Although they are aware that paper mail can be forged, most users are blissfully unaware that email can also be forged. Forged mail can lead to a serious breach of security. Two points of vulnerability that require particular attention are the queue file and the SMTP interface of sendmail.
All versions of sendmail trust the files in the mail queue. They assume that only sendmail has placed files there. As a consequence, a poorly protected queue directory can allow the attacker to create mail that looks 100 percent authentic. This can be used to send forged mail, to append to system critical files, or to run arbitrary programs as root or other users. Consider the following bogus qfAA00001 file for sending forged mail (qf files are described in Section 23.9, "The qf File Internals"):
V1 T829313834 P943442 $_root@yourhost S<root@yourhost> RPFD:george@yourhost H?P?return-path: <root@yourhost> Hmessage-id: <199604121257.GAA12601@yourhost> HFrom: root@yourhost HDate: Fri, 13 Dec 1996 05:47:46 -0700 HTo: george@yourhost HSubject: Change your Password Now!!
This qf
file causes mail to be sent to george that appears
in all ways to come from root.
There is nothing in this qf
file to indicate
to the recipient (or to sendmail) that the message is not authentic.
Now further suppose that the df
file (the message body) contains
the following text:
The system has been compromised. Change your password NOW! Your new password must be: Fuzz7bal Thank you, -System Administration
Unfortunately, in any large organization there will be more than a few users who will obey a message like this. They will gladly change their password to one assigned to them, thereby providing the attacker with easy access to their accounts.
The queue directory must be owned by root and writable only by root. CERT recommends that the queue directory always be mode 0700.
The queue files placed into the queue by sendmail must be well
protected by defining narrow default permissions with the
TempFileMode
(F
) option (see Section 34.8.68, TempFileMode (F)).
A default of 0600 is best.
We won't illustrate the SMTP interaction here. But note
that anyone can connect to your local sendmail via
telnet(1) at port 25 or run sendmail with
the -bs
command-line switch. Once connected, sendmail must
of necessity believe everything it receives. The only
exception is the
hostname sent in the HELO message.
[17]
In that case the sendmail
program looks up the real hostname based on the connection. If
the stated hostname and the real hostname differ, the false
name is used as the name of the sending host with the real name
added in parentheses:
[17] V8 sendmail also tries to verify the connection itself with identd if possible.
550 your.host hello false.host (real.host), pleased to meet you
The real hostname is then used as the sending hostname in the construction of all headers. The result (the header and body received by the user) might look something like this:
From [email protected] Dec 13 14:36:40 1996 Received: from real.host by your.host (8.8.4/8.8.4) id AA00998; Fri, 13 Dec 1996 14:36:38 -0700 Message-Id: <[email protected]> From: [email protected] (System Administration) To: [email protected] Subject: Change your password now! Date: Fri, 13 Dec 1996 05:47:46 -0700 To improve security at our location you are requested to immediately change your password. The password you have been assigned is: 7Fuzzy1's Thank you, -root
Fortunately, the Received:
header above contains the name of the real host (which is not always
the case). An attentive user
can tell that this is a forged message because the host in that
header line differs from the false hostname used in the other header
lines.
However, most mail-reading programs allow users to filter out
(prevent your seeing) uninteresting header lines.
[18]
Typically, users choose
to ignore headers such as Received:
and Message-ID:
.
For such users the task of detecting forged mail is much more difficult.
Instead
of seeing the above message, with real hostnames, they might
see the following with only false names:
[18] In fact, the gnu-emacs(1) mail reader deletes those lines irrevocably.
From [email protected] Dec 13 14:36:40 1996 From: [email protected] (System Administration) To: [email protected] Subject: Change your password now! Date: Fri, 13 Dec 1996 14:36:38 -0700 To improve security at our location you are requested to immediately change your password. The password you have been assigned is: 7Fuzzy1's Thank you, -root
Clearly, a user who sees only this much of the mail message will be more likely to believe that it is real.
Educate your users that mail can be forged. Teach them what to look for when they receive a message of questionable authenticity.
Rarely, if ever, send mail as root. Always communicate as yourself and always use a distinctive style of writing. If users never see mail from root, they will be more likely to question such mail when it arrives.
Train users to never send (or ask to receive) clear-text passwords or other security-related information by email.