
Re: Email Hack: Help.



Once upon a time, Gene Ingram told me this tale:
->
->John Cronin wrote:
->> 
->> Actually, there may not be much you can do about it.  If the hacker hacks
->> into a Linux box running Smail or whatever package they use instead of
->> sendmail on a lot of Linux boxes, they don't even have to hack into
->> your domain to make it look like they are delivering mail from it.
->> They can spoof all the headers and nobody will ever be able to tell
->> it didn't come from your machine.  Apparently Smail does not even
->> log the connection made to it, or does not log the connection correctly,
->> or something.  It is also possible to spoof sendmail to make it look
->> like the mail comes from your site, but at least in this case you can
->> see where the post actually originated, although it is possible the
->> originator might be using a spoofed IP address or something.  The bottom
->> line is that if this spammer knows what he or she is doing, they can
->> make it virtually impossible to trace them back to the originating site.
->> 
->Somebody told me that the key to bagging a hacker is in the ``MX 
->records,'' does that ring a bell to anyone?  They said you can 
->nail them through MX records.  Now to find out the specifics.  ;-)

Actually, I don't think MX records would be that much help in bagging
an email spoofer.  If they do leave any kind of record in the sendmail
logs or headers (i.e. hostname, MX record, what have you) then that can
be useful to track them back to the originating system.  But an MX record
is no more useful than a hostname or something like that.  An MX record
for YOUR OWN SITE might keep the complete novices from hacking INTO YOUR
SYSTEM, but anybody with knowledge of how MX records work will simply
use the MX records to locate the actual hosts that handle mail for a given
domain.

An MX (mail exchanger) record simply allows for a mail domain that is
not directly tied to a given host.  Thus, if my address is
ccocsjo@prism.gatech.edu, and a hacker attempts to connect to
prism.gatech.edu to spoof email, they will fail with a "host unknown"
error, since there is no host named prism.gatech.edu.  However, it
is trivial to query using DNS and find out all sorts of info about
our systems.  Details are left as an exercise for the reader, but
essentially you can use "nslookup" or even roll your own relatively
easily.  There are a lot of advantages to using MX records, and almost
every major Internet site uses them.

With all of this said, I can't help but notice that we are starting
to get way off topic as far as WWW security is concerned.  I am happy
to share my knowledge (I know a LOT more about email than about
WWW) but I wonder if this is the appropriate place for this discussion.
If you want to know more about this issue, I am sure there are lists
with a lot more detailed knowledge of email/SMTP security.  I don't
know the names of any lists off hand, but if pressed I can probably
find some.

-- 
John Cronin
Office of Information Technology Customer Support Center 0710
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: john.cronin@oit.gatech.edu
phone: (404) 894-7563
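
[Editor's note, added to this archived message and not part of John Cronin's
post or of any software he mentions: the point made above about sendmail
headers, that you can see where a spoofed message actually entered your
system even when its From: line and earlier hops are forged, is illustrated
by the script below.  It walks the Received: chain of a constructed sample
message, trusts only the stamps written by relays you operate (the
TRUSTED_RELAYS set, an assumption of this example), and reports the last
connection those relays recorded.  The hostnames, message ids and the
sendmail 8 style "from X (Y [ip]) by Z" format are assumed; the IP
addresses come from the RFC 5737 documentation ranges.]

```python
"""Trace a spoofed message back through its Received: chain.

Each relay prepends its own Received: stamp, so the newest stamp is at the
top.  Stamps written by our own MTAs are honest; anything older, including
the Received: lines that arrived with the message, may have been typed in
by the sender.  The recorded IP on the first hop into our relays is the
last hard fact.  (Added example; not from the original post.)"""
import re
from email import message_from_string

# Constructed sample message.  The bottom Received: stamp is the one an
# outside relay wrote: the sender said HELO as prism.example.edu, but the
# connection actually came from attacker.example.org.
SAMPLE_MESSAGE = (
    "Received: from mailhub.example.edu (mailhub.example.edu [192.0.2.10])\n"
    "\tby prism-relay.example.edu (8.8.5/8.8.5) with ESMTP id KAA01234\n"
    "\tfor <victim@example.edu>; Tue, 4 Feb 1997 10:00:03 -0500\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mailhub.example.edu (8.8.5/8.8.5) with ESMTP id JAA05678;\n"
    "\tTue, 4 Feb 1997 09:59:58 -0500\n"
    "Received: from prism.example.edu (attacker.example.org [203.0.113.42])\n"
    "\tby relay.example.net (8.8.5/8.8.5) with SMTP id JAA09012;\n"
    "\tTue, 4 Feb 1997 09:59:40 -0500\n"
    "From: someone@prism.example.edu\n"
    "To: victim@example.edu\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Relays we run, so their stamps can be believed (assumed for this example).
TRUSTED_RELAYS = {"prism-relay.example.edu", "mailhub.example.edu"}

# "from <helo> (<rdns> [<ip>]) by <host>" as sendmail 8 writes it.  The
# reverse-DNS name is optional because it is missing when the lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Fields of one Received: header (folding removed), or None if the
    line is not in the sendmail-style form this example understands."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def hops(raw_message):
    """Parsed Received: stamps, oldest hop first."""
    msg = message_from_string(raw_message)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h is not None]


def trace_origin(raw_message, trusted=TRUSTED_RELAYS):
    """Walk newest-to-oldest while the stamping relay is one of ours; the
    last trusted stamp shows where the message really entered."""
    chain = hops(raw_message)
    entry = None
    for hop in reversed(chain):          # newest stamp first
        if hop["by"].lower() in trusted:
            entry = hop
        else:
            break                        # an outside relay: stop believing
    unverified = chain[: chain.index(entry)] if entry else chain
    # A HELO name that disagrees with reverse DNS is the classic tell.
    mismatches = [
        h for h in chain
        if h["rdns"] and h["helo"].lower() != h["rdns"].lower()
    ]
    return {
        "entry_ip": entry["ip"] if entry else None,
        "entry_host": (entry["rdns"] or entry["helo"]) if entry else None,
        "unverified_hops": unverified,
        "helo_mismatches": mismatches,
    }


if __name__ == "__main__":
    report = trace_origin(SAMPLE_MESSAGE)
    print("entered our relays from", report["entry_ip"], report["entry_host"])
    for h in report["unverified_hops"]:
        print("unverified earlier hop: claimed", h["helo"],
              "recorded as", h["rdns"], h["ip"])
    for h in report["helo_mismatches"]:
        print("HELO mismatch:", h["helo"], "!=", h["rdns"])
```

On the sample the script stops trusting at relay.example.net: the message
entered our relays from 198.51.100.7, and the older stamp claiming to be
prism.example.edu is reported as unverified with a HELO/reverse-DNS
mismatch.  Whether 198.51.100.7 is the originator or just the next open
relay is exactly the question the post leaves open; the script only tells
you where certainty ends.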

