Vulnerability: Spoof any Domain
Problem reported by kevind - September 22, 2017 at 10:46 AM
Known
Spammers, hackers, and phishers are exploiting SM15 (probably SM16 also) by spoofing popular domains using a null sender.  Here's a message that appears to come from @constantcontact.com. It looks legit, but it's fake when you look at the header (can't expect users to do that).
Return-Path: <>
Received: from lurch.overforcorp.com (lurch.operatbox.com [108.60.222.203]) by v15.smartermail.com with SMTP;
   Fri, 22 Sep 2017 11:17:56 -0400
Received: from localhost (127.0.0.1) by lurch.overforcorp.com id eIqp4hLQVtZazhbvcw for user@smartermail.com; Fri, 22 Sep 2017 11:18:00 -0400 (envelope-from <contact@ccm202.constantcontact.com>)
MIME-Version: 1.0
from: =?UTF-8?q?=54=69=6D=65=54=6F=52=65=66=69?=<eIqp4hLQVtZazhbvcw@ccm202.constantcontact.com>
To: user@smartermail.com
Subject: =?UTF-8?q?=52=65=2D=46=69=20=77=69=6C=6C=20=4A=75=73=74=69=66=79?=
Date: Fri, 22 Sep 2017 11:18:00 -0400
Content-Type: multipart/alternative; boundary="=_3ee2f1a39725234a7a5414f8bb61e71a"
Message-ID: <5f5d9b9522db43f2a2d6f057f13a2191@com>
X-Exim-Id: 5f5d9b9522db43f2a2d6f057f13a2191
X-SmarterMail-Spam: Null Sender, Commtouch 10 [value: Confirmed], DKIM_None, Custom Rules []
X-CTCH-RefId: str=0001.0A020204.59C524DA.0154,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 15
There needs to be some kind of check between the From address inside the envelope (what the user sees) and the from address on the outside of the envelope (sending mail server).  The other thing you'll notice is that this message doesn't have any SPF checking, again probably due to the null sender.  IMO, this is a serious vulnerability that needs to be addressed ASAP, very similar to these other issues:
 
Greylisting doesn't work with Null Senders
 
Spam checks don't run for Null Senders
 
If there's a checkbox somewhere that stops this, please let me know.
Thanks,
Kevin

3 Replies

Reply to Thread
3
Here's a bump since this post is 3 weeks old with no reply. It's definitely an issue with 8 votes.
 
Looks like this has been an ongoing issue, here's a post from early 2016:
 
This can also occur without using a null sender. To see an example, look at the 3rd reply in this post:
https://portal.smartertools.com/community/a89604/how-do-you-guys-handle-spear-phising.aspx
 
Just hoping it can be fixed. Thanks.
0
Matt Petty Replied
Employee Post
Just an update for anyone who sees this thread, greylisting DOES now work on null senders. I updated 2 other threads with this, I forgot to update Kevin's 3rd post about greylisting and null senders.
 
Unfortunately SPF/DMARC use the return path as part of its spam checks. Without it they cannot work. I'm not sure where to go with this since, if we don't have this info, we cannot run these checks. It would take some brainstorming to figure out what we would need to do and what other info we could use, then some re-engineering of that area. Greylisting is an exception because we use other pieces of info in the check and greylisting doesn't need all the of pieces to perform the check. My suggestion is use the now working greylisting and some of your other spam checks to help identify these spam messages until we can think of a solution to this.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
5
Matt, here's a solution that will fix the issue for local domains:
If the From address (what the user sees in webmail or Outlook) is a local domain (i.e. on the SmarterMail server), then it must match the Return-Path.  Otherwise, reject it or score it.
This would confirm that either:
  • The sending email address was authenticated with a password.
  • The sending IP address was whitelisted.
This would be a great start and would help stop the spear phishing. For example, if you got an email from Derek@SmarterTools giving you a couple extra weeks of paid vacation :) you should be 100% confident that it hasn't been spoofed. With SM15.7, you can't be sure.
 
After this, the next fix would be to block spoofing of non-local domains.
 
Thanks,
Kevin

Reply to Thread