[OT] Re: Can source and IP in email header be spoofed and how to mitigate
David Benfell
2016-07-28 03:48:58 UTC
Our headquarters' email server auto-forwards emails over to our
Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
& the IP addresses be spoofed?
Yes. If you are concerned about this and you control the domain in
question, you probably should put legitimate sending servers on their
own subnet and limit SMTP traffic accordingly.

I get into trouble whenever I try to mess with firewalls myself, but I
believe it would then be possible to reject spoofed IP addresses because
they would be on the wrong interface.
--
David Benfell, Ph.D.
***@parts-unknown.org
Roger Goh
2016-07-28 09:07:39 UTC
If the IP address is spoofed, how does the firewall reject it?

In the case of MS Exchange, will implementing something like
SPF (Sender Policy Framework) and Sender ID filtering help?

Our headquarters' email server auto-forwards emails over to our
Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
& the IP addresses be spoofed?
Yes. If you are concerned about this and you control the domain in
question, you probably should put legitimate sending servers on their own
subnet and limit SMTP traffic accordingly.
I get into trouble whenever I try to mess with firewalls myself, but I
believe it would then be possible to reject spoofed IP addresses because
they would be on the wrong interface.
--
Benny Pedersen
2016-07-28 11:18:42 UTC
Post by Roger Goh
If the IP address is spoofed, how does the firewall reject it?
In the case of MS Exchange, will implementing something like
SPF (Sender Policy Framework) and Sender ID filtering help?
No, if Postfix sees local sender domains on port 25 it should reject them.

All else will fail.

IPs do not matter.

Sender-ID is deprecated, don't add it, but if you like, SPF could help
if added to each sender domain carefully.
Allen Coates
2016-07-28 11:27:39 UTC
It can also be done with access lists in smtpd_mumble_restrictions:

a) Accept (by remote host IP address) ALL your legitimate servers;
b) Reject everything else claiming to be one of your servers.

EXAMPLE

main.cf:
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:$config_directory/access/own-server_access,
check_helo_access hash:$config_directory/access/helo_access,

own-server_access:
### List *ALL* your own servers by IP address
1.2.3.4 OK
5.6.7.8 OK

helo_access:
### Your *REAL* hosts have already been accepted...
1.2.3.4 reject
5.6.7.8 reject
example.com reject


It works well enough for me...

Allen C
Post by Benny Pedersen
Post by Roger Goh
If the IP address is spoofed, how does the firewall reject it?
In the case of MS Exchange, will implementing something like
SPF (Sender Policy Framework) and Sender ID filtering help?
No, if Postfix sees local sender domains on port 25 it should reject them.
All else will fail.
IPs do not matter.
Sender-ID is deprecated, don't add it, but if you like, SPF could help
if added to each sender domain carefully.
Bill Cole
2016-07-28 13:19:41 UTC
Our headquarters' email server auto-forwards emails over to our
Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
& the IP addresses be spoofed?
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
The answer is dependent on your network architecture and what exactly
you mean by "spoofed."

Received headers can be arbitrarily forged, as are the above examples,
BUT since they are added by each MTA handling the message, forgeries are
not hard to detect because they always are below the chronologically
final Received header, added by your own MTA and presumably trustworthy
to the degree of reflecting how your MTA received the message. When a
forgery fails to get the format of a Received header correct (as above)
it is also easily detected.

If you are asking whether an SMTP session can be run over a connection
where the client side is spoofing an IP address, the *general* answer is
NO. IP address spoofing is trivial for UDP-based protocols like DNS
because UDP doesn't depend on the machines involved being able to carry
on a multi-step synchronized reliable conversation. Because SMTP runs on
top of TCP, the initial connection, before any data is exchanged,
requires a 3-packet exchange by which both ends prove that they are
receiving each other's packets correctly. Many years ago, it was
possible to spoof that exchange because systems commonly used very
predictable packet sequence numbers; however, that flaw was recognized
and corrected in the early '90s. It remains possible to actually hijack
an IP address by compromising the specific routers that handle the path
between the target machine and the hijacker, but that is a non-trivial
project and by its nature prevents normal communication between the
target system and the hijacking victim system (that is: the rightful
holder of the spoofed IP,) so it is hard to hide such a hijack if the
target and victim normally communicate with each other.

A special case where "spoofing" becomes easier for SMTP is when the
spoofed machine and the spoofing target communicate through a firewall
that uses a form of NAT that makes the target see all communications as
coming from an IP held by the firewall. In that case, the security and
proper configuration of the firewall and its neighboring routers is
critical.
Viktor Dukhovni
2016-07-28 14:01:54 UTC
Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
& the IP addresses be spoofed?
Your question is not sufficiently clearly stated.
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
(10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
When "ZZZWVEXC01ZZ.bbb.com.au" is receiving the inbound email, the source
IP address can only be "spoofed" by an "on-path" man-in-the-middle attacker,
able to intercept network packets directed to "10.98.2.87", and thus maintain
a TCP session for the transmission of email.

Absent DNSSEC, the same MITM attacker may be able to forge DNS replies (if
also "on path" between the receiving SMTP server and the nameservers it
uses to resolve "10.in-addr.arpa" and "zzzbank.com.au").

On the other hand, anyone can create a message in which the above "Received:"
headers appear. What a forger can't easily do is ensure that such headers
are the topmost trace headers. When the forger transmits the message, the
nexthop receiving system will record the forger's network address as the
sending system in the topmost trace header. If that origin is not trustworthy,
then you can't believe the validity of any trace headers it sends.
--
Viktor.
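One way to apply the rule Bill and Viktor describe above (trust only the trace headers your own MTA added, treat everything below the first foreign hop as unverifiable, and flag headers that lack the RFC 5321 from/by/";date" layout), as an added Python example that is not from this thread. The receiving host mx.example.nz, the top Received header and its addresses are constructed; the two lower headers are the ones quoted in the thread.

```python
import email
import re

# Constructed sample: the top header is what "our" MTA (mx.example.nz, a
# hypothetical host) would add; the two below are the headers quoted in the thread.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.nz (Postfix) with ESMTPS id 3tZxk92Vz
    for <user@example.nz>; Thu, 28 Jul 2016 10:00:00 +1200
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
"""

# RFC 5321 section 4.4 layout: "from" host ["(" tcp-info ")"] "by" host ... ";" date.
# The IPv4 literal inside the from-comment is the address the receiving MTA saw.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s(;]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Return the hop's fields, or None when the from/by clauses are absent."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("comment") or "")
    return {"helo": m.group("helo"), "by": m.group("by").lower(),
            "ip": ip.group(1) if ip else None,
            "has_date": ";" in flat}        # the "; date" clause is mandatory

def classify_trace(raw, our_hosts):
    """Walk Received headers newest (top) to oldest; trust only hops our MTAs added."""
    msg = email.message_from_string(raw)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            hops.append({"raw": value, "well_formed": False, "trusted": False})
            trusted = False
            continue
        if hop["by"] not in our_hosts:
            trusted = False                 # first foreign hop: nothing below is verifiable
        hop.update(well_formed=hop["has_date"], trusted=trusted)
        hops.append(hop)
    return hops
```

A header claiming "by" one of your own hosts that sits below a foreign hop stays untrusted, which is exactly the forgery the posts above describe.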
Roger Goh
2016-07-28 16:11:43 UTC
Sorry, let me elaborate a bit:

We plan to have an interim setup where emails sent to us & HQ (in
another country) have a global format, i.e. ***@xxx.com.

Currently emails sent to our HQ are in the form ***@xxx.com.au & to
us are in the form ***@xxx.com.nz.

So the plan (which is an interim measure, as we plan to merge our email
server to HQ's email server/LDAP at a later stage) is: when there are
emails sent to .com that are meant for us (in NZ), they will be sent to
our HQ's Proofpoint (which scans for malware, spam, rules) before these
emails are rerouted from our HQ's Proofpoint to our email server via the
public Internet (as we don't have a point-to-point WAN link with our HQ)
without going through our (NZ) Proofpoint.

Our local Proofpoint won't scan for malware, spam, rules for these
forwarded emails from our HQ's Proofpoint. Our local Proofpoint will only
scan for emails sent to us
Post by Viktor Dukhovni
Can the source (i.e. smtp.zzzbank.com.au & srvm02.zzzbank.com.au below)
& the IP addresses be spoofed?
Your question is not sufficiently clearly stated.
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1]) by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
When "ZZZWVEXC01ZZ.bbb.com.au" is receiving the inbound email, the source
IP address can only be "spoofed" by an "on-path" man-in-the-middle attacker,
able to intercept network packets directed to "10.98.2.87", and thus maintain
a TCP session for the transmission of email.
Absent DNSSEC, the same MITM attacker may be able to forge DNS replies (if
also "on path" between the receiving SMTP server and the nameservers it
uses to resolve "10.in-addr.arpa" and "zzzbank.com.au").
On the other hand, anyone can create a message in which the above "Received:"
headers appear. What a forger can't easily do is ensure that such headers
are the topmost trace headers. When the forger transmits the message, the
nexthop receiving system will record the forger's network address as the
sending system in the topmost trace header. If that origin is not trustworthy,
then you can't believe the validity of any trace headers it sends.
--
Viktor.
Roger Goh
2016-07-29 07:29:41 UTC
Just a last post from me:

Is there any chance that a whitelisted IP address (whitelisted on
our local email server for the remote to forward email to us, as we
plan to permit TCP 25 incoming for this whitelisted IP while the
rest of the emails have to go to our Proofpoint) could have
been spoofed?

If there's such a possibility, can you list a few URLs/links that
illustrate & explain such spoofing?

I hear conflicting internal suggestions.
Ralph Seichter
2016-07-29 09:57:06 UTC
is there any chance that a whitelisted IP address [...] could have
been spoofed?
Yes. Search for "IP address spoofing" in the search engine of your
choice and you will find what you are looking for.

-Ralph
Bill Cole
2016-07-29 13:50:34 UTC
Post by Ralph Seichter
is there any chance that a whitelisted IP address [...] could have
been spoofed?
Yes. Search for "IP address spoofing" in the search engine of your
choice and you will find what you are looking for.
By that standard, we are ruled by a disguised race of alien
lizard-people. (Really, Google it...)

Spoofing the IP address used by a running system for TCP sessions is
*possible* but it requires very specific complex compromises targeting
the network paths between the spoofed system and the system(s) being
targeted by the deception. It requires specific points of vulnerability
which are relatively easy to avoid. It is not the sort of attack that
can be done by any script kiddie with a kit (unlike IP address spoofing
as a component of DDoS and reflection/amplification attacks.) This means
that to assess your actual risk (or determine the likelihood that
spoofing was involved in a specific incident) you need to look at much
more than the technical possibility, you need to weigh the value of the
attack relative to the difficulty of mounting it. That obviously is out
of scope for this or any other public forum, as it has nothing to do
with Postfix and requires specific knowledge of your business that
should probably not be public.

HOWEVER, in general when someone suggests that a Received header in a
piece of email describes an incident of IP spoofing, they are wrong.
This is because it is very rare for IP spoofing to be the simplest or
most likely explanation. For example, since you have 2 systems involved
in a SMTP transaction and the primary records of that are a Received
header and system logs, all an attacker needs to do in order to mimic IP
spoofing is to compromise one system or the other, preferably the SMTP
client. That's likely to be easier for an attacker to execute, harder to
detect in progress, and simpler for an attacker to clean up afterwards
to prevent tracking. In order to conclude that an incident was the
result of IP spoofing one must eliminate the other possibilities such as
client compromise, because it's easier to take over most machines than
it is to impersonate them while they remain online.

And if one wants to remove the potential for IP spoofing of SMTP between
a specific pair of machines across the Internet, this can be done with a
simple encrypted tunnel between them: a trivial degenerate VPN with 2
nodes and strictly controlled access on both ends.
Ralph Seichter
2016-07-29 16:07:19 UTC
Post by Bill Cole
Post by Ralph Seichter
is there any chance that a whitelisted IP address [...] could
have been spoofed?
Yes. Search for "IP address spoofing" in the search engine of your
choice and you will find what you are looking for.
By that standard, we are ruled by a disguised race of alien
lizard-people. (Really, Google it...)
Roger's question was clear. "Is there any chance that a whitelisted IP
address [...] could have been spoofed?". The answer is yes. Based on the
information available, everybody can make up his/her own mind about how
feasible this attack vector is, about the potential value of their
respective IT infrastructure as a target, and about the potential damage
inflicted. For myself and my customers, I don't rely on IP addresses,
but use strong encryption and authentication, as many others here on
this list are likely to do to a similar degree.

In any case, this subject is better suited for a networking-related
mailing list than it is for the Postfix ML.

-Ralph
Viktor Dukhovni
2016-07-29 16:12:44 UTC
Post by Ralph Seichter
Post by Bill Cole
Post by Ralph Seichter
is there any chance that a whitelisted IP address [...] could
have been spoofed?
Yes. Search for "IP address spoofing" in the search engine of your
choice and you will find what you are looking for.
By that standard, we are ruled by a disguised race of alien
lizard-people. (Really, Google it...)
Roger's question was clear. "Is there any chance that a whitelisted IP
address [...] could have been spoofed?". The answer is yes.
And yet in practice Bill is right. IP spoofing by spammers and virus
authors is not a realistic attack vector. Attackers who can manipulate
BGP routes and mount MiTM attacks on TCP are likely nation-state actors.

IP spoofing is the least of your worries when defending against
sophisticated targeted attacks by nation states.
--
Viktor.
Ralph Seichter
2016-07-29 16:33:04 UTC
I'm definitely not on a crusade in this matter. Risk assessment will
vary with each individual organization's requirements. As Postfix offers
excellent means of using both encryption and authentication, I have not
yet come across a situation where relying on IP addresses alone was the
sole option available. Then again, I usually work in environments where
distributing SSL keys in a safe manner is usually not a problem.

-Ralph