-2

I use Zimbra as my office email server. Recently, an intern at my company showed that he could use my email id (without hacking into my account) to send emails to anyone in the company using the Zimbra mail server domain in place of localhost using this code http://www.tutorialspoint.com/jsp/jsp_sending_email.htm

I was surprised that a commercial mail server did not have a means to prevent this.

Given the easy availability of this code, I assume this problem is well known and mail servers would have rules to check for this.

Does SMTP allow this to happen and nothing can be done to stop it? Would I be able to write some code to constantly monitor the server for such packets which come from such emails? (Am assuming such mails would have a different kind of packet header) and I would be able to monitor it since it is local and probably does not go through the internet.

Anything the IT support dept would be able to do to stop such emails (technologically; not by threats)?

Nav
  • `Anything the IT support dept would be to do` - Are you not the IT support Dept? If not go ask them. While you are at it spend some time reading about email. – Zoredache Mar 19 '15 at 17:15
  • No, I am not an IT support person. I already spoke to them and they only seem to know how to stop those mails by blacklisting them. Shouldn't there be a way that the mail server can force the JSP program to send an account password to be able to send an email? – Nav Mar 19 '15 at 17:28

1 Answer

2

Most MTA software (including Microsoft Exchange) will allow you to forge the From header in an email message. Also, SMTP itself is a protocol, like HTTP, so it would not be able to prevent it. Email spoofing is certainly nothing groundbreaking or new - I'd highly recommend the Wikipedia article on Email spoofing for more detail.

Forging the From header is how most "service" emails work - for example emails sent from system@example.com where the "system" user doesn't actually exist - the same goes for the commonly-used noreply@example.com address to send all "Reply" email into a black hole.

This is because, as Ericrobert alluded to, SMTP wasn't specifically designed with security in mind. If you're concerned about unauthorised access, you can turn on SMTP authentication so that each connection to your server needs to provide a username and password.

However, SMTP authentication does not prevent joe.bloggs@example.com authenticating and sending an email as kate.bloggs@example.com, and would also need to be enabled carefully. Incoming email will need to be relayed unauthenticated.

A typical solution to this is to use port 25 as an unauthenticated closed relay (i.e. the server will only accept email for your domain) and port 587 for authenticated connections; however, your intern would still be able to use their script on port 25.

Craig Watson
  • Apparently the mods didn't like my answer. Here's a link to the answer I was referencing that should give some insight. http://serverfault.com/a/415564/148296 – Ericrobert Mar 19 '15 at 19:09
  • Thank you Ericrobert. That is exactly what I was looking for. Wonder why the mods removed a correct answer ... – Nav Mar 20 '15 at 01:08
  • @Craig: At least with JSP/Java, it doesn't seem possible to spoof an email id after authenticating with the server. You're referring to some other language? – Nav Apr 05 '15 at 20:06
  • @Nav it's possible in any language, you just rewrite the From header. Source: https://javamail.java.net/nonav/docs/api/javax/mail/internet/InternetAddress.html – Craig Watson Apr 09 '15 at 20:46
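The question asks whether such mail can be monitored for, and the answer describes two gaps: unauthenticated port 25 accepting a local From address, and an authenticated user sending as someone else. The following is an added example, not code from any of the posts above or from Zimbra. It assumes you can obtain, per accepted message, the listener port and the authenticated user (the `check_submission` name and its parameters are hypothetical; how you get those values depends on your MTA's logs or policy hooks), and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"  # assumption: the domain this server is authoritative for

def check_submission(port, auth_user, raw_message, local_domain=LOCAL_DOMAIN):
    """Return a list of findings for one accepted message.

    port      -- listener the message arrived on (25 or 587)
    auth_user -- address the client authenticated as, or None if it did not
    """
    msg = message_from_string(raw_message)
    findings = []
    # More than one From header lets different components disagree on the sender.
    if len(msg.get_all("From", [])) > 1:
        findings.append("multiple-from-headers")
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    if not from_addr:
        findings.append("missing-or-unparseable-from")
    if auth_user is None:
        # Port 25 must accept unauthenticated inbound mail, so the usable signal
        # is an unauthenticated client claiming to be one of our own users.
        # Legitimate service senders (e.g. noreply@) would need an allowlist.
        if from_domain == local_domain:
            findings.append("unauthenticated-local-from")
        if port == 587:
            findings.append("unauthenticated-on-submission-port")
    elif from_addr != auth_user.lower():
        # The joe.bloggs-sending-as-kate.bloggs case from the answer.
        findings.append("from-differs-from-auth-user")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = "From: Kate Bloggs <kate.bloggs@example.com>\nTo: all@example.com\nSubject: hi\n\nbody\n"
HONEST = "From: Joe <joe.bloggs@example.com>\nTo: all@example.com\nSubject: hi\n\nbody\n"
INBOUND = "From: someone@partner.test\nTo: joe.bloggs@example.com\nSubject: hi\n\nbody\n"
TWO_FROM = "From: joe.bloggs@example.com\nFrom: kate.bloggs@example.com\n\nbody\n"

if __name__ == "__main__":
    for port, user, raw in [(25, None, SPOOFED),
                            (587, "joe.bloggs@example.com", SPOOFED),
                            (587, "joe.bloggs@example.com", HONEST),
                            (25, None, INBOUND)]:
        print(port, user, check_submission(port, user, raw))
```
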