
E-mail is universal among companies in today's connected world. It has become a mission-critical application, yet it is one of the most poorly protected applications on many networks. You might ask, "Why is it so common to run e-mail attacks when e-mail is such a high-risk application?" You would think that this platform would be the most secured item. This is not the case. We have compiled a short list of reasons that e-mail is so frequently exploited:

E-mail systems are almost always accessible via the Internet. To get your e-mail to the Internet, you need to have a passage to and from the Internet. Not only that, you also have other e-mail services available that will allow your attacker to exploit a great many areas instead of focusing on just one area. For instance, an attacker can exploit SMTP and POP3.

E-mail systems are not always well understood. An e-mail administrator needs to be a network engineer first.

Part of the lack of security on e-mail systems comes from overworked administrators who get the e-mail systems running and then leave them to go "fight other network fires," or they simply maintain a system as is, without really checking for vulnerabilities on the current system. You could have an open relay with loads of spam being launched off your server, and if you didn't know any better, this would just continue indefinitely, while the apparent source of the attack is your relay's IP address on the DMZ.

Before we move any further, let’s quickly look at what the e-mail system looks like from a DMZ perspective, as shown in Figure B.23.

As you can see in Figure B.23, you have an attacker looking to spam from your relay. Here is the breakdown:

The attacker will use a program, tool, or technique to probe your DMZ looking for the e-mail relay. Finding one is simple: look for port 25 for SMTP and port 110 for POP3. Once you know this, you know that the system is functional for e-mail.

Next you have to try to relay off the server. This can be done in many ways, which we look at shortly. Once you know it is spammable, you just need to know how to exploit the system.

Technically, if the hacker is not overzealous, the attack could actually go undetected, because if you don't know you have an open relay, you might miss the spam going through it. If the hacker pelts your system with data to relay, however, you will see a slowdown (by checking the e-mail system's performance-monitoring tools), especially if the spam contains large attachments.

As shown in Figure B.23, it is quite possible that if defenses are not set properly, a hacker can actually open the door directly into your private intranet. Be very careful to lock down access at the firewall that divides the DMZ from the private internal network.

Figure B.23 Viewing E-Mail Systems on the DMZ

In Figure B.23, you see an attacker on the Internet looking to use your system as an open relay. The hacker tests your system to see if it is in fact an open relay and then exploits it. You really have to know how SMTP works to totally understand the hack. To do that, you have to know how to get into and test an e-mail system without a GUI, which you saw us do earlier in this chapter with the Novell e-mail relay on the DMZ. SMTP relays are exploitable on any platform that allows an open relay. SMTP mail runs over TCP port 25; it is present on virtually all Unix machines as Sendmail and on many Windows machines, but on Windows only if it has been installed by choice, since it is not a default with Windows 2003 (hence the vulnerability scanning). Spoofing e-mail is very simple. Take a look at the following example:

# telnet <ip address or DNS name of email server> 25
HELO <anyhost@anydomainname>
MAIL FROM: <anyuser@anydomainname>
RCPT TO: <returnaddressofchoice@anydomainname>
DATA
Your email goes here
.

It was very common for e-mail servers to allow mail relaying as a rule. This has been tightened down in recent years, but many e-mail servers can still be found that will allow you to relay mail this way if they are misconfigured, which is also very common. Here is a real-world example, with some minor editing, using one of a major ISP's e-mail servers:

220 orngca-mls03.socal.XX.com ESMTP *** FOR AUTHORIZED USE ONLY! ***
HELO anydomain.com
250 orngca-mls03.socal.XX.com Hello XXXX-west-12-34-56-78.biz.XX.com [12.34.56.78], pleased to meet you
MAIL FROM: [email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO: [email protected]
250 2.1.5 [email protected]... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
this is a test
.
250 2.0.0 h2N0oRX19041 Message accepted for delivery

You can see that the ISP’s SMTP e-mail server happily accepted the dummy domain name and user we keyed in, and then it accepted the message for delivery. Remember, exploits and attacks are not always the work of a C++ programmer hacking up code to launch crafted packets at vulnerable servers, but at times, you might find a person new to the security game looking for a testing ground—your e-mail server.
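Modelling the server side of that exchange, as an added example that is not from the original chapter: the Python below replays the client commands against a constructed relay policy, so you can see why an open relay answers the third-party RCPT TO with 250 while a properly configured relay answers 550 and then refuses DATA. The local domain, trusted network and addresses are assumptions.

```python
import ipaddress
import re

# Constructed relay policy (assumption): delivers for example.com, relays only for the internal net.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_addr(arg):
    """Pull the mailbox out of 'FROM:<a@b>' or 'TO: a@b' style arguments."""
    m = re.search(r"<([^>]*)>", arg)
    addr = m.group(1) if m else arg.split(":", 1)[-1]
    return addr.strip().lower()

def rcpt_reply(recipient, client_ip, open_relay):
    """Reply to RCPT TO. Local recipients are always accepted; anything else is
    relaying, which an open relay permits for everyone and a hardened relay
    permits only for trusted internal clients."""
    domain = recipient.rsplit("@", 1)[-1] if "@" in recipient else ""
    if domain in LOCAL_DOMAINS or open_relay:
        return "250 2.1.5 Recipient ok"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return "250 2.1.5 Recipient ok"
    return "550 5.7.1 Relaying denied"

def run_session(commands, client_ip, open_relay):
    """Replay the client side of an SMTP dialog and return the server replies."""
    replies, accepted = [], 0
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            replies.append("250 mx.example.com Hello [%s], pleased to meet you" % client_ip)
        elif verb == "MAIL":
            replies.append("250 2.1.0 %s... Sender ok" % parse_addr(arg))
        elif verb == "RCPT":
            reply = rcpt_reply(parse_addr(arg), client_ip, open_relay)
            accepted += reply.startswith("250")
            replies.append(reply)
        elif verb == "DATA":  # no accepted recipient means there is nothing to relay
            replies.append('354 Enter mail, end with "." on a line by itself'
                           if accepted else "554 5.5.1 No valid recipients")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies

# Constructed probe modelled on the exchange in the text: an outside host (RFC 5737
# documentation address) asks the relay to carry mail from a bogus domain to a
# mailbox in an unrelated third-party domain.
PROBE = ["HELO anydomain.com", "MAIL FROM:<nobody@bogus.invalid>",
         "RCPT TO:<someone@other.example>", "DATA"]
```

Run run_session(PROBE, "203.0.113.5", True) and the same call with False to compare the two relays' replies line by line.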

Your e-mail server is very easy to lock down as well. In Figure B.24, you can see that just about any program or system you use will have a hardening feature built in. We cover Novell in this appendix because we covered the hardening of Solaris and Windows in the earlier portion of this book, so in this figure you can see that the SMTP relay properties of the SMTP object in the GroupWise system allow you to disable the use of your relay for spamming purposes.

We have now covered e-mail-relaying issues within the DMZ; you should have a new idea as to where you need to focus your analysis. An open relay, spamming problem, or any other disruption to your e-mail service is not good for your network or your company, particularly once it winds up on a blacklist and can no longer legitimately send and receive mail to certain protected domains. It is important that you test this: try to see whether it is vulnerable yourself, then close it up and patch it as needed.

Figure B.24 Disabling Relaying on Your E-Mail Relay

You should know by now that we have not listed every single attack you could possibly see. This chapter is meant only to show you the DMZ from a different perspective, the way a potential hacker might see it. Spamming is often the main thing a hacker will do with your e-mail relay.