5

While testing my SMTP server using a telnet session from home, I was able to generate an email using the following commands:

telnet MyEmailServer 25
HELO MyEmailServer
MAIL FROM: RandomValidEmail@mydomain.com
RCPT TO: AnotherRandomValidEmail@mydomain.com
DATA
somedata
.
QUIT

This means that anyone would be able to generate a spoofed email, say from my manager's email to my email, asking me to click on some dodgy website.

Is this a misconfiguration in my email server which I can somehow fix, or is it the normal way that SMTP works?

lisa17
  • 1,958
  • 7
  • 21
  • 43
  • Canonical (I think) and ursinely funny: https://security.stackexchange.com/questions/9487/how-can-paypal-spoof-emails-so-easily-to-say-it-comes-from-someone-else – dave_thompson_085 Apr 28 '17 at 06:10

3 Answers

3

From your point of view, the situation is even worse. MAIL FROM: and RCPT TO: are only used for the envelope addresses, that is the address of the actual sender and the addresses of the recipients. Those addresses can be controlled by the server; for example, either the source or the recipient addresses can be required to be valid local addresses.

But what is later shown in the recipient's mailer is the header addresses. So your example could go one step further. Disclaimer: this is just an example - NEVER SEND THAT TO A MAIL ADDRESS THAT IS NOT YOURS

telnet MyEmailServer 25
HELO MyEmailServer
MAIL FROM: RandomValidEmail@mydomain.com
RCPT TO: AnotherRandomValidEmail@mydomain.com
DATA
From: Donald.Trump@WhiteHouse.gov
To: AnotherRandomValidEmail@mydomain.com
Subject: Promotion as personal secretary of the US president

Hi,
... rest of message ...
.
QUIT

And AnotherRandomValidEmail will receive a message that looks like it comes from whatever you put in the From: header field. OK, some filters may now exist that reject this message or mark it as possibly forged, but you should try it on your favourite SMTP server. But once again, please only use your own address for the recipient!

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
2

Is this a misconfiguration in my email server which I can somehow fix, or is it the normal way that SMTP works?

Both. First, this is how the SMTP protocol works. The SMTP protocol itself does not include any kind of policy about which mails should be accepted or not; it only defines how the mails get transmitted. But you should add such a policy to your mail server, typically something like:

  • do not relay any mails, i.e. don't accept mails which come from an external sender and have an external recipient
  • only accept mails with a sender claiming to be from your domain with proper authentication (SMTP protocol supports authentication)
  • only accept mails for which an account exists
  • check sender against black lists and SPF
  • ...

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
2

SMTP by design has no authentication. Viewing the email headers can provide you with more information like what IP the email was sent from.

Things like SPF, DKIM, and DMARC can help with email validation.

bigC5012
  • 143
  • 7
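As an added example (not code from this answer), here is a minimal SPF evaluator in Python that shows what an SPF check does with the connecting IP address mentioned above: it compares that IP with the address ranges the sender's domain publishes. A real MTA fetches the record from DNS for the MAIL FROM domain and also handles the a, mx, include and redirect mechanisms; this example takes the record as a string, handles only ip4, ip6 and all, and uses a constructed record and constructed client addresses.

```python
"""Added example, not code from the answers: a minimal SPF evaluator for the
ip4/ip6/all mechanisms. The record and client addresses are constructed."""
import ipaddress

# Constructed SPF record for an example domain: mail may come from one IPv4
# /24 and one IPv6 /32; everything else must fail.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none')
    for a connection from client_ip, given the domain's SPF TXT record.

    Only ip4, ip6 and all are handled; mechanisms that need DNS lookups
    (a, mx, include, redirect, ...) raise NotImplementedError here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result  # 'all' matches every client
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled")
    return "neutral"  # nothing matched and there was no 'all' term


def spf_action(result: str) -> str:
    """One common receiver policy: refuse on fail, otherwise deliver, tagging
    softfail for the filters to weigh later."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-tag"
    return "accept"


if __name__ == "__main__":
    for client in ("192.0.2.77", "203.0.113.5", "2001:db8:1::1"):
        result = evaluate_spf(EXAMPLE_SPF, client)
        print(f"{client:15} {result:8} -> {spf_action(result)}")
```

Note that SPF only ties the connecting IP to the envelope (MAIL FROM) domain, the same address the previous answers show is invisible to the user; aligning the displayed From: header with that check is what DMARC adds on top, and DKIM covers the case where the message body and headers themselves must be shown to be unmodified.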