Incoming gateways are sending delivery failures and spoofed messages to proper recipients for emails that had been spoofed from remote SMTP servers
Problem reported by Webio - December 14, 2018 at 5:01 AM
Submitted
Hello,

I'm wondering if anyone else is experiencing a similar issue.

My environment is using SM v15 as the main mail server, 2x v15 as outgoing gateways (I will probably update them to v16 soon) and 3x v16 as incoming gateways.

Incoming gateways are set to "Domain Forward" gateway mode with SmarterMail Gateway Mode enabled and User Verification set to "Web Service".

I have two scenarios:

Scenario 1:

A remote SMTP server sends an email that has my client's email address in the SMTP banner and also in the message content, where FROM and TO are set to the same email address.

This scenario produces a System Administrator Delivery Failure bounce message which (now the funny thing) is being forwarded to my client.

Could not deliver message to the following recipient(s):

Failed Recipient: CLIENTEMAILADDRESS
Reason: Remote host said: 550 Authentication is required for relay


   -- The header and top 20 lines of the message follows --

From: hrycek <CLIENTEMAILADDRESS>
To: CLIENTEMAILADDRESS
Cc: 
Bcc: 
Date: Fri, 14 Dec 2018 11:36:14 +0000
Subject: Here is the subject

This is the body in plain text for non-HTML mail clients
Of course the client calls or sends a ticket saying that he didn't send anything to himself and asks WTF.

Here is the SMTP connection log:

2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] rsp: 220 MYINCOMINGGATEWAY
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] connected at 2018-12-14 12:34:26
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] cmd: EHLO REMOTESMTPBANNERNAME
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] rsp: 250-MYINCOMINGGATEWAY Hello [REMOTESMTPIPADDRESS]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] cmd: STARTTLS
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] rsp: 220 Start TLS negotiation
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] cmd: EHLO REMOTESMTPBANNERNAME
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] rsp: 250-MYINCOMINGGATEWAY Hello [REMOTESMTPIPADDRESS]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] cmd: MAIL FROM:<CLIENTEMAILADDRESS> SIZE=1038 BODY=8BITMIME
2018.12.14 12:34:26 [REMOTESMTPIPADDRESS][64179800] senderEmail(1): CLIENTEMAILADDRESS parsed using: <CLIENTEMAILADDRESS>
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] rsp: 250 OK <CLIENTEMAILADDRESS> Sender ok
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] cmd: RCPT TO:<CLIENTEMAILADDRESS>
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] rsp: 250 OK <CLIENTEMAILADDRESS> Recipient ok
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] cmd: DATA
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] Performing PTR host name lookup for REMOTESMTPIPADDRESS
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] PTR host name for REMOTESMTPIPADDRESS resolved as REMOTESMTPBANNERNAME
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] senderEmail(2): CLIENTEMAILADDRESS parsed using: somename <CLIENTEMAILADDRESS>
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] rsp: 250 OK
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] Received message size: 1119 bytes
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] Successfully wrote to the HDR file. (SPOOLPATH\SubSpool3\-1223099881355.hdr)
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] Data transfer succeeded, writing mail to -1223099881355.eml (MessageID: <uH6u3H1mqFf7O0tblkW6EINVnMk6sMPJC4yvBwyAaQ@mbp>)
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] cmd: QUIT
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] rsp: 221 Service closing transmission channel
2018.12.14 12:34:49 [REMOTESMTPIPADDRESS][64179800] disconnected at 2018-12-14 12:34:49
Scenario 2:

A remote SMTP server sends an email where the SMTP connection provides some fake non-local email address, but in the message content FROM and TO are set to my client's address.

This scenario produces a message which is passed on to the main SM server into my client's mailbox and looks like it has been sent from himself to himself.

2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] rsp: 220 MYINCOMINGGATEWAY
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] connected at 2018-12-14 12:37:37
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] cmd: EHLO REMOTESMTPBANNERNAME
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] rsp: 250-MYINCOMINGGATEWAY Hello [REMOTESMTPIPADDRESS]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] cmd: STARTTLS
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] rsp: 220 Start TLS negotiation
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] cmd: EHLO REMOTESMTPBANNERNAME
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] rsp: 250-MYINCOMINGGATEWAY Hello [REMOTESMTPIPADDRESS]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] cmd: MAIL FROM:<FAKEEMAILADDRESS> SIZE=1038 BODY=8BITMIME
2018.12.14 12:37:37 [REMOTESMTPIPADDRESS][17581568] senderEmail(1): FAKEEMAILADDRESS parsed using: <FAKEEMAILADDRESS>
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] rsp: 250 OK <FAKEEMAILADDRESS> Sender ok
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] cmd: RCPT TO:<CLIENTEMAILADDRESS>
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] rsp: 250 OK <CLIENTEMAILADDRESS> Recipient ok
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] cmd: DATA
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] Performing PTR host name lookup for REMOTESMTPIPADDRESS
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] PTR host name for REMOTESMTPIPADDRESS resolved as REMOTESMTPBANNERNAME
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] senderEmail(2): CLIENTEMAILADDRESS parsed using: somename <CLIENTEMAILADDRESS>
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] rsp: 250 OK
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] Received message size: 1119 bytes
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] Successfully wrote to the HDR file. (SPOOLPATH\SubSpool2\-1223099881424.hdr)
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] Data transfer succeeded, writing mail to -1223099881424.eml (MessageID: <G9qcqe9bcs5FiiGUJt123yPyeb86tEqQlM6pHY2u4s@mbp>)
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] cmd: QUIT
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] rsp: 221 Service closing transmission channel
2018.12.14 12:37:49 [REMOTESMTPIPADDRESS][17581568] disconnected at 2018-12-14 12:37:49
Example PHP script using the phpMailer lib:

<?php
// Reproduction script for the two scenarios above (PHPMailer via Composer).
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

$mail = new PHPMailer(true); // true = throw Exception on failure
try {
    $mail->SMTPDebug = 2;                // print client/server SMTP dialogue
    $mail->isSMTP();
    $mail->Host = 'REMOTESMTPHOST';      // the remote (non-SmarterMail) submission server
    $mail->SMTPAuth = true;
    $mail->Username = 'USERNAME';
    $mail->Password = 'PASSWORD';
    $mail->SMTPSecure = 'tls';           // STARTTLS, matches the log above
    $mail->Port = 587;

    // Envelope sender (SMTP MAIL FROM). Scenario 2 as written here;
    // set it to CLIENTEMAILADDRESS to reproduce Scenario 1.
    $mail->Sender = 'FAKEEMAILADDRESS';

    // Header From and To are both the client's address in either scenario.
    $mail->setFrom('CLIENTEMAILADDRESS', 'somename');
    $mail->addAddress('CLIENTEMAILADDRESS');

    $mail->isHTML(true);
    $mail->Subject = 'Here is the subject';
    $mail->Body    = 'This is the HTML message body <b>in bold!</b>';
    $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

    $mail->send();
    echo 'Message has been sent';
} catch (Exception $e) {
    echo 'Message could not be sent. Mailer Error: ', $mail->ErrorInfo;
}
My question here is: shouldn't these two SMTP connections be disconnected right away after they were made, because of the Incoming Gateway User Verification using the Web Service? IMHO User Verification should be performed and, if the main SmarterMail instance holds CLIENTEMAILADDRESS, then ANY remote deliveries where this email address is present in any field (SMTP FROM, content FROM or TO) should be rejected right away without creating any bounce messages.

I've updated my incoming gateways to v16 exactly because of:

"Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection "

entry present in the changelog, but it somehow is not being applied in any way during incoming connections when SM is used as an incoming gateway.

Thanks
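The gateway-side check the post is asking for, written out as an added example (not SmarterMail's code and not part of the original post): parse the envelope sender, the header From that SmarterMail logs as senderEmail(2), the recipient and the AUTH state from a session log, then reject in-session, before any bounce can be generated, when an unauthenticated remote host claims a locally hosted address. The log excerpts, the domain example.org and the regex for an AUTH command line are constructed assumptions.

```python
import re

LOCAL_DOMAINS = {"example.org"}  # domains hosted on the main SmarterMail instance (assumed)

# Constructed excerpts modelled on the two sessions in the post; addresses are
# invented, user@example.org stands in for CLIENTEMAILADDRESS.
SCENARIO_1 = """\
cmd: MAIL FROM:<user@example.org> SIZE=1038 BODY=8BITMIME
cmd: RCPT TO:<user@example.org>
senderEmail(2): user@example.org parsed using: somename <user@example.org>
"""
SCENARIO_2 = """\
cmd: MAIL FROM:<nobody@remote.example> SIZE=1038 BODY=8BITMIME
cmd: RCPT TO:<user@example.org>
senderEmail(2): user@example.org parsed using: somename <user@example.org>
"""
LEGIT = """\
cmd: MAIL FROM:<partner@other.example> SIZE=900 BODY=8BITMIME
cmd: RCPT TO:<user@example.org>
senderEmail(2): partner@other.example parsed using: Partner <partner@other.example>
"""

def parse_session(log):
    """Extract envelope sender, header From, recipient and AUTH state from one session."""
    def grab(pattern):
        m = re.search(pattern, log)
        return m.group(1).lower() if m else None
    return {
        "envelope_from": grab(r"cmd: MAIL FROM:<([^>]*)>"),
        "header_from": grab(r"senderEmail\(2\): (\S+) parsed"),
        "rcpt_to": grab(r"cmd: RCPT TO:<([^>]*)>"),
        # assumed log form for a successful AUTH command in the session
        "authenticated": bool(re.search(r"cmd: AUTH ", log)),
    }

def domain(addr):
    return addr.rsplit("@", 1)[-1] if addr and "@" in addr else None

def gateway_policy(session, local_domains=LOCAL_DOMAINS):
    """Reject during the SMTP dialogue (550), so no delivery-failure bounce is ever created."""
    if session["authenticated"]:
        return ("accept", None)
    for field in ("envelope_from", "header_from"):
        if domain(session[field]) in local_domains:
            return ("reject", f"550 5.7.1 {field} claims a local domain from an unauthenticated host")
    return ("accept", None)
```

Legitimate third parties that keep a local address in the header From (forwarders, SaaS mailers) would be rejected by this strict rule too, so in practice it is combined with an allowlist or SPF/DKIM alignment.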

Webio Replied
The issue has been submitted as a support ticket since no one responded.