Prevent *Internal* Spoofing in POP3/Exchange Environment?

Posted on 2007-07-30
Last Modified: 2010-03-06
We have a large, spread-out organization that allows POP into our Exchange environment.  However, theoretically anyone with an account on our Exchange server could change their user information to make it look like the emails were coming from someone else - i.e. change their user name and email address to impersonate our president.

Is there any way of securing this?  

Thanks in advance!!
Question by: preisman

Expert Comment

ID: 19592551
Unless they authenticate as the boss, the address that the message comes from will look very obviously fake.
Also make sure that everyone uses SSL; deny non-SSL connections to the Virtual Server. That forces secure authentication.

Author Comment

ID: 19592575
CZCDCT - thanks for the response; however, if I change my account settings to User Name 'Big Cheese' and email address 'bigcheese@company.com', the email looks exactly like it came from them.  I have to look into the header to see any difference at all, something that most users aren't going to do?

Expert Comment

ID: 19592790
Interesting thing here is the rights.
1. Your users shouldn't be able to change the SMTP address from which they're sending and then send a message using their own account into your organisation.
2. Your server (the one that's open to anonymous submission) shouldn't be accepting messages that purport to come from your own domain.

Expert Comment

ID: 19592805
So if I telnet to my server and say EHLO, MAIL FROM:<boss@domain.com>, it will come back and tell me to get stuffed without going any further.
If I say "no problem, I have an account" and reconfigure my Outlook Express with the boss's name and his email address, I can craft a message that looks like it's from him. The big problem is that I don't have the boss's password, so the Exchange server isn't going to accept a message from authenticated user "domain\me" spoofing boss@domain.com.

Author Comment

ID: 19592836
Thanks, CZCDCT...you said:

"If I say "no problem, I have an account" and reconfigure my Outlook Express with the boss's name and his email address, I can craft a message that looks like it's from him. The big problem is that I don't have the boss's password, so the Exchange server isn't going to accept a message from authenticated user "domain\me" spoofing boss@domain.com."

For me, this is the exact problem - there are two sections of information for a POP account:

1.  User Information - 'Your Name' and 'E-Mail Address'
2.  Logon Information - 'User Name' and 'Password'

If I have valid information in Section 2, which all of our *internal* users would have, I can type anything I want in Section 1 and the messages will go through?  Unless you can suggest a way for me to associate the 2, which is what my original question was?

Thanks again-

Expert Comment

ID: 19592956
I need to go into the lab and construct the right security for you. My mini-lab is wide open at the moment (part of a do as I say, not as I do type situation :-) )
Will get back to you.

Accepted Solution

czcdct earned 1500 total points
ID: 19593416
OK, so delving into the lab to clear my mind (it's been a long while since I wrote an article on this little book of horrors), and some of the things I thought had come into the product are still on the drawing board, which screws us up a little. I think I was merging a lot of LCS information, which has got a method of stopping you logging on as you and IM'ing as the boss. This kind of thing is easily stopped from the outside by banning your server from accepting messages from your own address space, but again with the ratsh*t, since you're on POP3.

As verification I've just asked two other Exchange MVPs on this one and we're aligned on the answer.

Regarding your specific question, the answer to this is digital certificates (see where the LCS thing comes in!), I'm afraid. If you issue everyone a certificate, that has the effect of forcing the relationship between the two sections. You can't enter the boss's email address into the "User Information" field and then your own AD credentials and submit mail. Sure, you can enter the boss's name in the "User Information" part (I tested on OE), but it's ignored. The user's SMTP address has to match the SMTP address that's attached to the credentials.
The naughty user can still get around this by going and stealing the boss's digital certificate, though, but that's a hell of a stretch.

There is the wider option of using RPC over HTTPS, but that brings its own problems in that you need Outlook 2003 on XP SP2 etc., so it might not be a starter. It's also more complex to configure if you don't control all the PCs, and it forces a logon rather than saving the creds as in a bog-standard POP3 client.
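Added example (not part of the original thread, and not Exchange's own code): a small Python model of the two submission rules czcdct lays out above, driven with constructed SMTP transcripts like the telnet test described earlier. Rule 1 binds the "Logon Information" account to the addresses it may use in MAIL FROM and in the From: header; rule 2 refuses anonymous MAIL FROM values in our own domain. The domain company.com, the accounts domain\me and domain\bigcheese, the addresses, the sample messages and the SMTP reply texts are all invented for the demonstration.

```python
"""Model of the two POP3/SMTP submission checks discussed in the thread.

1. Anonymous sessions may not claim a sender in one of our own (authoritative)
   domains.
2. Authenticated sessions may only use envelope (MAIL FROM) and header (From:)
   sender addresses that belong to the authenticated account.

Illustrative example code: the directory, messages and reply texts are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: which SMTP addresses each AD account may send as.
AUTHORITATIVE_DOMAINS = {"company.com"}
ACCOUNT_ADDRESSES = {
    "domain\\me": {"me@company.com", "m.employee@company.com"},
    "domain\\bigcheese": {"bigcheese@company.com"},
}

# Constructed messages as a POP3 client such as Outlook Express would submit them.
SPOOF_MESSAGE = (
    "From: Big Cheese <bigcheese@company.com>\r\n"
    "To: staff@company.com\r\n"
    "Subject: Urgent: wire the funds today\r\n\r\n"
    "Please process immediately.\r\n"
)
HONEST_MESSAGE = (
    "From: Me <me@company.com>\r\n"
    "To: staff@company.com\r\n"
    "Subject: Lunch\r\n\r\n"
    "Anyone for lunch?\r\n"
)


def _normalize(address):
    """Extract the bare address from '<a@b>' or 'Name <a@b>' and lower-case it."""
    _, addr = parseaddr(address)
    return addr.lower()


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    addr = _normalize(address)
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_mail_from(authenticated_user, mail_from):
    """Policy decision for MAIL FROM. Returns (accepted, smtp_reply).

    authenticated_user is None for an anonymous session.
    """
    sender = _normalize(mail_from)
    if authenticated_user is None:
        # Rule 2: the anonymous-facing server must not accept mail that purports
        # to come from our own domain. The null sender (<>) used by bounces has
        # no domain and is still allowed through.
        if _domain(sender) in AUTHORITATIVE_DOMAINS:
            return False, "550 5.7.1 Internal sender address not accepted from anonymous client"
        return True, "250 2.1.0 Sender OK"
    allowed = ACCOUNT_ADDRESSES.get(authenticated_user.lower(), set())
    if sender not in allowed:
        # Rule 1: an authenticated user may not change the SMTP address they send from.
        return False, "550 5.7.1 Client does not have permission to send as this sender"
    return True, "250 2.1.0 Sender OK"


def check_header_from(authenticated_user, raw_message):
    """Apply the same binding to the From: header inside the message body.

    Checking the envelope alone is not enough: a client could keep its own
    address in MAIL FROM and still write the boss's address in From:.
    """
    header_from = _normalize(message_from_string(raw_message).get("From", ""))
    return header_from in ACCOUNT_ADDRESSES.get(authenticated_user.lower(), set())


def run_session(authenticated_user, mail_from, raw_message):
    """Scripted SMTP exchange; returns (delivered, transcript_lines).

    Only the commands relevant to the policy are modelled; the other replies are
    canned so the transcript reads like the telnet test in the thread.
    """
    lines = ["C: EHLO pop-client.example", "S: 250 mail.company.com Hello"]
    if authenticated_user is not None:
        lines += ["C: AUTH LOGIN ...",
                  "S: 235 2.7.0 Authentication successful as %s" % authenticated_user]
    accepted, reply = check_mail_from(authenticated_user, mail_from)
    lines += ["C: MAIL FROM:%s" % mail_from, "S: " + reply]
    if not accepted:
        return False, lines
    lines += ["C: RCPT TO:<staff@company.com>", "S: 250 2.1.5 Recipient OK",
              "C: DATA", "S: 354 Start mail input"]
    if authenticated_user is not None and not check_header_from(authenticated_user, raw_message):
        lines.append("S: 550 5.7.1 From header does not belong to the authenticated account")
        return False, lines
    lines.append("S: 250 2.6.0 Queued for delivery")
    return True, lines


if __name__ == "__main__":
    scenarios = [
        ("anonymous telnet claiming the boss", None, "<bigcheese@company.com>", SPOOF_MESSAGE),
        ("domain\\me with the boss's address in the client", "domain\\me", "<bigcheese@company.com>", SPOOF_MESSAGE),
        ("domain\\me, own envelope, spoofed From: header", "domain\\me", "<me@company.com>", SPOOF_MESSAGE),
        ("domain\\me sending honestly", "domain\\me", "<me@company.com>", HONEST_MESSAGE),
    ]
    for title, user, envelope, body in scenarios:
        delivered, transcript = run_session(user, envelope, body)
        print("== %s -> %s" % (title, "delivered" if delivered else "rejected"))
        print("\n".join(transcript))
```

The third scenario is the one the asker is worried about: valid credentials in the "Logon Information" section and the president's details in "User Information". With only the envelope check the message would pass, because Outlook Express can be configured to use a different reply-to or sending address than the one shown in From:, so the header check is what closes the gap; the certificate approach in the accepted answer achieves the same binding by tying the sender address to the credential rather than to a server-side lookup.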
