[comp.mail.sendmail] Forging messages

K.Sattar@cs.exeter.ac.uk (Khalid Sattar) (11/06/90)

I have just realised that on our machine, which is a Pyramid
running IDA sendmail 5.61 (or any of the suns on the campus running
the sun standard 4.0.3 supplied sendmail), it is possible for anyone to forge a
message to make it appear as if it came from someone else.  This is
because sendmail allows the forger to change the From and Sender fields.
Looking at the delivered mail I cannot find any tell-tales that would
reveal the identity of the forger.  How can I stop this?

extra info:

The sendmail.cf does not contain the forger in its trusted list of
users.  The sendmail is setuid to root and the default user in the .cf
file is 16 (mailer) and the group is daemon.

password file entry for mailer

	mailer:DISABLED:16:1:Mailer:/:/bin/false

Relevant bits of my sendmail.cf

############################################################
#
#	General configuration information
#
############################################################

DVUK-2.1


##########################
###   Special macros   ###
##########################

# my name
DnPOSTMASTER
# UNIX header format
DlFrom $g $d remote from $U
# delimiter (operator) characters (note '~' has been added)
Do.:%@!^=/[]~
# format of a total name
Dq$?x$x <$g>$|$g$.
# SMTP login message
De$j Sendmail $v/$V ready at $b

###################
###   Options   ###
###################

# location of alias file
OA/usr/lib/aliases
# default delivery mode (deliver in background)
Odbackground
# mail to me too (needed for multihost sites)
Om
# (don't) connect to "expensive" mailers
#Oc
# automatically do newaliases when aliases.dbm out of date
#OD
# temporary file mode 
OF0644
# default GID
Og1
# location of help file
OH/usr/lib/sendmail.hf
# log level
OL9
# default messages to old style
Oo
# Cc my postmaster on error replies I generate
#OP`'POSTMASTER
# queue directory
OQ/usr/spool/mqueue
# read timeout -- violates protocols
Or30m
# status file
OS/usr/lib/sendmail.st
# queue up everything before starting transmission
# Os
# default timeout interval
OT3d
# time zone names (V6 only)
# OtGMT,BST
# default UID
Ou16
# wizard's password
OWz3GvK.dPUxieQ
# load averages at which to start queuing/refuse connections
Ox6
OX8
# penalty per recipient
Oy1000
# memory-poor environment
OY
# boost for high-priority messages
#Oz1800
# generic names database
OKG/usr/local/admin/sendmail/tabs/generic.names
# penalty for being retried
#OZ0

###############################
###   Message precedences   ###
###############################

Pfirst-class=0
Pspecial-delivery=100
Pjunk=-100

#########################
###   Trusted users   ###
#########################

Troot
Tdaemon
Tmailer
Tuucp
Tmail

#############################
###   Format of headers   ###
#############################

H?F?From: $q
H?D?Date: $a
H?M?Message-Id: <$p.$t@$j>
H?F?Resent-From: $q
H?D?Resent-Date: $b
H?M?Resent-Message-Id: <$p.$t@$j>
HSubject:
HReceived: $?sfrom $s by $j; $b$.
HVia: $?S$S; $b$
  :
  :
Mlocal,   P=/bin/mail, F=lsmFD, S=20, R=20, A=mail -r $f -d $u 
Mbinmail, P=/bin/mail, F=lsmFD, S=20, R=20, A=mail -r $f -d $u 
Mprog,    P=/bin/sh,   F=nlsFD,   S=20, R=20, A=sh -c $u 
  :
Mether,	P=[IPC], F=nsmFDMuXC, S=21, R=21, A=IPC $h

ehrlich@cs.psu.edu (Dan Ehrlich) (11/07/90)

In article <25249.9011061356@expya.cs.exeter.ac.uk> K.Sattar@cs.exeter.ac.uk (Khalid Sattar) writes:

Khalid> Original-Sender: admin@cs.exeter.ac.uk

Khalid> I have just realised that on our machine, which is a Pyramid
Khalid> running IDA sendmail 5.61 (or any of the suns on the campus running
Khalid> the sun standard 4.0.3 supplied sendmail), it is possible for anyone to forge a
Khalid> message to make it appear as if it came from someone else.  This is
Khalid> because sendmail allows the forger to change the From and Sender fields.
Khalid> Looking at the delivered mail I cannot find any tell-tales that would
Khalid> reveal the identity of the forger.  How can I stop this?

Khalid> extra info:

Khalid> The sendmail.cf does not contain the forger in its trusted list of
Khalid> users.  The sendmail is setuid to root and the default user in the .cf
Khalid> file is 16 (mailer) and the group is daemon.

Khalid> password file entry for mailer

Khalid> 	mailer:DISABLED:16:1:Mailer:/:/bin/false

Khalid> Relevant bits of my sendmail.cf

Anyone with a copy of the RFCs that describe SMTP and a unix box that runs
an SMTP delivery agent can forge mail.  Just telnet up to the SMTP port.
What to do next is left as an exercise for the reader.  ;-)

--
Dan Ehrlich - Sr. Systems Programmer - Penn State Computer Science
<ehrlich@cs.psu.edu>/Voice: +1 814 863 1142/FAX: +1 814 865 3176

rickert@mp.cs.niu.edu (Neil Rickert) (11/07/90)

In article <25249.9011061356@expya.cs.exeter.ac.uk> K.Sattar@cs.exeter.ac.uk (Khalid Sattar) writes:
>I have just realised that on our machine, which is a Pyramid
>running IDA sendmail 5.61 (or any of the suns on the campus running
>the sun standard 4.0.3 supplied sendmail), it is possible for anyone to forge a
>message to make it appear as if it came from someone else.  This is
>because sendmail allows the forger to change the From and Sender fields.
>Looking at the delivered mail I cannot find any tell-tales that would
>reveal the identity of the forger.  How can I stop this?
>
 Actually this is simplistic.  The real sender appears on the Unix
'From ' line in your mailbox, or in the envelope information in mail sent
to other hosts.  Sendmail is quite careful about the envelope sender, but
makes no effort at all to authenticate the header addresses.

 Still, as many know, forging the envelope sender is pretty easy.  But why
be so alarmed about it?  Anyone can put any sender name they like on a piece
of paper, add a stamp, and drop it in the mail.  Or anyone can make a phone call
and claim to be whoever they like - worse still, although the telephone
companies have reasonably effective authentication methods available, the ACLU
is suing in court to prohibit their implementation.  If you come up with a
good way of preventing forgeries, expect a lawsuit claiming you are invading
people's right to maintain their privacy by forging someone else's name and
address on the email.

 In the meantime, you can always personally hand deliver the message.  If
you and the recipient know each other this is a reasonably effective method
of authentication.  Even this is not completely foolproof, or else there would
be no CIA and no KGB.

-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115.                                  +1-815-753-6940
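
The distinction Neil draws above, between the envelope sender that the MTA records and the header addresses that sendmail never authenticates, is something a postmaster can check for mechanically. The following is an added example, not code from the thread or from sendmail: it parses mailbox messages in the UNIX "From " format that Khalid's cf builds with its Dl macro ("From $g $d remote from $U", written by /bin/mail from the envelope sender passed as -r $f), and flags any message whose header From:/Sender: claims a different mailbox than the envelope. The sample messages and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original thread).  The first
# line of each is the mailbox 'From ' separator, which /bin/mail writes
# from sendmail's envelope sender ($f); the From:/Sender: header lines are
# whatever the submitting user typed, so they can disagree with it.
SAMPLE_GENUINE = """\
From boss Tue Nov  6 14:02:00 1990
From: The Boss <boss@cs.exeter.ac.uk>
To: victim@cs.exeter.ac.uk
Subject: test

Hello.
"""

SAMPLE_FORGED = """\
From khalid Tue Nov  6 13:56:00 1990 remote from expya
Received: by expya.cs.exeter.ac.uk; Tue, 6 Nov 90 13:56 GMT
From: The Boss <boss@cs.exeter.ac.uk>
Sender: boss@cs.exeter.ac.uk
To: victim@cs.exeter.ac.uk
Subject: test

Please send me the root password.
"""

# A two-message mailbox: mbox separates messages with a line starting
# 'From ' (bodies have such lines quoted as '>From ', so this split is safe).
SAMPLE_MBOX = SAMPLE_GENUINE + "\n" + SAMPLE_FORGED


def envelope_sender(from_line):
    """Parse the 'From ' separator: returns (envelope sender, UUCP host or None).

    Layout follows the cf's Dl macro "From $g $d remote from $U": $g is the
    envelope sender, $d the date, and the 'remote from' suffix is only
    present for mail that arrived over UUCP.
    """
    if not from_line.startswith("From "):
        raise ValueError("not a mailbox 'From ' line")
    rest = from_line[len("From "):]
    remote = None
    if " remote from " in rest:
        rest, remote = rest.rsplit(" remote from ", 1)
    return rest.split(None, 1)[0], remote


def local_part(addr):
    """Mailbox name of an address: 'The Boss <boss@host>' -> 'boss'."""
    _, spec = parseaddr(addr)
    return spec.split("@", 1)[0].lower()


def check_message(text):
    """Compare the MTA-recorded envelope sender with the user-supplied headers.

    Sender:, when present, is the header's own claim of who submitted the
    message, so it is compared in preference to From:.  'mismatch' is True
    when that claim differs from the envelope, i.e. the headers name someone
    the envelope does not support.
    """
    first, _, rest = text.partition("\n")
    env, remote = envelope_sender(first)
    msg = message_from_string(rest)
    header_from = local_part(msg.get("From", ""))
    header_sender = local_part(msg["Sender"]) if msg.get("Sender") else None
    claimed = header_sender or header_from
    return {
        "envelope": env,
        "remote_from": remote,
        "header_from": header_from,
        "header_sender": header_sender,
        "mismatch": claimed != env.lower(),
    }


def scan_mbox(text):
    """Run check_message over every message in an mbox-format string."""
    return [check_message(m) for m in re.split(r"\n(?=From )", text) if m.strip()]


if __name__ == "__main__":
    for result in scan_mbox(SAMPLE_MBOX):
        flag = "SUSPECT" if result["mismatch"] else "ok"
        print(flag, result["envelope"], "->", result["header_from"], result)
```

This only catches the case Neil describes, where the forger altered the header lines but not the envelope; a forged envelope sender (via -f from a trusted user, or by talking SMTP directly as Dan notes) leaves the two in agreement and is invisible to this check.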

jch@dyfed.rdg.dec.com (John Haxby) (11/08/90)

Proof against forging is somewhat difficult with sendmail --
the best way is to use encryption, preferably double public
key encryption (you know, the thing whereby you encrypt with
your own private key and then the intended recipient's public
key and the recipient uses your public key and his private
key to decrypt the message).  X.400 '88 has the infrastructure
to support secure mail and digital signatures, proof of posting
and all that junk.

The only snag with all of this is that it relies rather heavily
on public key or private key encryption and both forms can be
cracked open with sufficient mips -- people have been factoring
products of large primes for a while now, cracking DES passwords
is easy by comparison.
-- 
-------
John Haxby, Definitively Wrong.
Digital				<jch@wessex.rdg.dec.com>
Reading, England		<...!ukc!wessex!jch>
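
The "double public key" scheme John sketches (apply your own private key, then the recipient's public key; the recipient reverses both) is shown below as an added example, not code from the thread or from any mail system. It uses textbook RSA over tiny primes so every step is plain integer arithmetic; the primes, the key parameters, the per-byte redundancy tag and the names Alice, Bob and Mallory are all constructed for the example. It goes a little beyond John's description in two ways a practitioner would want: each block carries redundancy so the recipient can tell a message that really verifies under the claimed sender's key from garbage, and it enforces the modulus-ordering constraint that nested RSA needs. Real deployments use large keys, padding, and a hash of the message rather than raw blocks; this is the mechanism only.

```python
from math import gcd

# Constructed redundancy tag: each byte b is carried as (b << 8) | (b ^ TAG), so a
# block that did not come through the claimed sender's key fails to decode.
TAG = 0x5A


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes. Returns ((e, n), (d, n)) = (public, private).

    Toy sizes only: the primes below are chosen for readability, not security.
    pow(e, -1, phi) is the modular inverse (Python 3.8+).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def apply_key(key, block):
    """Raise block to the key exponent mod n; works for either half of a pair."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block does not fit the modulus")
    return pow(block, exp, n)


def encode(text):
    """ASCII text -> list of tagged integer blocks, each < 2**16."""
    return [(b << 8) | (b ^ TAG) for b in text.encode("ascii")]


def decode(blocks):
    """Tagged blocks -> text, or None if any block fails the redundancy check."""
    out = bytearray()
    for blk in blocks:
        hi, lo = blk >> 8, blk & 0xFF
        if blk >= 1 << 16 or lo != (hi ^ TAG):
            return None
        out.append(hi)
    return out.decode("ascii")


def seal(text, sender_priv, recipient_pub):
    """Sender side: own private key first (signature), recipient's public key second.

    The inner result is < n_sender, so the nesting only works when
    n_sender < n_recipient; apply_key raises otherwise.
    """
    return [apply_key(recipient_pub, apply_key(sender_priv, blk)) for blk in encode(text)]


def unseal(blocks, recipient_priv, claimed_sender_pub):
    """Recipient side: own private key, then the public key of whoever the message
    claims to be from.  Returns the text, or None if it does not verify under that key."""
    try:
        inner = [apply_key(claimed_sender_pub, apply_key(recipient_priv, c)) for c in blocks]
    except ValueError:
        return None
    return decode(inner)


# Constructed toy keys; moduli are ordered so Alice's and Mallory's fit inside Bob's.
ALICE_PUB, ALICE_PRIV = make_keypair(1009, 1013)      # n = 1022117
BOB_PUB, BOB_PRIV = make_keypair(1019, 1021)          # n = 1040399
MALLORY_PUB, MALLORY_PRIV = make_keypair(991, 997)    # n = 988027


def demo():
    """Bob reads a genuine message from Alice, then one Mallory sealed while
    claiming to be Alice; the second does not verify under Alice's public key."""
    genuine = unseal(seal("meet at noon", ALICE_PRIV, BOB_PUB), BOB_PRIV, ALICE_PUB)
    forged = unseal(seal("meet at noon", MALLORY_PRIV, BOB_PUB), BOB_PRIV, ALICE_PUB)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

The forgery is caught only because the recipient insists on the claimed sender's public key and on the redundancy check; with a key ordering that violates n_sender < n_recipient the inner block can exceed the outer modulus, which is the classic block-size pitfall of sign-then-encrypt with raw RSA.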