Inbox (1): Proper Email Authentication
Emails are sent from a source server to a destination server (sometimes through multiple hops) via the SMTP protocol. When you use a webmail client – think Gmail and Yahoo – to send an email, the web server sends emails to its bundled SMTP server and handles authentication for you. When you send an email through a desktop client, like Outlook, Thunderbird, or some mobile clients, the client connects directly to the configured SMTP server, authenticates and sends the email.
However, email is an old and arcane system designed for a less hostile world. SMTP servers are often configured to accept unauthenticated connections for sending email, which lets an attacker spoof sender addresses for phishing or spamming. In some intranet configurations, such messages are indistinguishable from mail sent by the legitimate account owner.
If there is an open SMTP relay on your company network, here is a quick way to make some money (and then go to jail).
ncat -t -C smtp.example.com 25 <<EOF
helo example.com
mail from:<mr.ceo@example.com>
rcpt to:<hrdepartment@example.com>
data
From: "Mr. CEO" <mr.ceo@example.com>
To: "HR" <hrdepartment@example.com>
Date: Wed, 01 Apr 2021 12:01:01 -0500
Subject: Give John Smith a bonus

He deserves a $10k bonus.
Regards,
Mr. CEO
.
quit
EOF
The preceding command sends an email to the HR department that pretends to come from the CEO and asks that John Smith be given a bonus. The command relies on 'ncat', a modern netcat utility: '-t' adds telnet-compatibility handling and '-C' converts line endings to CRLF (which some SMTP servers require).
The best way to close an SMTP relay (and keep everyone from getting $10k) is to require authentication and to ensure that authenticated users are not permitted to send email as other people without proper authorization.
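As an added illustration (not part of the original post), here is how those two controls look in a Postfix main.cf: the weak relay settings that allow the scenario above are shown commented out beside the corrected ones. It assumes Postfix with SASL authentication already wired up, and the file path /etc/postfix/sender_login_maps is an arbitrary choice.

```conf
# --- WEAK: trusting the whole intranet as "mynetworks" turns the server into
# --- an internal open relay; any host on 10.0.0.0/8 can send as anyone.
# mynetworks = 127.0.0.0/8 10.0.0.0/8
# smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# --- FIXED: only the server itself is trusted; everyone else must authenticate.
mynetworks = 127.0.0.0/8 [::1]/128

# Require a HELO/EHLO and only offer AUTH once the session is TLS-protected,
# so credentials are not sent in the clear.
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# Relay (sending to non-local destinations) only for trusted hosts or
# SASL-authenticated clients; all other relay attempts are rejected.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Bind each envelope sender (MAIL FROM) to the SASL login allowed to use it.
# reject_sender_login_mismatch rejects an authenticated client using an address
# it does not own, and an unauthenticated client using any owned address.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions = reject_sender_login_mismatch

# /etc/postfix/sender_login_maps (run "postmap" on it after editing):
#   mr.ceo@example.com         mr.ceo
#   hrdepartment@example.com   hr.shared, hr.manager
```

With this in place, the unauthenticated session from the post is refused at RCPT TO (relay denied), and even an authenticated user other than mr.ceo is refused at MAIL FROM when they try to send as the CEO.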