtpmailserver.ontheinternet.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Mon, 11 Apr 2005 11:15:50 -0400"
Result:
You successfully connected to the server! Note that the banner alone has already told you the product and exact build you are talking to.
Action:
"helo": say hello to the gateway. Per the RFC the command takes our hostname as an argument ("helo myhost.example"), and some servers reject a bare "helo" with a 501, so supply one.
Response:
"250 smtpmailserver.ontheinternet.com [10.1.1.x]"
Result:
The gateway greets you, echoing back the IP address it sees you connecting from.
Action:
"mail from: itperson@targetdomain.com": who is the e-mail (supposedly) from? The server accepts whatever we type here; this is the spoofing step.
Response:
"250 2.1.0 itperson@targetdomain.com....Sender OK"
Result:
The gateway accepted our forged sender without any verification.
Action:
"rcpt to: person@targetdomain.com": who are we sending the e-mail to?
Response:
"250 2.1.5 person@targetdomain.com"
Result:
We are close to sending our spoofed e-mail message! One caveat: if targetdomain.com is a domain this gateway hosts, the 250 proves nothing about relaying, since delivering to its own users is the gateway's job. The actual relay test is a recipient in a domain the gateway does not host: a 250 there means open relay, while a 550 "Unable to relay" means it is closed.
Action:
"data (then hit enter)": tell the SMTP server we are writing our message next!
Response:
"354 Start mail input; end with <CRLF>.<CRLF>"
The mail server is telling us to write our message, then type (enter), a period ".", then (enter) again.
Result:
You type your message.
Action:
"(Hit enter) type "." (Hit
enter)": Tell the smtp server we are finished writing our message!
Response:
"250
2.6.0
Queued mail for delivery"
Result:
The SMTP mail server has just accepted your
e-mail for delivery and has queued it for sending!
Conclusion
Automating The Process
As you can see, this process is pretty straightforward. Automating it is quite simple and can be done by writing a script in any number of languages. A script designed to send out mass mail can do so very quickly and efficiently. If your company's mail server were to become a target of e-mail relay, it could cause you a lot of trouble: your gateway's address will end up on spam blacklists, and the flood of relayed mail may overwhelm the server to the point of a denial of service, effectively preventing you from sending legitimate mail. The fix is to configure the gateway to relay only for authenticated users or for your own internal address ranges, and then to verify it from outside your network with the same "rcpt to" test an attacker would use.
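The telnet session walked through above, and the scripted version this Conclusion mentions, as an added example that is not code from the article: a Python relay check that speaks the same HELO / MAIL FROM / RCPT TO sequence to a gateway but stops before DATA, so it proves whether the gateway relays without ever injecting a message. It talks to a small fake gateway embedded in the same file so that it runs offline; the gateway name is borrowed from the article, while relaytest.example, third-party.example and the reply wording are placeholders, and a real Exchange or Sendmail gateway phrases its replies differently. Point check_open_relay at a real host and port to test your own gateway from outside your network.

```python
"""Open-relay check as a scripted SMTP dialogue (added example, not from the article).
The client reproduces the telnet session (HELO, MAIL FROM, RCPT TO) but stops
before DATA: a 250 to a recipient in a domain the gateway does not host proves
it relays. A fake gateway is embedded so it runs offline; names are placeholders."""
import socket
import socketserver
import threading

LOCAL_DOMAIN = "targetdomain.com"      # domain the fake gateway hosts (assumed)
PROBE_DOMAIN = "third-party.example"   # a domain it does NOT host (assumed)


class FakeGateway(socketserver.ThreadingTCPServer):
    """Toy SMTP gateway; open_relay decides whether foreign RCPT TOs get a 250."""
    daemon_threads = True

    def __init__(self, addr, open_relay):
        super().__init__(addr, _GatewayHandler)
        self.open_relay = open_relay


class _GatewayHandler(socketserver.StreamRequestHandler):
    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 smtpmailserver.ontheinternet.com Fake ESMTP ready")
        sender = None
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 smtpmailserver.ontheinternet.com")
            elif verb == "MAIL":
                sender = arg                       # never verified: spoofing is free
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                domain = arg.rstrip(">").rpartition("@")[2].lower()
                if sender is None:
                    self.reply("503 5.5.1 Need MAIL command")
                elif domain == LOCAL_DOMAIN or self.server.open_relay:
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay")
            elif verb == "RSET":
                sender = None
                self.reply("250 2.0.0 Resetting")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Closing connection")
                return
            else:
                self.reply("500 5.5.2 Command not recognized")


def _read_reply(f):
    """Collect one (possibly multi-line) SMTP reply; return (code, text)."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("gateway closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":       # "250-" continues, "250 " ends
            return int(line[:3]), "\n".join(lines)


def check_open_relay(host, port, probe_domain=PROBE_DOMAIN, timeout=10):
    """Return (relays, transcript). relays is True if the gateway accepted a
    recipient at probe_domain, which must be a domain the gateway does not host."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")

        def cmd(text):
            if text is not None:
                sock.sendall((text + "\r\n").encode())
                transcript.append("C: " + text)
            code, reply = _read_reply(f)
            transcript.append("S: " + reply)
            return code

        if cmd(None) != 220:                       # read the banner first
            raise RuntimeError("no 220 greeting")
        cmd("HELO relaytest.example")              # placeholder client hostname
        cmd("MAIL FROM:<relaytest@relaytest.example>")
        code = cmd(f"RCPT TO:<probe@{probe_domain}>")
        cmd("RSET")                                # abandon the envelope: no DATA
        cmd("QUIT")
    return code in (250, 251), transcript


def run_demo(open_relay, probe_domain=PROBE_DOMAIN):
    """Start a fake gateway on a free local port, test it, shut it down."""
    server = FakeGateway(("127.0.0.1", 0), open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_open_relay(*server.server_address, probe_domain=probe_domain)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for policy in (True, False):
        relays, lines = run_demo(open_relay=policy)
        print(f"--- gateway open_relay={policy}: relays for outsiders = {relays}")
        print("\n".join(lines))
    # A recipient in the gateway's own domain is accepted either way, so it is not
    # a relay test; the probe must name a domain the gateway does not host.
    print("local-domain probe on closed gateway:", run_demo(False, LOCAL_DOMAIN)[0])
```

The script reads the reply code after every command rather than assuming success, handles multi-line replies, and resets the envelope before quitting so that even an open relay never queues anything. The last line of the demo shows the trap the walkthrough above warns about: a recipient in the gateway's own domain gets a 250 from a correctly locked-down server too, so only a foreign domain tells you anything.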