Prevent *Internal* Spoofing in POP3/Exchange Environment?

We have a large, spread-out organization that allows POP into our Exchange environment.  However, theoretically anyone with an account on our Exchange server could change their user information to make it look like the emails were coming from someone else - i.e. change their user name and email address to impersonate our president.

Is there any way of securing this?  

Thanks in advance!!
preisman asked:
czcdct Commented:
OK, so delving into the lab to clear my mind (It's been a long while since I wrote an article on this little book of horrors) and some of the things I thought had come into the product are still on the drawing board - which screws us up a little. I think I was merging a lot of LCS information which has got a method of stopping you logging on as you and IM'ing as the boss. This kind of thing is easily stopped from the outside by banning your server from accepting messages from your own address space but again with the ratsh*t since you're on POP3.

As verification I've just asked two other Exchange MVPs on this one and we're aligned on the answer.

Regarding your specific question, the answer to this is digital certificates (see where the LCS thing comes in!) I'm afraid. If you issue everyone a certificate, that has the effect of forcing the relationship between the two sections. You can't enter the boss's email address into the "User Information" field and then your own AD credentials and submit mail. Sure, you can enter the boss's name in the "User Information" part (I tested on OE) but it's ignored. The user's SMTP address has to match the SMTP address that's attached to the credentials.
The naughty user can still get around this by going and stealing the boss's digital certificate though, but that's a hell of a stretch.

There is the wider option of using RPC over HTTPS but that brings its own problems in that you need Outlook 2003 on XP SP2 etc. so it might not be a starter. It's also more complex to configure if you don't control all the PCs and it forces a logon rather than saving the creds as in a bog standard POP3 client.
czcdctCommented:
Unless they authenticate as the boss, the address that the message comes from will look very obviously fake.
Also make sure that everyone uses SSL; deny non-SSL connections to the Virtual Server. That forces secure authentication.
preisman (Author) Commented:
CZCDCT, thanks for the response; however, if I change my account settings to User Name 'Big Cheese' and email address 'bigcheese@company.com', the email looks exactly like it came from them. I have to look into the header to see any difference at all, something that most users aren't going to do?
czcdctCommented:
Interesting thing here is the rights.
1. Your users shouldn't be able to change the SMTP address from which they're sending and then send a message using their own account into your organisation.
2. Your server (the one that's open to anonymous submission) shouldn't be accepting messages that purport to come from your own domain.
czcdctCommented:
So if I telnet to my server and say ehlo, mail from:<boss@domain.com>, it will come back and tell me to get stuffed without going any further.
If I say no problem, I have an account, and reconfigure my Outlook Express with the boss's name and his email address, I can craft a message that looks like it's from him. Big problem is that I don't have the boss's password, so the Exchange server isn't going to accept a message from authenticated user "domain\me" spoofing boss@domain.com.
preisman (Author) Commented:
Thanks, CZCDCT...you said:

"If I say no problem, I have an account, and reconfigure my Outlook Express with the boss's name and his email address, I can craft a message that looks like it's from him. Big problem is that I don't have the boss's password, so the Exchange server isn't going to accept a message from authenticated user "domain\me" spoofing boss@domain.com."

For me, this is the exact problem - there are two sections of information for a POP account:

1.  User Information - 'Your Name' and 'E-Mail Address'
2.  Logon Information - 'User Name' and 'Password'

If I have valid information in Section 2, which all of our *internal* users would have, I can type anything I want in Section 1 and the messages will go through? Unless you can suggest a way for me to associate the two, which is what my original question was?

Thanks again-
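The two submission rules czcdct lists (refuse anonymous senders claiming your own domain; tie an authenticated account to the SMTP addresses it is allowed to send as) are the association between the "Logon Information" and "User Information" sections that preisman is asking for. The following is an added example, not code from the thread or from Exchange: it models that policy as a small Python check and replays the telnet dialogue from the thread against it. The account-to-address directory, the server banner and the reply strings are constructed for the example.

```python
import re

LOCAL_DOMAIN = "domain.com"  # the thread's example domain
# Constructed directory: which SMTP addresses each AD account may send as.
# In a real deployment this comes from the mailbox's proxy addresses.
ACCOUNT_ADDRESSES = {
    r"domain\me": {"me@domain.com"},
    r"domain\boss": {"boss@domain.com"},
}
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def check_mail_from(sender, authenticated_as=None):
    """Return (accepted, reply) for an envelope sender.

    Rule 1 (anonymous session): refuse senders that claim LOCAL_DOMAIN.
    Rule 2 (authenticated session): the sender must be one of the addresses
    bound to the account, whatever the client typed into 'User Information'.
    """
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    if authenticated_as is None:
        if domain == LOCAL_DOMAIN:
            return False, "550 5.7.1 Local domain not accepted from anonymous sender"
        return True, "250 2.1.0 Sender OK"
    allowed = {a.lower() for a in ACCOUNT_ADDRESSES.get(authenticated_as.lower(), ())}
    if not allowed:
        return False, "535 5.7.3 Authentication unsuccessful"
    if sender not in allowed:
        return False, f"550 5.7.1 {authenticated_as} is not permitted to send as {sender}"
    return True, "250 2.1.0 Sender OK"


def smtp_session(commands, authenticated_as=None):
    """Replay client command lines against the policy; return the replies."""
    replies = []
    for line in commands:
        line = line.strip()
        match = MAIL_FROM_RE.match(line)
        if line.upper().startswith("EHLO"):
            replies.append("250 mail.domain.com Hello")  # constructed banner
        elif match:
            replies.append(check_mail_from(match.group(1), authenticated_as)[1])
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies


if __name__ == "__main__":
    print(smtp_session(["ehlo", "mail from:<boss@domain.com>"]))               # anonymous: refused
    print(smtp_session(["ehlo", "mail from:<boss@domain.com>"], r"domain\me"))  # wrong identity: refused
    print(smtp_session(["ehlo", "mail from:<me@domain.com>"], r"domain\me"))    # own address: accepted
```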
czcdctCommented:
I need to go into the lab and construct the right security for you. My mini-lab is wide open at the moment (part of a do as I say, not as I do type situation :-) )
Will get back to you.