
Sorry for the long title.

My parent organisation, which owns the company I work for, accepts emails sent from test@org.com to test@org.com when connecting via telnet to port 25 externally. I'm connecting from a static AWS EC2 instance IP. I think this opens up a can of worms, in that the organisation already gets emails from copier@org.com to other users within the business with viruses, and these come through from external IP addresses, so I'm assuming they use this exact hole to send them...

I was writing an email for a network admin at our parent organisation to send to Sophos, and thought I'd show a telnet session to Sophos's mail server (telnet mx1.sophos.com 25) to show how they deny it themselves while our Sophos Email Appliance server doesn't. However, this "issue" exists on their server too?

220 mx1.sophos.com ESMTP Postfix
helo mx1.sophos.com
250 mx1.sophos.com
mail from: test@sophos.com
250 2.1.0 Ok
rcpt to: support@sophos.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 084A3762F13

Surely this shouldn't be allowed, as even though it isn't allowing full open relay (e.g. sending to name@gmail.com), it is allowing me to spoof emails from internal sophos.com users to other internal sophos.com users, just the same as it does for my organisation?

Gmail blocks this as expected:

220 mx.google.com ESMTP oi10si15453069oeb.67 - gsmtp
helo
250 mx.google.com at your service
mail from:<myemail@gmail.com>
250 2.1.0 OK oi10si15453069oeb.67 - gsmtp
rcpt to:<myemail@gmail.com>
250 2.1.5 OK oi10si15453069oeb.67 - gsmtp
data
354  Go ahead oi10si15453069oeb.67 - gsmtp
test
.
421-4.7.0 [X.X.X.X(my ip)      15] Our system has detected an unusual rate of
421-4.7.0 unsolicited mail originating from your IP address. To protect our
421-4.7.0 users from spam, mail sent from your IP address has been temporarily
421-4.7.0 rate limited. Please visit
421-4.7.0  https://support.google.com/mail/answer/81126 to review our Bulk Email
421 4.7.0 Senders Guidelines. oi10si15453069oeb.67 - gsmtp


Connection to host lost.

Am I just thinking about this whole email thing in the wrong way? Is what Sophos allows normal?

Regards, Liam

Liam Wheldon
  • ...It looks like the line that got you a 501 is the same as the one that got you a 250, so I'm not clear on how that happened, but I think you may have discovered a legitimate flaw in their software. Of course, I don't know if they actually sent the e-mail. – Parthian Shot Feb 12 '16 at 14:50
  • Ignore that one, that's because I tried sending to test@sophos.com which doesn't exist so it denied me sending to the user. I then sent to support@sophos.com instead which does exist. At my organisation it does send and comes through to the user. But obviously they could be doing something after at Sophos internally to stop it. – Liam Wheldon Feb 12 '16 at 14:58
  • Sorry - what I was confused by was the fact that, after you got a 550 for `test@sophos.com`, you got a `501` for support@sophos.com, and then you (apparently) reissued the same command for `support@sophos.com` and that `501` turned into a `250`. – Parthian Shot Feb 12 '16 at 15:17
  • Ahh, I get what you mean now! I think I used backspace to correct it (within the telnet session) and that throws it out even though it looks fine. I'll remove these invalid lines as they'll confuse anyone else looking at it too :-) – Liam Wheldon Feb 12 '16 at 15:20
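The question compares two telnet sessions by eye. The following is an added example (not code from the asker, Sophos or Google) that does that comparison mechanically: it parses a copied SMTP session, tracks what the server accepted, and decides whether an outside, unauthenticated client was allowed to use the MX's own domain as envelope sender and whether the message was actually queued. The embedded transcript is adapted from the question's session against mx1.sophos.com; the `Session` fields, the verdict strings and the `client_is_internal` flag are this example's own names.

```python
"""Flag envelope-sender spoofing in a copied SMTP session transcript.
Added example for this question (not code from the asker, Sophos or Google): given
a telnet session and the domain the MX serves, report whether an outside,
unauthenticated client could use that domain as MAIL FROM and whether the
message was actually queued."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REPLY_RE = re.compile(r"^(\d{3})([ -]?)(.*)$")  # server reply; "-" = continuation line
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")  # envelope address, <> optional


def _envelope_addr(command: str) -> str:
    # accepts 'MAIL FROM:<a@b>' as well as the question's 'mail from: a@b'
    arg = command.split(":", 1)[1] if ":" in command else command
    m = ADDR_RE.search(arg)
    return m.group(1).lower() if m else ""


@dataclass
class Session:
    authenticated: bool = False  # server answered AUTH with 235
    mail_from: Optional[str] = None
    mail_from_accepted: bool = False
    recipients: List[Tuple[str, bool]] = field(default_factory=list)  # (address, accepted)
    queued: bool = False  # 2xx reply to the end-of-data "."
    final_code: str = ""  # code of the reply that closed the DATA phase


def parse_transcript(text: str) -> Session:
    """Walk client commands and server replies, tracking the envelope and the outcome."""
    s, pending, in_data = Session(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_data:  # message body runs until a lone "."
            if line == ".":
                in_data, pending = False, ("eod", None)
            continue
        m = REPLY_RE.match(line)
        if m:  # server reply: act on the command it answers; only the final line counts
            code, sep, _ = m.groups()
            if sep == "-":
                continue
            kind, arg = pending or ("none", None)
            if kind == "auth":
                s.authenticated = code == "235"
            elif kind == "mail":
                s.mail_from, s.mail_from_accepted = arg, code.startswith("2")
            elif kind == "rcpt":
                s.recipients.append((arg, code.startswith("2")))
            elif kind == "data":
                in_data = code == "354"
            elif kind == "eod":
                s.queued, s.final_code = code.startswith("2"), code
            pending = None
            continue
        verb = line.upper()  # client command, or noise such as "Connection to host lost."
        if verb.startswith("AUTH"):
            pending = ("auth", None)
        elif verb.startswith("MAIL FROM"):
            pending = ("mail", _envelope_addr(line))
        elif verb.startswith("RCPT TO"):
            pending = ("rcpt", _envelope_addr(line))
        else:
            pending = ("data", None) if verb == "DATA" else None
    return s


def assess(session: Session, mx_domain: str, client_is_internal: bool = False) -> dict:
    """Was the MX's own domain accepted as envelope sender from an outside client?"""
    def dom(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower()
    mx_domain = mx_domain.lower()
    sender_domain = dom(session.mail_from) if session.mail_from else ""
    internal_rcpts = [a for a, ok in session.recipients if ok and dom(a) == mx_domain]
    spoofable = (sender_domain == mx_domain and session.mail_from_accepted
                 and not session.authenticated and not client_is_internal)
    if not spoofable:
        verdict = "not observed"
    elif session.queued:  # the queued reply after DATA is the real evidence
        verdict = ("spoofed internal-to-internal message queued" if internal_rcpts
                   else "spoofed sender queued to non-local recipients")
    else:
        verdict = "spoofed sender accepted at MAIL FROM but message rejected later"
    return {"sender_domain": sender_domain, "internal_recipients": internal_rcpts,
            "queued": session.queued, "final_code": session.final_code, "verdict": verdict}


# Adapted from the question's session against mx1.sophos.com.
SOPHOS_SESSION = """220 mx1.sophos.com ESMTP Postfix
helo mx1.sophos.com
250 mx1.sophos.com
mail from: test@sophos.com
250 2.1.0 Ok
rcpt to: support@sophos.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 084A3762F13
"""

if __name__ == "__main__":
    print(assess(parse_transcript(SOPHOS_SESSION), "sophos.com"))
```

Two points the verdict logic encodes: a 250 to MAIL FROM on its own proves little, because servers commonly defer sender and recipient policy to RCPT TO or to the end of DATA (Postfix does this by default, and the Gmail session in the question was refused only after the final "."), so the queued reply after DATA is what to compare. On the Postfix side, the usual fix for the case the question describes is a `check_sender_access` table listing your own domains under `smtpd_sender_restrictions`, placed after `permit_mynetworks` and `permit_sasl_authenticated`, so only authenticated or internal clients may claim a local sender; publishing SPF and DMARC for the domain gives the gateway a second, standards-based reason to reject the same message.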
