Is Outgoing Smtp Open To Abuse?


19 replies to this topic

#1 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 21 February 2006 - 03:59 AM

Have I got this right? Any person anywhere can set their outgoing SMTP server to my SMTP server and thereby send mail physically thru my account. If this is so, is there something I can do to prevent this? Any assistance here is appreciated. Tks

#2 TCH-Thomas

    Volunteer Moderator

  • Members
  • 14,908 posts

Posted 21 February 2006 - 04:05 AM

Welcome to the forum, beach200. :)

Someone will correct me if I am wrong, but I don't think someone without a valid domain address and password could use your smtp.
But if the person knew every little info needed about your smtp settings, then yes.

Thomas Jikrantz
Forum Moderator
TotalChoice Hosting, Inc.

Any links or suggestions for third party software/sites should be used at your own risk. My opinions and recommendations are not necessarily those of TCH and TCH is not responsible.

As a Forum Moderator I can assist in answering many of your hosting related questions. However, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.
Web Hosting by Total Choice Web Hosting - 24/7 Help Desk


#3 TCH-JimE

    Volunteer Moderator

  • Members
  • 2,738 posts

Posted 21 February 2006 - 04:39 AM

Welcome to the forum!

It is true, you would need a valid password for it to work. However, you can have scripts such as formmail which can be used to send mail from your server, hence the reason such scripts should have decent security so that these things cannot happen.

It is easy to fake a domain name in the header, but if you were to truly look at the headers you would see that in fact they do not originate from that domain name but in fact from somewhere else.

Jimuni
J

#4 TCH-Bruce

    Volunteer Moderator

  • Members
  • 19,960 posts

Posted 21 February 2006 - 08:19 AM

Welcome to the forums beach200

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#5 TCH-Rob

    Help Desk Manager

  • Members
  • 7,797 posts

Posted 21 February 2006 - 10:39 AM

Welcome to the forums beach200. It is not that simple, most servers require authentication before using them to send mail.

#6 TCH-Andy

    Immediate Family

  • Members
  • 4,699 posts

Posted 21 February 2006 - 12:17 PM

Welcome to the forums beach200 :)
Andy Beckett
-----------------
Part of the TCH family since the beginnings of time.

#7 TCH-RobertM

    Immediate Family

  • Members
  • 1,228 posts

Posted 21 February 2006 - 12:28 PM

Welcome to the forums beach200

I am sure you will find your new home quite cozy

#8 MikeJ

    Big Gorilla

  • Members
  • 2,369 posts

Posted 21 February 2006 - 06:08 PM

Welcome to the forums, beach200.

Jimuni said it well. Our servers do not openly relay mail, so they would have to have your account info to do so. However, that doesn't prevent them from faking your email and sending it from their own host (that's an SMTP design issue), but it will clearly show in the headers that you were not actually the sender of the email.

#9 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 21 February 2006 - 07:36 PM

Thanks for the welcome and info. I am still not entirely convinced. I will search for some evidence of the issue.

#10 TCH-Bruce

    Volunteer Moderator

  • Members
  • 19,960 posts

Posted 21 February 2006 - 07:39 PM

Don't know what we can say other than what's been said to convince you. Do you have an issue or an email that you can show us that makes you think otherwise?

When I say email, I mean the full headers of the email.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.


#11 Deverill

    Immediate Family

  • Members
  • 3,307 posts

Posted 22 February 2006 - 01:13 PM

Is the sun hot? Yes. I'm not convinced.

I'm probably just not getting what is on your mind, but it is a fact that without your password or a faulty script no one can send email from your SMTP.

As was said, it is easy to fake an email header sent from some other email server to appear to be from you@yourTCHdomain.com, but the headers will betray the forgery.

Maybe if you just tell us what you are seeing as the issue we can help explain why it is.

Edit: Forgot to say ... Welcome to the forums!
"A winner is simply willing to do what a loser won't."

#12 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 26 February 2006 - 05:36 PM

It would seem from where I sit, that I have an outgoing smtp server which doesn't require authentication. I can test this simply thru MS OutLook. This seems to permit use of this outgoing server by anyone. Is this possible? What am I missing here?

#13 Deverill

    Immediate Family

  • Members
  • 3,307 posts

Posted 26 February 2006 - 05:39 PM

Is the outgoing SMTP server where your account is at TCH?

Are you sending immediately after checking incoming email? Sometimes if you check email and then send something it "remembers" your authentication.
"A winner is simply willing to do what a loser won't."

#14 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 26 February 2006 - 05:53 PM

> Is the outgoing SMTP server where your account is at TCH?
>
> Are you sending immediately after checking incoming email? Sometimes if you check email and then send something it "remembers" your authentication.


Yes, the SMTP is with TCH (the best).
Using OutLook Exp, after a reboot of Win XP, I don't need authentication. So presumably, no one else does either.

#15 TCH-Rick

    Technical Support Services Manager

  • Members
  • 1,853 posts

Posted 26 February 2006 - 05:58 PM

Submit a ticket using the link at the top of this page and we can have a look. We need more information than provided here to see if there is a configuration problem.

#16 TCH-Andy

    Immediate Family

  • Members
  • 4,699 posts

Posted 27 February 2006 - 02:57 AM

Outlook Express nearly always does a check of your POP3 before the send (because most people have it do the default check for emails when it starts). If you have done this, then you have already authenticated with the server, and do not need to do so again when you send.

As Rick says though, open a ticket and we'll check
Andy Beckett
-----------------
Part of the TCH family since the beginnings of time.

#17 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 27 February 2006 - 05:12 AM

Got a good reply from Rick via a ticket. As Andy says the process of checking the pop3 server via OutLook performs authentication which remains on the server for some time (x minutes). This fits perfectly with the evidence. It seems that if you read the pop3 server, and then use any technique to send via the smtp server (within x minutes), you can get a free ride. If this is so, my scepticism seems to be justified.

#18 stevevan

    Immediate Family

  • Members
  • 3,522 posts

Posted 27 February 2006 - 06:31 AM

But don't you have to authenticate first? You can set my email program to check your mail, but if you don't enter the username/pwd, it won't download anything and you'll get an authentication error.
Steve, W4SJV

"When all else fails (and it will)...there's Amateur Radio!"
"It is better to let people THINK you're a fool than to open your mouth and remove all doubt."

#19 MikeJ

    Big Gorilla

  • Members
  • 2,369 posts

Posted 27 February 2006 - 12:27 PM

> Got a good reply from Rick via a ticket. As Andy says the process of checking the pop3 server via OutLook performs authentication which remains on the server for some time (x minutes). This fits perfectly with the evidence. It seems that if you read the pop3 server, and then use any technique to send via the smtp server (within x minutes), you can get a free ride. If this is so, my scepticism seems to be justified.


POP before SMTP means that once you check your email via POP3, for a certain amount of time, your IP address and only your IP address is allowed to send mail through your account. That's hardly a free ride, unless you have other people using your machine that you don't trust at the same time (but then you'd likely have bigger problems :notworthy:).
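The POP-before-SMTP behaviour discussed in the posts above, modelled as an added example that is not part of the thread and is not TCH's server code. The class name, the 30-minute window (the thread only says "x minutes"), the domains, addresses and credentials are all constructed assumptions.

```python
"""Toy model of POP-before-SMTP relay authorization (constructed example)."""

WINDOW_SECONDS = 30 * 60          # assumed value; the thread only says "x minutes"
LOCAL_DOMAINS = {"example.com"}   # constructed: domains hosted on this server
ACCOUNTS = {"user@example.com": "correct-horse"}  # constructed credentials


class PopBeforeSmtp:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.authorized = {}      # client IP -> time the relay permission expires

    def pop3_login(self, ip, user, password, now):
        """A successful POP3 login records the client IP; a failed one records nothing."""
        if ACCOUNTS.get(user) != password:
            return False
        self.authorized[ip] = now + self.window
        return True

    def smtp_rcpt(self, ip, recipient, now):
        """Decide what the server does with one RCPT TO from this client IP."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "accept-local"         # delivery to a hosted mailbox is not relaying
        expires = self.authorized.get(ip)
        if expires is not None and now < expires:
            return "relay"                # same IP, still inside the window
        self.authorized.pop(ip, None)     # drop a stale entry, if any
        return "reject-relay-denied"


def demo():
    srv = PopBeforeSmtp()
    home, stranger = "198.51.100.7", "203.0.113.50"   # documentation addresses
    results = []
    results.append(srv.smtp_rcpt(home, "friend@example.org", now=0))       # no POP yet
    srv.pop3_login(home, "user@example.com", "correct-horse", now=10)
    results.append(srv.smtp_rcpt(home, "friend@example.org", now=60))      # inside window
    results.append(srv.smtp_rcpt(stranger, "friend@example.org", now=60))  # other IP
    srv.pop3_login(stranger, "user@example.com", "guess", now=70)          # bad password
    results.append(srv.smtp_rcpt(stranger, "friend@example.org", now=80))
    results.append(srv.smtp_rcpt(stranger, "user@example.com", now=80))    # local delivery
    results.append(srv.smtp_rcpt(home, "friend@example.org", now=10 + WINDOW_SECONDS))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The table is keyed on the source address alone, so during the window the server cannot tell the account holder from anything else sending from that same address, which is the caveat raised in the post above.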

#20 beach200

    New To The Neighborhood

  • Members
  • 11 posts

Posted 27 February 2006 - 06:23 PM

> POP before SMTP means that once you check your email via POP3, for a certain amount of time, your IP address and only your IP address is allowed to send mail through your account. That's hardly a free ride, unless you have other people using your machine that you don't trust at the same time (but then you'd likely have bigger problems :P).



This fits even more closely with the evidence! I guess the initial question is solved. Tks



