Tech Notes

Tech Note #20020003

It has come to our attention that malicious users are attempting to send viruses through mail systems by masquerading as legitimate users of the mail system's domain. If the sendmail-based filter does not scan mail sent from internal users to internal users, such viruses pass through unscanned.

Problem Description:

There are numerous ways in which a malicious user can send mail as if they are a member of a mail system's domain. If SMTP can be accessed from outside a domain's internal network, a malicious user can masquerade as an internal user. Even if passwords are required to use SMTP (e.g. via poprelayd), a malicious user could acquire the password to a user's mail account via a packet sniffer.

Another approach is for a malicious user to crack an account on a server inside the internal network. A disgruntled user might even send such mail from their own legitimate account.

Whatever method is used to get inside and send mail as if it were local, it appears that the likelihood is very high that such an event will happen. It is simply a matter of when, not if.

If you use a mail filtering program (e.g. BSM Development's MailCorral) which allows filtering of internal mail messages to be turned off, and that option is in effect, any malicious user who gets mail accepted as internal can deliver viruses to your users unfiltered.

Problem Resolution:

Turn off the bypass-internal-filtering switch of your mail filter immediately. If you use MailCorral, the command line switch is "-i" and the corresponding configuration file option is "FilterInternal".

Additionally, if your filter has a further option for bypassing filtering of mail sent from internal to external users (as MailCorral does), make certain that every domain name sendmail treats as local is identified to your mail filter. Otherwise a name missing from the filter's list is treated as external and mail to it is not covered by the internal-to-external rule you intended. For MailCorral, configure sendmail to read this list from a file such as "/etc/mail/local-host-names" and point MailCorral at the same file via the "-D" command line switch or the "DomainList" configuration file option. Furthermore, make sure that "localhost" is in the domain list (version 1.0.9 and up of MailCorral forces "localhost" into the domain list if it isn't present). For example, a MailCorral user would specify:

-D "localhost,/etc/mail/local-host-names"
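The following is an added example, not MailCorral's own code, that models the policy decision the two options above control: how a DomainList spec of the form shown is expanded into the set of local domains (assuming entries beginning with "/" name a file of host names, one per line, and all other entries are literal names), and why a message with a spoofed internal sender is skipped when FilterInternal is off. The file contents are constructed stand-ins.

```python
import re

# Constructed stand-in for /etc/mail/local-host-names (not a real file).
FAKE_FILES = {
    "/etc/mail/local-host-names":
        "example.com\nmail.example.com\n# alias domain\nexample.org\n",
}

def load_domain_list(spec, read_file=lambda path: FAKE_FILES[path]):
    """Expand a DomainList spec such as "localhost,/etc/mail/local-host-names".

    Assumed syntax: comma-separated; entries starting with "/" are files of
    host names (one per line, "#" starts a comment); the rest are literal names.
    "localhost" is always forced in, mirroring the 1.0.9+ behaviour described.
    """
    domains = {"localhost"}
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        if entry.startswith("/"):
            for line in read_file(entry).splitlines():
                name = line.split("#", 1)[0].strip().lower()
                if name:
                    domains.add(name)
        else:
            domains.add(entry.lower())
    return domains

def addr_domain(addr):
    """Return the domain part of an address, e.g. 'Alice <a@x.org>' -> 'x.org'."""
    m = re.search(r"@([^@>\s]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""

def is_internal(addr, domains):
    return addr_domain(addr) in domains

def should_scan(sender, recipients, domains, filter_internal):
    """True if the message is passed through the virus filter.

    With filter_internal=False, mail whose envelope *claims* an internal
    sender and goes only to internal recipients is skipped. Since the sender
    domain is attacker-controlled, that is exactly the gap this note describes.
    """
    if filter_internal:
        return True
    internal_only = is_internal(sender, domains) and all(
        is_internal(r, domains) for r in recipients)
    return not internal_only
```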

We also recommend that you use a virus filter on all of your workstations and servers as a second line of defense against viruses. Despite the fact that filtering viruses from email still remains the best way of eliminating the vast majority of viruses at their transmission point, checking for viruses on each local machine is a sound idea because there are other transmission methods and there is always the additional possibility that the mail filter will miss one.