Vulnerability: Spoof any Domain
Problem reported by kevind - 9/22/2017 at 10:46 AM
Spammers, hackers, and phishers are exploiting SM15 (probably SM16 also) by spoofing popular domains using a null sender.  Here's a message that appears to come from @constantcontact.com. It looks legit, but it's fake when you look at the header (can't expect users to do that).
Return-Path: <>
Received: from lurch.overforcorp.com (lurch.operatbox.com []) by v15.smartermail.com with SMTP;
   Fri, 22 Sep 2017 11:17:56 -0400
Received: from localhost ( by lurch.overforcorp.com id eIqp4hLQVtZazhbvcw for user@smartermail.com; Fri, 22 Sep 2017 11:18:00 -0400 (envelope-from <contact@ccm202.constantcontact.com>)
MIME-Version: 1.0
from: =?UTF-8?q?=54=69=6D=65=54=6F=52=65=66=69?=<eIqp4hLQVtZazhbvcw@ccm202.constantcontact.com>
To: user@smartermail.com
Subject: =?UTF-8?q?=52=65=2D=46=69=20=77=69=6C=6C=20=4A=75=73=74=69=66=79?=
Date: Fri, 22 Sep 2017 11:18:00 -0400
Content-Type: multipart/alternative; boundary="=_3ee2f1a39725234a7a5414f8bb61e71a"
Message-ID: <5f5d9b9522db43f2a2d6f057f13a2191@com>
X-Exim-Id: 5f5d9b9522db43f2a2d6f057f13a2191
X-SmarterMail-Spam: Null Sender, Commtouch 10 [value: Confirmed], DKIM_None, Custom Rules []
X-CTCH-RefId: str=0001.0A020204.59C524DA.0154,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 15
There needs to be some kind of check between the From address inside the envelope (what the user sees) and the from address on the outside of the envelope (sending mail server).  The other thing you'll notice is that this message doesn't have any SPF checking, again probably due to the null sender.  IMO, this is a serious vulnerability that needs to be addressed ASAP, very similar to these other issues:
Greylisting doesn't work with Null Senders
Spam checks don't run for Null Senders
If there's a checkbox somewhere that stops this, please let me know.

5 Replies

kevind Replied
Here's a bump since this post is 3 weeks old with no reply. It's definitely an issue with 8 votes.
Looks like this has been an ongoing issue, here's a post from early 2016:
This can also occur without using a null sender. To see an example, look at the 3rd reply in this post:
Just hoping it can be fixed. Thanks.
Matt Petty Replied
Employee Post
Just an update for anyone who sees this thread, greylisting DOES now work on null senders. I updated 2 other threads with this, I forgot to update Kevin's 3rd post about greylisting and null senders.
Unfortunately SPF/DMARC use the return path as part of their spam checks. Without it they cannot work. I'm not sure where to go with this since, if we don't have this info, we cannot run these checks. It would take some brainstorming to figure out what we would need to do and what other info we could use, then some re-engineering of that area. Greylisting is an exception because we use other pieces of info in the check and greylisting doesn't need all of the pieces to perform the check. My suggestion is to use the now working greylisting and some of your other spam checks to help identify these spam messages until we can think of a solution to this.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
Merle Wait Replied
Just thinking out loud.... True, SPF/DMARC does use the return path as part of the spam check. But if it is null, couldn't you use the default server's MX address to compare against the MX address sent?
Technically speaking... there should never be a null return path... so if you force a "known" default against it, wouldn't it fail as desired?
kevind Replied
Matt, here's a solution that will fix the issue for local domains:
If the From address (what the user sees in webmail or Outlook) is a local domain (i.e. on the SmarterMail server), then it must match the Return-Path.  Otherwise, reject it or score it.
This would confirm that either:
  • The sending email address was authenticated with a password.
  • The sending IP address was whitelisted.
This would be a great start and would help stop the spear phishing. For example, if you got an email from Derek@SmarterTools giving you a couple extra weeks of paid vacation :) you should be 100% confident that it hasn't been spoofed. With SM15.7, you can't be sure.
After this, the next fix would be to block spoofing of non-local domains.
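The rule proposed above (a From address in a local domain must match the Return-Path exactly, otherwise reject or score) and the null-sender case from the opening post, as an added Python example that is not part of this thread and not SmarterMail code. It assumes a hypothetical LOCAL_DOMAINS set, uses a deliberately simple address extractor, and goes one step beyond the post by also scoring non-local From addresses whose domain is not aligned with the Return-Path domain (a crude last-two-labels approximation of DMARC relaxed alignment, not the Public Suffix List). The sample headers are constructed; the first is modelled on the message quoted at the top of the thread.

```python
import email
import re
from email.header import decode_header, make_header

# Hypothetical set of domains hosted on this server (assumption for the example;
# a real deployment would read it from the mail server's domain configuration).
LOCAL_DOMAINS = {"smartermail.com"}


def extract_address(header_value):
    """Return the bare addr-spec from a From/Return-Path value, lower-cased.

    '<>' (the null sender) yields ''. Deliberately simple: take the
    angle-bracketed part if present, otherwise the whole value.
    """
    value = (header_value or "").strip()
    match = re.search(r"<([^<>]*)>", value)
    addr = match.group(1) if match else value
    return addr.strip().lower()


def display_name(header_value):
    """Decode the RFC 2047 display name that precedes '<', if any."""
    raw = (header_value or "").split("<", 1)[0].strip()
    if not raw:
        return ""
    return str(make_header(decode_header(raw)))


def domain_of(addr):
    return addr.rpartition("@")[2]


def org_domain(domain):
    """Crude organizational domain: the last two labels.

    Real DMARC relaxed alignment consults the Public Suffix List; this
    shortcut is an assumption that keeps the example self-contained.
    """
    return ".".join(domain.split(".")[-2:]) if domain else ""


def evaluate(raw_message, local_domains=LOCAL_DOMAINS):
    """Apply the From/Return-Path alignment rule to one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_addr = extract_address(from_header)
    return_path = extract_address(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    rp_domain = domain_of(return_path)

    reasons = []
    verdict = "accept"
    if return_path == "":
        reasons.append("null sender: Return-Path is <>")

    if from_domain in local_domains:
        # The thread's rule: a local From address must match the Return-Path
        # exactly, which only holds when the sender authenticated with a
        # password or came from a whitelisted IP.
        if from_addr != return_path:
            reasons.append("local From %s does not match Return-Path %r"
                           % (from_addr, return_path))
            verdict = "reject"
    elif org_domain(from_domain) != org_domain(rp_domain):
        # Non-local From: score rather than hard-reject, because legitimate
        # bounces (null sender) and some mailing lists also break alignment.
        reasons.append("From domain %s not aligned with Return-Path domain %r"
                       % (from_domain, rp_domain))
        verdict = "score"

    return {
        "display_name": display_name(from_header),
        "from": from_addr,
        "return_path": return_path,
        "verdict": verdict,
        "reasons": reasons,
    }


# Constructed samples (headers only, bodies omitted).
SAMPLE_SPOOF = """Return-Path: <>
Received: from lurch.overforcorp.com (lurch.operatbox.com []) by v15.smartermail.com with SMTP; Fri, 22 Sep 2017 11:17:56 -0400
From: =?UTF-8?q?=54=69=6D=65=54=6F=52=65=66=69?=<eIqp4hLQVtZazhbvcw@ccm202.constantcontact.com>
To: user@smartermail.com
Subject: test

"""

SAMPLE_LOCAL_SPOOF = """Return-Path: <>
From: "Derek" <derek@smartermail.com>
To: user@smartermail.com
Subject: Extra vacation

"""

SAMPLE_LOCAL_OK = """Return-Path: <user@smartermail.com>
From: user@smartermail.com
To: other@smartermail.com
Subject: hello

"""

SAMPLE_REMOTE_OK = """Return-Path: <bounce@ccm202.constantcontact.com>
From: "Newsletter" <news@constantcontact.com>
To: user@smartermail.com
Subject: newsletter

"""

if __name__ == "__main__":
    for name, sample in [("spoof", SAMPLE_SPOOF), ("local spoof", SAMPLE_LOCAL_SPOOF),
                         ("local ok", SAMPLE_LOCAL_OK), ("remote ok", SAMPLE_REMOTE_OK)]:
        print(name, evaluate(sample))
```

Running the script prints a verdict per sample: the thread's message is scored (null sender, From not aligned), a null-sender message claiming a local From is rejected, and the two aligned messages are accepted. The "score" rather than "reject" path for non-local domains is the caveat a mail admin would want: a Return-Path of <> is also what every legitimate delivery status notification carries, so only the local-domain case is safe to treat as a hard failure.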
kevind Replied
Matt, certainly the greylisting for null senders might help and we appreciate the fix. But many servers don't use greylisting and it doesn't solve the problem if the server simply retries after being greylisted.

Also, this can occur without using a null sender. To see an example, look at the 3rd reply in this post:

We're not really talking about spam anymore, but fake messages -- when the From address doesn't match the Return-Path. Take a look at the idea below as it would help, especially with spear phishing.

