Rejecting incoming mail with from addresses in your own domain.

Russell Fulton r.fulton at auckland.ac.nz
Tue Jul 22 02:04:11 GMT 2003


Hi,
	We all (hopefully) have filters on our border routers that block any
incoming packets with internal addresses.  It occurred to me (while
dealing with a particularly well targeted bit of spyware) that we could
do the same for email.

The mail that triggered this thought was sent to at least one researcher
in our medical school and purported to be an advertisement for DNA
analysis software.  If one followed the links and downloaded the trial
versions you ended up with some sort of spyware installed on your
system.  The email had a From: header of DNAuser at auckland.ac.nz.  I am
also sure that everyone agrees that spammers and worms frequently use
From: headers in the recipient's domain to make the message appear more
trustworthy.

Some of us have a few hosts that handle all (or most of) our off campus
mail and it should not be difficult to configure these to drop incoming
mail with from addresses which appear to be internal.

One problem I can see with this is that we have individuals who are off
campus (for whatever reason) who are using our MTAs as their SMTP
servers.  We are planning to provide SSL wrapped, authenticated SMTP for
this and we would treat such connections as internal.
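As an added illustration (not part of the original post, and not the university's configuration), the decision logic described above, written in the shape of a Postfix SMTPD access-policy request: the MTA hands the policy service name=value lines for the connection, and the service answers with an action. The internal domain is the one named in the post; the internal network range 10.0.0.0/8 and the client addresses used below are constructed examples. Mail whose envelope sender claims the internal domain (or a subdomain of it) is rejected unless the client is on an internal network or has authenticated with SASL, which is how the off campus users on authenticated SMTP would be exempted.

```python
"""Policy decision for inbound mail that claims an internal sender domain.

Shaped like a Postfix check_policy_service exchange: the request is
name=value lines ending in a blank line; the reply is "action=...".
The domain comes from the post; the network and addresses are constructed.
"""
import ipaddress

INTERNAL_DOMAINS = {"auckland.ac.nz"}                     # from the post
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # constructed example


def parse_policy_request(text):
    """Turn 'name=value' lines into a dict; ignores malformed lines."""
    attrs = {}
    for line in text.strip().splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def sender_domain(address):
    """Domain part of an envelope sender, lower-cased; '' for the null sender <>."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def claims_internal_domain(domain):
    """True if the domain is an internal domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_internal_client(client_address):
    """True if the connecting host is inside one of the internal networks."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def decide(attrs):
    """Return the policy action for one request's attributes."""
    domain = sender_domain(attrs.get("sender", ""))
    if not claims_internal_domain(domain):
        return "DUNNO"   # not our domain: leave it to the remaining restrictions
    if is_internal_client(attrs.get("client_address", "")):
        return "DUNNO"   # internal host sending outbound or internal mail
    if attrs.get("sasl_username"):
        return "DUNNO"   # off campus user on authenticated submission
    return "REJECT Sender claims an internal domain but connected from outside"


def policy_response(request_text):
    """Full reply as the MTA expects it: an action line followed by a blank line."""
    return "action=%s\n\n" % decide(parse_policy_request(request_text))


if __name__ == "__main__":
    # Constructed request resembling the spyware advertisement described above.
    sample = ("request=smtpd_access_policy\n"
              "protocol_state=RCPT\n"
              "client_address=203.0.113.5\n"
              "sender=DNAuser@auckland.ac.nz\n"
              "recipient=researcher@auckland.ac.nz\n\n")
    print(policy_response(sample), end="")
```

Two things worth keeping in mind with this kind of rule: restrictions evaluated at MAIL FROM see the envelope sender, not the From: header the post describes, so a message with an external envelope sender and a forged internal From: header needs a separate header check; and any path that legitimately brings internal sender addresses back in from outside (users forwarding their mail through an external account, list servers redistributing a message from an internal poster) will be caught by it unless that path is exempted.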

Any other gotcha that anyone can think of?
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.