To Spoof or Not to Spoof? There Really Is NO Question

Written by Casper Manes on November 7, 2012

I was working with one of my clients the other day when the head of Information Security came into the room along with the IT Director. You could tell by the clap of thunder that accompanied them that this wasn’t going to be good. It turns out that some nasty little bugger out on the Internet had discovered that he or she could send emails in to users in this company and spoof the sender address as another user within the company. The evil attacker decided to exploit this by sending PDF attachments containing malware, and making the emails look like they were from the head of the company, telling users to open the PDF to view important information regarding their benefits plan.

End users looking at the email couldn’t tell it wasn’t from the big boss, and information regarding benefits is enough to pique anyone’s interest, so of course dozens of users opened the PDF. Many had not yet patched their Adobe software and as a result were exploited.

This became an “all hands on deck” issue that had to be resolved immediately. Our assignment was to drop everything else, figure out how spoofed emails were getting in, and stop them.

We all know how to execute SMTP commands in a TELNET session to specify a sender address. Most of us have probably automated that process at some time using BLAT or some other software package. Most of us probably configure our email gateway not to accept email from the outside world purporting to be from the inside. This client didn’t.

It was easy enough to find, and to fix, and we did so quickly and reported the door firmly locked. It was for another group to clean the infected machines, so we thought our role in this was done, but then the help desk tickets started flowing in that project management notifications were not getting in.

It seems this client uses a cloud based PMO app that sends notifications to users using an internal address as the source. Yes, it was spoofing internal addresses. As soon as we blocked the attack vector of the malicious user, we broke the functionality of the external app.

The point of this post is not to describe what we did to address this new issue. It’s to talk about what the root cause of this issue was. No, it’s not that we “broke” an app responding to a security issue. It’s that an app was taking advantage of a poor security configuration and doing something it never should have done.

As more and more applications and services move to the cloud, you will likely encounter more applications that exist outside of your network, but that will want to send email in to your internal users, and make it look like the email is internal. You want to make sure that when it comes to email, only one or the other of these two situations exists.

1) The app sends email using an authenticated connection, or

2) Your system accepts the email using a dedicated connector set up so only the app can use it.

Under no circumstances should you ever allow anonymous systems to connect to your MTA and send email using a source address that is internal to your company. Spoofing the sender address may make your users feel better about the app, but that doesn’t mean you should drop your guard and run an insecure system. Requiring authentication from the app sending the email, or, if it cannot support that, using a dedicated connector that will only accept email from the provider’s network ranges, lets that one specific app keep its internal-looking sender address without giving the bad guys free rein on your email system.
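The following is an added example (not from the original post) of the acceptance rule above expressed as a gateway policy check: an internal sender address is only accepted when the session authenticated or when it arrived on the dedicated connector from the provider’s published ranges. The domain, connector name and IP ranges are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the company's own domain and the PMO provider's
# published sending ranges bound to a dedicated receive connector.
INTERNAL_DOMAINS = {"example.com"}
DEDICATED_CONNECTORS = {
    "pmo-app": [ipaddress.ip_network("203.0.113.0/24")],
}

@dataclass
class InboundSession:
    source_ip: str      # peer address of the SMTP connection
    mail_from: str      # envelope sender (MAIL FROM)
    authenticated: bool # True only if SMTP AUTH succeeded on this session
    connector: str      # "default" for the anonymous internet listener

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def evaluate(session: InboundSession) -> tuple[bool, str]:
    """Decide whether to accept the envelope sender. Returns (accept, reason)."""
    if sender_domain(session.mail_from) not in INTERNAL_DOMAINS:
        # Not claiming to be us; leave it to ordinary spam/malware filtering.
        return True, "external sender"
    if session.authenticated:
        return True, "internal sender on authenticated session"
    ranges = DEDICATED_CONNECTORS.get(session.connector, [])
    if any(ipaddress.ip_address(session.source_ip) in net for net in ranges):
        return True, "internal sender via dedicated connector from provider range"
    # Anonymous connection claiming an internal address: this is the spoof.
    return False, "rejected: anonymous connection spoofing internal sender"

def run_samples() -> list[tuple[str, bool]]:
    """Constructed sessions covering the attacker, the PMO app and a customer."""
    samples = {
        "attacker_default": InboundSession("198.51.100.7", "ceo@example.com", False, "default"),
        "attacker_on_pmo_connector": InboundSession("198.51.100.7", "ceo@example.com", False, "pmo-app"),
        "pmo_app": InboundSession("203.0.113.10", "pmo-notify@example.com", False, "pmo-app"),
        "customer": InboundSession("192.0.2.5", "buyer@customer.test", False, "default"),
    }
    return [(name, evaluate(s)[0]) for name, s in samples.items()]

if __name__ == "__main__":
    for name, accepted in run_samples():
        print(f"{name:28s} {'ACCEPT' if accepted else 'REJECT'}")
```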

When it comes to spoofing, just say NO!

Comments

Richard Ramirez November 9, 2012

I wouldn’t blame this on the insecurity of the cloud, because it is just poor configuration, but the case is good to illustrate how small doors in security can be easily taken advantage of. Thanks for the story, it’s a great learning experience!

Matthew Connell November 12, 2012

I don’t know much about spoofing. In fact, this is one of the rarest times I have heard about it. But it’s making me quite anxious, because I know it’s also possible that somebody can spoof me, which means he can send malicious files to all my contacts using my very own e-mail address. Wow. There are a lot of crazies out there, and the last thing I want to happen is to be implicated in something I have no idea about. Worse, I might even be sent to jail for a crime I didn’t actually commit. I hope more information about this will be shared soon.

Quinn November 20, 2012

This is a kind of hijacking and should be considered as a crime. But the way things are going, it seems like the government does not really care about these types of threats unless they are meant to harm Homeland Security, the CIA, or National Defense. That’s really unfortunate since the vast majority does not get the kind of protection that we truly need. We are basically left on our own. Worse, only a few lawyers do understand IT issues such as this, so even if you try to seek a remedy, it still remains such a tough battle ahead.

Mark Lopez November 28, 2012

There are definitely a lot of ways now to steal someone else’s identity and use it maliciously and with gusto. It isn’t really spoofing, but something very similar happened to a cousin of mine a few days ago. Since he’s active online, it’s easy for someone to do some research and find his e-mail address. Well, someone did and began spamming other people within the network my cousin frequents. Suddenly he started receiving threatening e-mails.

Nothing ever guarantees IT security, but many software packages can definitely increase protection. It’s best to invest in these types.
