beach200

Is Outgoing SMTP Open To Abuse?


Have I got this right? Any person anywhere can set their outgoing SMTP server to my SMTP server and thereby send mail physically thru my account. If this is so, is there something I can do to prevent this? Any assistance here is appreciated. Tks


Welcome to the forum, beach200. :)

Someone will correct me if I am wrong, but I don't think someone without a valid domain address and password could use your SMTP.

But if the person knew every little info needed about your SMTP settings, then yes.


Welcome to the forum!

It is true, you would need a valid password for it to work. However, you can have scripts such as formmail which can be used to send mail from your server, hence the reason such scripts should have decent security so that these things cannot happen.

It is easy to fake a domain name in the header, but if you were to truly look at the headers you would see that in fact they do not originate from that domain name but in fact from somewhere else.

Jimuni


Welcome to the forums, beach200. It is not that simple; most servers require authentication before using them to send mail.


Welcome to the forums, beach200.

Jimuni said it well. Our servers do not openly relay mail, so they would have to have your account info to do so. However, that doesn't prevent them from faking your email and sending it from their own host (that's an SMTP design issue), but it will clearly show in the headers that you were not actually the sender of the email.


Thanks for the welcome and info. I am still not entirely convinced. I will search for some evidence of the issue.


Don't know what we can say other than what's been said to convince you. Do you have an issue or an email that you can show us that makes you think otherwise?

When I say email, I mean the full headers of the email.


Is the sun hot? Yes. I'm not convinced.

I'm probably just not getting what is on your mind, but it is a fact that without your password or a faulty script no one can send email from your SMTP.

As was said, it is easy to fake an email header sent from some other email server to appear to be from you@yourTCHdomain.com, but the headers will betray the forgery.

Maybe if you just tell us what you are seeing as the issue we can help explain why it is.

Edit: Forgot to say ... Welcome to the forums!


It would seem from where I sit, that I have an outgoing smtp server which doesn't require authentication. I can test this simply thru MS OutLook. This seems to permit use of this outgoing server by anyone. Is this possible? What am I missing here?


Is the outgoing SMTP server where your account is at TCH?

Are you sending immediately after checking incoming email? Sometimes if you check email and then send something it "remembers" your authentication.

> Is the outgoing SMTP server where your account is at TCH?
>
> Are you sending immediately after checking incoming email? Sometimes if you check email and then send something it "remembers" your authentication.

Yes, the SMTP is with TCH (the best).

Using OutLook Exp, after a reboot of Win XP, I don't need authentication. So presumably, no one else does either.


Submit a ticket using the link at the top of this page and we can have a look. We need more information than provided here to see if there is a configuration problem.


Outlook Express nearly always does a check of your POP3 before the send (because most people have it do the default check for emails when it starts). If you have done this, then you have already authenticated with the server, and do not need to do so again when you send.

As Rick says though, open a ticket and we'll check.


Got a good reply from Rick via a ticket. As Andy says, the process of checking the pop3 server via OutLook performs authentication which remains on the server for some time (x minutes). This fits perfectly with the evidence. It seems that if you read the pop3 server, and then use any technique to send via the smtp server (within x minutes), you can get a free ride. If this is so, my scepticism seems to be justified.


But don't you have to authenticate first? You can set my email program to check your mail, but if you don't enter the username/pwd, it won't download anything and you'll get an authentication error.

> Got a good reply from Rick via a ticket. As Andy says, the process of checking the pop3 server via OutLook performs authentication which remains on the server for some time (x minutes). This fits perfectly with the evidence. It seems that if you read the pop3 server, and then use any technique to send via the smtp server (within x minutes), you can get a free ride. If this is so, my scepticism seems to be justified.

POP before SMTP means that once you check your email via POP3, for a certain amount of time, your IP address and only your IP address is allowed to send mail through your account. That's hardly a free ride, unless you have other people using your machine that you don't trust at the same time (but then you'd likely have bigger problems :notworthy:).

> POP before SMTP means that once you check your email via POP3, for a certain amount of time, your IP address and only your IP address is allowed to send mail through your account. That's hardly a free ride, unless you have other people using your machine that you don't trust at the same time (but then you'd likely have bigger problems :P).

This fits even more closely with the evidence! I guess the initial question is solved. Tks
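
Added example, not part of the thread and not the host's server code: a small Python model of the POP-before-SMTP relay policy the thread settles on, showing which send attempts a server would accept. The class name, the 600-second window (the thread only says "x minutes"), the domains and the documentation-range IP addresses are all assumptions made for illustration.

```python
import time

class PopBeforeSmtp:
    """Toy model of a POP-before-SMTP relay policy (hypothetical, not real server code)."""

    def __init__(self, window_seconds, local_domains, clock=time.time):
        self.window = window_seconds
        self.local_domains = {d.lower() for d in local_domains}
        self.clock = clock
        self.authorized = {}  # client IP -> time of last successful POP3 login

    def pop3_login(self, ip, password_ok):
        # Only a successful POP3 login opens the relay window for this IP.
        if password_ok:
            self.authorized[ip] = self.clock()
        return password_ok

    def smtp_rcpt(self, ip, recipient):
        """Return (accepted, reason) for one RCPT TO from the given client IP."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True, "local delivery"  # inbound mail needs no relay rights
        seen = self.authorized.get(ip)
        if seen is None:
            return False, "relay denied: no POP3 login from this IP"
        if self.clock() - seen > self.window:
            del self.authorized[ip]  # expire the stale entry
            return False, "relay denied: POP3 window expired"
        return True, "relay allowed: recent POP3 login"

def demo():
    now = [1000.0]  # constructed fake clock so the run is deterministic
    srv = PopBeforeSmtp(600, ["example.com"], clock=lambda: now[0])
    owner, stranger = "192.0.2.10", "198.51.100.7"  # constructed sample IPs
    results = [srv.smtp_rcpt(owner, "friend@example.net")]         # before any POP3 check
    srv.pop3_login(stranger, password_ok=False)                    # wrong password
    results.append(srv.smtp_rcpt(stranger, "friend@example.net"))
    srv.pop3_login(owner, password_ok=True)
    results.append(srv.smtp_rcpt(owner, "friend@example.net"))     # inside the window
    results.append(srv.smtp_rcpt(stranger, "friend@example.net"))  # different IP
    now[0] += 601
    results.append(srv.smtp_rcpt(owner, "friend@example.net"))     # window has passed
    results.append(srv.smtp_rcpt(stranger, "user@example.com"))    # mail to a local user
    return results

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The only relayed message is the one sent from the IP that completed a POP3 login inside the window; anyone sharing that IP during the window would pass the same check, which is the caveat raised in the reply above.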
