[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Secure SMTP server used for spam relay
Francis Lachance wrote: > > Hi, > > It seems our CheckPoint FW-1 was used to relay spam mail, here are the > details. > > CheckPoint FW-1 4.1 SP6 on NT 4 > > We have no DMZ so our mail server is on the internal segment and have only > two valid address available to us (one for the fw external interface and one > for the router). > We have a little mail server inside used by only a few users.The FW-1 SMTP > Security Server is enabled and I have the following rules for SMTP: > >From Any to firewall smtp(incoming) accept > >From mailserver to Any smtp(outgoing) accept > The incoming resource states that the sender can be anybody (*) but the > recipients has to be in our domain (*@ourdomain.com) > The outgoing resource states that the sender has to be in our domain > (*@ourdomain.com) and the recipients can be anybody. > > The security group found out that spammers were using the firewall to relay > mail by changing the sender to be [email protected]. I don't understand. To get anything into the firewall, it has to have a destination of ourdomain.com, or it has to come from your internal mail server. How does setting the sender to ourdomain.com allow external machines (not your mail server) to relay through the firewall? > Since we only have a few users I changed the incoming resource to state that > the recipients can only be specific users > ({user1,user2,user3}@ourdomain.com). OK. Personally, I'd rather let my end MTA handle this than the firewall MTA. > Same thing for the outgoing resource the sender has to match a valid user to > send. The sender field in SMTP can be set arbitrarily. This is just a little security by obscurity. > After these changes I feeled we were ok but the security group stated that > we were still vulnerable to spammers and therefore had to disable our smtp > service. What they do is they run the chkspam perl script > (http://vancouver-webpages.com/pub/chkspam) against our firewall external > interface and get the following results: > 220 CheckPoint Firewall-1 secure SMTP server > requires HELO: NO OK, who cares. > allows VRFY username verification: YES Yes, the firewall _always_ responds to _any_ VRFY with a 250. This result is meaningless. > allows EXPN forwarding expansion: NO > allows bogus From: header: YES An MTA shouldn't care about the From: in the mail data. > allows simple mail relaying: YES Obviously. This is what it is there for. It relays your mail to your internal mailserver. > may allow UUCP mail relaying: NO > allows other mail relaying: NO This is what's really important here and it passes these rather simplt checks. -- Crist J. Clark [email protected] Globalstar CommunicationsThe information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [email protected] ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|