[Vulnerability] Local Domains Being Spoofed
Problem reported by Scott Forsythe - April 14, 2016 at 7:14 AM
Being Fixed
Hello,
 
A SmarterMail customer of ours received a phishing message with the "From:" address matching a co-worker at their domain (ex. From: user1@domain.com, To: user2@domain.com).
 
We have "Enable domain's SMTP auth setting for local deliveries" checked so if the "MAIL FROM:" is a local domain, SMTP auth is required. The message came through because in the SMTP session the "MAIL FROM:" was a non-local email address (ex. user3@spamdomain.com).
 
How do you stop messages where the "MAIL FROM:" does not match the message header "From"?
 
Thanks,
Scott
 
 

27 Replies

0
DMARC
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
2
Thanks Bruce. I'm looking for a global SmarterMail setting to handle this. With DMARC, I'm assuming we would need to update each of our customers' DNS records.
 
Thanks,
Scott
0
Yes. DMARC DNS entries are required for each hosted domain, and DKIM Security key MUST be generated in SmarterMail. See my post at: https://portal.chicagonettech.com/kb/a116/why-am-i-having-problems-getting-my-e-mail-delivered.aspx for more information. Item # 12 discusses DMARC.
Bruce Barnes
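Bruce's answer is DMARC. What makes DMARC stop the case in the original post is identifier alignment: the domain in the message's From header must match (strictly or relaxed) the domain that SPF or DKIM actually authenticated, so a MAIL FROM of user3@spamdomain.com passing SPF does nothing for a From of user1@domain.com. The following Python is an added illustration of that evaluation (RFC 7489 section 3.1) and is not SmarterMail's code or anything from this thread. Assumptions: `DMARC_RECORDS` is a constructed stand-in for the `_dmarc.<domain>` TXT lookups a real receiver performs, the record contents are made up, `organizational_domain` is a toy version of the Public Suffix List logic, and `sp=`/`pct=` are ignored.

```python
# Added example: DMARC identifier alignment and policy selection.
# Not SmarterMail code. DNS is replaced by a constructed record table.

# Constructed stand-in for _dmarc.<domain> TXT lookups ("domain.com" is the
# thread's example domain; the record contents are made up for this example).
DMARC_RECORDS = {
    "domain.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@domain.com",
    "example.net": "v=DMARC1; p=none",
}


def organizational_domain(domain):
    """Toy organizational domain: the last two labels. RFC 7489 uses the
    Public Suffix List, which is required for names such as example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any name under the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (disposition, detail).

    from_domain : domain of the RFC 5322 From header
    spf_result  : SPF verdict for the MAIL FROM domain ('pass', 'fail', 'none', ...)
    spf_domain  : the MAIL FROM domain that SPF was evaluated for
    dkim_result : DKIM verdict ('pass', 'fail', 'none')
    dkim_domain : d= tag of the verified DKIM signature, or '' if none
    disposition : 'pass', 'no-record', or the p= action (none/quarantine/reject)
    """
    record = (DMARC_RECORDS.get(from_domain.lower())
              or DMARC_RECORDS.get(organizational_domain(from_domain)))
    if not record:
        return "no-record", "no DMARC record for %s" % from_domain
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "aligned identifier: SPF=%s DKIM=%s" % (spf_aligned, dkim_aligned)
    return tags.get("p", "none"), "no aligned identifier (SPF %s for %r, DKIM %s for %r)" % (
        spf_result, spf_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # The case from the original post: header From user1@domain.com, but the
    # SMTP MAIL FROM was user3@spamdomain.com (and its SPF may well pass).
    print(evaluate_dmarc("domain.com", "pass", "spamdomain.com", "none", ""))
    # A legitimately submitted message signed with DKIM d=domain.com.
    print(evaluate_dmarc("domain.com", "pass", "domain.com", "pass", "domain.com"))
```

Because `adkim=s` is set in the constructed record, a signature from `mail.domain.com` does not align with a From of `domain.com`; with the default relaxed mode it would. That is the knob a domain owner turns when publishing the record.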
3
Just following up on this post as we're seeing an increase in domain/email spoofing by spammers. Also, seems like there have been more posts about it here in the community.
 
So I'm wondering if there's a rule or setting in SmarterMail to check the 'from address' in message header to see if it's the same domain as the recipient. If so, it should require additional checks like SMTP Auth or SPF.
 
Another nice check would be the 'from address' in message header vs. the one in the Mail From. If it doesn't match, add points to the spam score.
 
Let me know if I'm missing something here. Thanks,
Kevin
3
SmarterTools -- can we get this switched to Under Consideration or Planned? It seems like a simple request, should be easy to implement, and would reduce spam to the Inbox. Thanks!
0
It's already a feature in SmarterMail ENTERPRISE - require auth match for: e-mail address or domain.  We enforce the entire e-mail address - no exceptions.  No match, no pass.
 
Comcast does that for all of their network customers at the level III network level.  If the SENT FROM and REPLY TO don't match, it simply doesn't get delivered.
 
The settings below also enforce TLS encryption of all SMTP clients - eliminating plain text passwords.
 
Bruce Barnes
3
With the increase in ransomware and other malicious messages with spoofed local senders it's more critical to get these messages stopped. Google and Outlook.com will flag these type of messages so it can be done. Please vote up this post to indicate there is demand.
1
Von-Austin See Replied
Employee Post
Greetings,
 
This is something that we are considering a feature request and not a bug at this time.
 
We do have the request logged, and we will be implementing protection similar to what Outlook and Gmail offer, in which the message will be flagged indicating it may not be from who the From header states it's from. There are some legitimate cases when this is done (such as with Google's calendaring system) that we need to take into consideration, so these will ultimately not be blocked outright, but made more visible to the end user. 
 
The feature is still in the early process of planning and I cannot offer an ETA unfortunately. 
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
7
This is really a problem.  Just had a client complain about getting a "Wire Transfer" message from their "boss".
 
I already had all of Bruce's settings implemented from above, but to no avail.
 
In the Header, The "From" address is the real Boss address, but the "Return-Path" and "Reply-To" are different.
 
None of the email addresses or domains are "Trusted Senders" globally, at the site level, or the user level.
 
Why in the world would this be delivered?
 
6
This problem needs to be addressed ASAP.  Just saw a message where Stevie@e-street.com received a message from TheBoss@e-street.com. The From address "TheBoss@e-street.com" looked totally legit. Only when you look at the header can you see it came from the outside and TheBoss was spoofed!
 
All the security settings discussed above (SMTP Auth, etc.) are in place. The real Boss never sent the message. Furthermore, no authentication was done on the message when it came in, even though the From domain exists on the server. Using 15.x.
1
Are you sure that this is really a "spoof" and not a situation where the "reply-to" address is different than the actual sender address, which is permitted, for better or worse?
5
This also still happens in v16 and we really need to figure out a solution to this problem.  The spammers / spoofers have gone low-tech with this - writing extremely personalized messages which are very hard for the average person to catch until it's too late.  The spammers are customizing the signature / salutation in the messages for goodness sake.
 
When you look at the headers of the original message there are mismatches in the from, return-path, reply-to, etc.  At a minimum, if we can't block these from incoming due to legitimate uses then there needs to be a large warning banner injected into the message itself (not the UI of SmarterMail webmail because the messages aren't always viewed there).
4
This is the kind of issue that ST should weigh in on, in this forum, and quickly.
7
FWIW, they did weigh in on this back in July 2016 saying it would be extremely valuable to check the from address against MAIL FROM: in the SMTP session. Then again in Oct. 2016 saying it wasn't a bug, but would add it to the feature request list with no ETA.
 
If anyone knows the addresses of the SM programmers, we could exploit this vulnerability to send them an email from Tim@smartertools.com saying that this issue is critical and needs to be fixed ASAP.  :)  JJ
 
Seriously, we need to at least provide some mechanism to warn users that the message is from someone at the local domain, but was not authenticated and could be fraudulent. Technically, I would prefer that these messages be rejected as rarely do you allow others to send using your domain.
 
If you do use a service like Constant Contact that's allowed to send as your domain, then it should be whitelisted or entered as global trusted sender. It's a little extra work, but will protect your users. See this highly-rated (20 votes) idea to make the management of trusted senders easier:
 
5
So it's been like 3 weeks and there's no official response to this vulnerability. This is definitely a problem, not a feature request. Summary:
When you receive an email from someone on your own domain, SmarterMail needs to do some kind of verification or authentication.
Or at least warn the recipient that the message is fake.
Would opening a ticket help?
5
"So it's been like 3 weeks and we don't have any official response on this vulnerability." Didn't you mean to say 3 Years?
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
4
I wanted to use X-SmarterMail-Authenticated-As header to detect and filter fake emails. But there is a bug in SmarterMail:
 
https://portal.smartertools.com/community/a89812/bug-x-smartermail-authenticated-as-header-is-missing.aspx
 
I am really surprised this important issue is not fixed for 3 years. Instead SM developers are busy making nice UI of the SM 16. We need the mail server working properly first. And only when it works then we may need some UI bells and whistles. SM Team, please reconsider your priorities.
5
Fix Spam, Fix SPAM, FIX SPAM .....   Earth to SmarterMail Are you listening?
Kendra Support
5
Had something similar happen today where the "Return Path" was used in the SMTP transaction, and the "From" header was used in the delivery spam checks. The Return Path was some .com.br address, but the From address was using our CEO's address. So the email got right through and skipped spool checks because it is a "trusted sender".

Christopher

4
How about this one -- a user received spam sent from their own email address! All protection/security settings are enabled:
  • Authentication required for all outgoing mail.
  • Neither the user nor the domain is entered as a trusted sender.
Here's the header:
Return-Path: <dfgfde4n@mbw-a.com>
Received: from mbw-a.com (ohone.plasurvey.net [162.248.4.130]) by mail.smartermail15.net with SMTP;
   Thu, 26 Oct 2017 08:00:30 -0400
Received: from localhost (127.0.0.1) by mbw-a.com id hqofec16lt0h for <user@smartermail15.net>; Thu, 26 Oct 2017 07:40:18 -0400 (envelope-from <dfgfde4n@mbw-a.com>)
MIME-Version: 1.0
Date: Thu, 26 Oct 2017 07:40:18 -0400
From: User <user@smartermail15.net><dfgfde4n@mbw-a.com>
To: user@smartermail15.net
Subject:  Reverse Mortgage Pitfalls..
Content-Type: text/html;
Message-ID: <56b5a34c82a24a7ca6334971b70dbea8@com>
X-Exim-Id: 56b5a34c82a24a7ca6334971b70dbea8
The header has 2 From addresses, but webmail only shows the 1st one.
 
It's not good that this totally fraudulent message is presented to the user. If the From address is a local domain, it needs to be authenticated!
0
I'm trying to get DKIM working to try to stop this, has anyone had any success with that?
4
Our users enjoy receiving spam from themselves.  NOT REALLY!  Check out this header:
Return-Path: <>
Received: from waterpath.info (waterpath.info [80.211.161.27]) by mail.server.net with SMTP;
   Wed, 8 Nov 2017 16:47:01 -0500
Received: from waterpath.info (80.211.161.27) by waterpath.info id 0jDy9EPHf2fb for <mary@server.net>; Wed, 08 Nov 2017 20:41:58 +0000 (envelope-from <>
MIME-Version: 1.0
From: AmazingCreditScores <mary@server.net>
Subject: Get_,your_,free_,credit_,scores_,today_,with_,free_,trial_,
To: mary@server.net
Sender: <IFWRK@waterpath.info>
Message-ID: <2lGzwV3XecrHeWxoqWnUBVZu019.4881606134915040124@waterpath.info>
Content-Type: multipart/alternative; boundary="----=_NextPart_BFE_1DE9_08A320EA.1A30A4C1"
Date: Wed, 08 Nov 2017 20:41:58 +0000
Can we PLEASE fix this???
 
There is no reason that mail From a local user should be able to sail through the system with no authentication!!!
 
Fix: If the From address is a local domain on the server, then this must exist in header:
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
or the From address must match the Return-Path. Otherwise, reject the message.
 
Thank you.
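The rule proposed just above (a From address on a local domain must either carry the authenticated spam-weight header or match the Return-Path, otherwise reject) can be checked against the two headers posted in this thread. The Python below is an added example, not SmarterMail's code, and runs the rule over those two headers (abridged to the relevant fields) plus two constructed messages: a legitimately authenticated local sender and a plain external sender. Assumptions: `LOCAL_DOMAINS` stands in for the server's hosted-domain list; an authenticated submission is marked exactly as the post states, with `X-SmarterMail-TotalSpamWeight: 0 (Authenticated)`; and the address extraction is deliberately simplified rather than a full RFC 5322 parser, so that the malformed two-mailbox From header from the earlier post yields both addresses instead of only the first one that webmail displayed.

```python
# Added example: the "local From must be authenticated or match Return-Path"
# rule from the thread, applied to message headers. Not SmarterMail code.
import re
from email import message_from_string

# Assumption (constructed): the domains hosted on this server.
LOCAL_DOMAINS = {"smartermail15.net", "server.net"}

# Simplified mailbox extraction: every <addr-spec> in the value, else bare
# addr-specs. Not a full RFC 5322 parser; on the malformed header
# "User <user@smartermail15.net><dfgfde4n@mbw-a.com>" it returns BOTH mailboxes.
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
BARE_ADDR = re.compile(r'[^\s<>,;:"]+@[^\s<>,;:"]+')

# Header from the Oct 2017 post (abridged): two mailboxes in From, external Return-Path.
SPOOFED_TWO_FROM = """Return-Path: <dfgfde4n@mbw-a.com>
Received: from mbw-a.com (ohone.plasurvey.net [162.248.4.130]) by mail.smartermail15.net with SMTP;
   Thu, 26 Oct 2017 08:00:30 -0400
From: User <user@smartermail15.net><dfgfde4n@mbw-a.com>
To: user@smartermail15.net
Subject:  Reverse Mortgage Pitfalls..
Message-ID: <56b5a34c82a24a7ca6334971b70dbea8@com>

"""

# Header from the Nov 2017 post (abridged): null Return-Path, local From, external Sender.
SPOOFED_NULL_RETURN_PATH = """Return-Path: <>
Received: from waterpath.info (waterpath.info [80.211.161.27]) by mail.server.net with SMTP;
   Wed, 8 Nov 2017 16:47:01 -0500
From: AmazingCreditScores <mary@server.net>
Subject: Get_,your_,free_,credit_,scores_,today_,with_,free_,trial_,
To: mary@server.net
Sender: <IFWRK@waterpath.info>

"""

# Constructed: a local user who submitted the message with SMTP auth.
AUTHENTICATED_LOCAL = """Return-Path: <mary@server.net>
From: Mary <mary@server.net>
To: bob@server.net
Subject: lunch?
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)

"""

# Constructed: ordinary external mail, outside the scope of the rule.
EXTERNAL_SENDER = """Return-Path: <news@example.org>
From: Newsletter <news@example.org>
To: mary@server.net
Subject: weekly digest

"""


def extract_addresses(header_value):
    found = ANGLE_ADDR.findall(header_value) or BARE_ADDR.findall(header_value)
    return [addr.lower() for addr in found]


def domain_of(addr):
    return addr.rpartition("@")[2]


def evaluate(raw_message):
    """Apply the thread's rule to one message. Returns (verdict, reasons)."""
    msg = message_from_string(raw_message)
    from_addrs = extract_addresses(msg.get("From", ""))
    return_path = extract_addresses(msg.get("Return-Path", ""))  # "<>" -> []
    authenticated = "(Authenticated)" in msg.get("X-SmarterMail-TotalSpamWeight", "")
    reasons = []

    if len(from_addrs) != 1:
        reasons.append("From carries %d mailboxes: %s" % (len(from_addrs), from_addrs))

    if not any(domain_of(a) in LOCAL_DOMAINS for a in from_addrs):
        return "accept", reasons  # rule only covers mail claiming a local sender
    if authenticated:
        return "accept", reasons  # submitted by a local user over SMTP auth
    if len(from_addrs) == 1 and return_path == from_addrs:
        return "accept", reasons  # envelope sender agrees with the header From

    reasons.append("local From %s without SMTP auth; Return-Path is %s"
                   % (from_addrs, return_path or ["<>"]))
    return "reject", reasons


if __name__ == "__main__":
    for name, sample in [("two From mailboxes", SPOOFED_TWO_FROM),
                         ("null Return-Path", SPOOFED_NULL_RETURN_PATH),
                         ("authenticated local", AUTHENTICATED_LOCAL),
                         ("external sender", EXTERNAL_SENDER)]:
        verdict, reasons = evaluate(sample)
        print("%-22s %-7s %s" % (name, verdict, "; ".join(reasons)))
```

Note the null Return-Path case: a bounce (`Return-Path: <>`) can never equal a From address, so under this rule an unauthenticated bounce that claims a local From is rejected as well, which is the second header above.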
4
OK, so another week goes by and no official reply...  Looks like the last reply from ST was over a year ago in Oct. 2016.
 
Not trying to be mean, but there are other trivial issues in this forum that get immediate replies. This is a significant issue that affects all customers and IMO is more important than group chat, etc.
Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.    -- SpamTitan.com
And a recent study found that more gmail account compromises come from phishing attacks vs. 3rd party data breaches:
We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials. Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.     -- nakedsecurity.sophos.com
Would like to know if a fix for this a) under consideration, b) in progress, or c) will never be worked on, so we can plan our future. Thanks.
2
Derek Curtis Replied
Employee Post
Sorry, I thought someone had left a recent reply to this thread. Yes, better spoof protection is one of the more important things we'll be working on. It's VERY high on the list of items to work on, so a solution is coming. Once more info is available, we'll let you know.
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Will Ver15 get the fix or will we have to wait for Ver17?
Kendra Support
0
Matt Petty Replied
Employee Post
Hello,
 
We have started development on this issue. It is requiring multiple days of evaluation and there is a hefty amount of SMTP and delivery related code moving around for this. This will be in SmarterMail 17.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
4
Not really a great answer.
 
This should be in V15 because V16's interface is not ready for production, in my opinion, and that of many others.
 
