10.7 Forged Mail

Although they are aware that paper mail can be forged, most users are blissfully unaware that email can also be forged. Forged mail can lead to a serious breach of security. Two points of vulnerability that require particular attention are the queue file and the SMTP interface of sendmail.

10.7.1 Forging with the Queue Directory

All versions of sendmail trust the files in the mail queue. They assume that only sendmail has placed files there. As a consequence, a poorly protected queue directory can allow the attacker to create mail that looks 100% authentic. This can be used to send forged mail, to append to system-critical files, or to run arbitrary programs as root or other users. Consider the following bogus qfAA00001 file for sending forged mail (qf files are described in Section 11.11):

V1
T829313834
P943442
$_root@yourhost
S<root@yourhost>
RPFD:george@yourhost
H?P?return-path: <root@yourhost>
Hmessage-id: <199604121257.GAA12601@yourhost>
HFrom: root@yourhost
HDate: Fri, 13 Dec 1996 05:47:46 -0700
HTo: george@yourhost
HSubject: Change your Password Now!!

This qf file causes mail to be sent to george that appears in all ways to come from root. There is nothing in this qf file to indicate to the recipient (or to sendmail) that the message is not authentic. Now further suppose that the df file (the message body) contains the following text:

The system has been compromised. Change your password NOW!
Your new password must be:

                           Fuzz7bal
Thank you,
        --System Administration

Unfortunately, in any large organization there will be more than a few users who will obey a message such as this. They will gladly change their password to one assigned to them, thereby providing the attacker with easy access to their accounts.

The queue directory must be owned by, and writable only by, root or the user defined by the RunAsUser option (RunAsUser). CERT recommends that the queue directory always be mode 0700.

The MSP queue of V8.12 and above (typically /var/spool/clientmqueue) must be owned by smmsp, with group smmsp, and should be mode 0770.

The queue files placed into the queue by sendmail must be well protected by defining narrow default permissions with the TempFileMode option (TempFileMode) prior to V8.12, or the QueueFileMode option (QueueFileMode) beginning with V8.12. A default of 0600 is best for the main queue, and a default of 0660 is recommended for the MSP queue.

10.7.2 Forging with SMTP

We won't illustrate the SMTP interaction here. But note that anyone can connect to your local sendmail via telnet(1) at port 25 or run sendmail with the -bs command-line switch. Once connected, sendmail must, of necessity, believe everything it receives. The only exception is the hostname sent in the HELO or EHLO message.^[21] In that case the sendmail program looks up the real hostname based on the connection. If the stated hostname and the real hostname differ, the false name is used as the name of the sending host with the real name added in parentheses:

^[21] V8 sendmail also tries to verify the connection itself with identd, if possible.

250 your.host Hello false.host (real.host), pleased to meet you

The real hostname is then used as the sending hostname in the construction of all headers. The result (the header and body received by the user) might look something like this:

From root@false.host Dec 13 14:36:40 2002
Received: from false.host (real.host [real.IP.address]) by your.host (8.12/8.12)
        id AA00998; Fri, 13 Dec 2002 14:36:38 -0700
Message-Id: <9612213133.GAA05059@your.host>
From: root@false.host (System Administration)
To: you@your.host
Subject: Change your password now!
Date: Fri, 13 Dec 2002 05:47:46 -0700

To improve security at our location you are requested to immediately
change your password. The password you have been assigned is:

        7Fuzzy1's

Thank you,
        --root

Fortunately, this Received: header contains the name of the real host (which is not always the case). An attentive user can tell that this is a forged message because the host in that header line differs from the false hostname used in the other header lines.

However, most mail-reading programs allow users to filter out (prevent your seeing) uninteresting header lines.^[22] Typically, users choose to ignore headers such as Received: and Message-ID:. For such users the task of detecting forged mail is much more difficult. Instead of seeing the earlier message with real hostnames, they might see the following with only false names:

^[22] In fact, old versions of the GNU emacs(1) mail reader delete those lines irrevocably.

From root@false.host Dec 13 14:36:40 2002
From: root@false.host (System Administration)
To: you@your.host
Subject: Change your password now!
Date:  Fri, 13 Dec 2002 14:36:38 -0700

To improve security at our location you are requested to immediately
change your password. The password you have been assigned is:

        7Fuzzy1's

Thank you,
        --root

Clearly, a user who sees only this much of the mail message will be more likely to believe that it is real. There are several ways you can educate your users that mail can be forged:

• Teach users what to look for when they receive a message of questionable authenticity.

• Rarely, if ever, send mail as root. Always communicate as yourself and always use a distinctive style of writing. If users never see mail from root, they will be more likely to question such mail when it arrives. Even if the forger pretends to be you, that forger will likely not be in a position to imitate your distinctive writing style.

• Train users to never send (or ask to receive) clear-text passwords or other security-related information by email.

• Train users to use digital signatures, such as PGP or S/MIME, to authenticate email contents.