Vulnerabilities: SMTP HELO without authentication

18 Oct

I would like to highlight a case study: I recently learned that most mail servers, especially those based on Exim, perform no SMTP authentication check for the HELO/EHLO request on the default port (25) out of the box.

Case:

A spammer can simply telnet to the mail server of a given domain and send e-mail, posing as a valid user, to users in the same domain without authenticating.

Demonstration:

[root@hostname ~]# telnet mail.mytest.com 25
Trying 192.168.1.100...
Connected to mail.mytest.com.
Escape character is '^]'.
220 mytest.com ESMTP Exim 4.76 Sat, 18 Oct 2014 08:52:09 +0800
ehlo someone@mytest.com
501 Syntactically invalid EHLO argument(s)
ehlo mytest.com
250-mytest.com Hello mytest.com [123.456.789]
250-SIZE 20971520
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from:<someone@mytest.com>
250 OK
rcpt to:<somebody@mytest.com>
250 Accepted
Data
354 Enter message, ending with "." on a line by itself
Subject: This is a test
Hello, This is a test
.
250 OK id=1XfIGK-0007PS-HJ
quit

Concern:

Even though outbound mail to remote domains is filtered by default through the ACL, the concern is that a spammer can send e-mail to known users within the same domain, causing confusion and, in the worst case, tension between employees. Imagine a spam run, or a disgruntled employee with some technical background, sending a forged e-mail that appears to come from a colleague. That could be dangerous!

Solution: the server administrator has to adjust the Exim MTA ACL (Access Control List) so that traffic on port 25 is filtered against unauthorized use, i.e. a sender address in a local domain is only accepted from an authenticated session or a trusted host.
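An Exim ACL fragment that implements this check, added here as an illustration and not taken from the original post or from Exim's own default configuration. It assumes the stock Exim configuration's `local_domains` domain list and `relay_from_hosts` host list; the ACL name `acl_check_mail` is my choice.

```exim
# In the main configuration section: run this ACL at MAIL FROM time,
# before the RCPT/DATA ACLs the default Exim config already defines.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:

  # Reject a sender address that claims one of our own domains when the
  # session is neither authenticated (AUTH PLAIN/LOGIN after STARTTLS)
  # nor from a host we explicitly trust to relay (webmail, cron boxes,
  # application servers). This closes the gap shown in the telnet
  # session above: an anonymous client on port 25 can no longer say
  # "mail from:<someone@mytest.com>".
  deny
    message        = Sender address in a local domain requires authentication
    sender_domains = +local_domains
    !authenticated = *
    !hosts         = +relay_from_hosts
    # Optional: keep an audit trail so forgery attempts are visible in
    # the main log and can be alerted on.
    log_message    = unauthenticated local-domain sender rejected

  # Everything else (remote sender domains, authenticated users, trusted
  # relay hosts) continues to the normal RCPT and DATA ACLs.
  accept
```

Before reloading, test the rule with Exim's host-testing mode (`exim -bh <client-ip>`), which replays an SMTP session from the given address without delivering anything, and confirm that an unauthenticated `mail from:` in a local domain now returns a 550 while an authenticated session still gets 250.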
