Although they are aware that paper mail can be forged, most users are blissfully unaware that email can also be forged. Forged mail can lead to a serious breach of security. Two points of vulnerability that require particular attention are the queue file and the SMTP interface of sendmail .
All versions of sendmail trust the files in the mail queue. They assume that only sendmail has placed files there. As a consequence, a poorly protected queue directory can allow the attacker to create mail that looks 100 percent authentic. This can be used to send forged mail, to append to system critical files, or to run arbitrary programs as root or other users. Consider the following bogus qfAA00001 file for sending forged mail ( qf files are described in Section 23.9, "The qf File Internals" ):
V1 T829313834 P943442 $_root@yourhost S<root@yourhost> RPFD:george@yourhost H?P?return-path: <root@yourhost> Hmessage-id: <199604121257.GAA12601@yourhost> HFrom: root@yourhost HDate: Fri, 13 Dec 1996 05:47:46 -0700 HTo: george@yourhost HSubject: Change your Password Now!!
The system has been compromised. Change your password NOW! Your new password must be: Fuzz7bal Thank you, -System Administration
Unfortunately, in any large organization there will be more than a few users who will obey a message like this. They will gladly change their password to one assigned to them, thereby providing the attacker with easy access to their accounts.
We won't illustrate the SMTP interaction here. But note
that anyone can connect to your local
(1) at port 25 or run
550 your.host hello false.host (real.host), pleased to meet you
The real hostname is then used as the sending hostname in the construction of all headers. The result (the header and body received by the user) might look something like this:
From email@example.com Dec 13 14:36:40 1996 Received: from real.host by your.host (8.8.4/8.8.4) id AA00998; Fri, 13 Dec 1996 14:36:38 -0700 Message-Id: <9612213133.GAA05059@your.host> From: firstname.lastname@example.org (System Administration) To: email@example.com Subject: Change your password now! Date: Fri, 13 Dec 1996 05:47:46 -0700 To improve security at our location you are requested to immediately change your password. The password you have been assigned is: 7Fuzzy1's Thank you, -root
However, most mail-reading programs allow users to filter out
(prevent your seeing) uninteresting header lines.
Typically, users choose
to ignore headers such as
From firstname.lastname@example.org Dec 13 14:36:40 1996 From: email@example.com (System Administration) To: firstname.lastname@example.org Subject: Change your password now! Date: Fri, 13 Dec 1996 14:36:38 -0700 To improve security at our location you are requested to immediately change your password. The password you have been assigned is: 7Fuzzy1's Thank you, -root
Clearly, a user who sees only this much of the mail message will be more likely to believe that it is real.