
RE: [Full-Disclosure] Improving E-mail security...



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] Improving E-mail security...</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2>Sounds interesting, though sending and receiving relays aren't always the same.</FONT>
</P>

<P><FONT SIZE=2>--E</FONT>
</P>

<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Bengt Ruusunen [<A HREF="mailto:bengtij@hotmail.com">mailto:bengtij@hotmail.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, August 26, 2003 4:15 PM</FONT>
<BR><FONT SIZE=2>To: full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>Subject: [Full-Disclosure] Improving E-mail security...</FONT>
</P>
<BR>

<P><FONT SIZE=2>Hello,</FONT>
</P>

<P><FONT SIZE=2>As everybody knows, recent viruses spread by sending mail with a spoofed 'sender </FONT>
<BR><FONT SIZE=2>address'.</FONT>
</P>

<P><FONT SIZE=2>For example:</FONT>
</P>

<P><FONT SIZE=2>I am a person 'someone@someone.com' and got a so-called 'return mail' from </FONT>
<BR><FONT SIZE=2>'someone@receiving.organisation.com' telling that mail sent by me (which I </FONT>
<BR><FONT SIZE=2>never sent in the first place) cannot be delivered. Obviously containing </FONT>
<BR><FONT SIZE=2>some kind of malware as an attachment.</FONT>
</P>

<P><FONT SIZE=2>This kind of 'spread method' could easily be stopped if the mail servers </FONT>
<BR><FONT SIZE=2>included some kind of fingerprint in the passing E-mail.</FONT>
</P>

<P><FONT SIZE=2>If the return mail (mail receiver server checks this against a private key </FONT>
<BR><FONT SIZE=2>or something) does not contain a fingerprint then the returned mail should </FONT>
<BR><FONT SIZE=2>not be delivered 'back to the sender'.</FONT>
</P>

<P><FONT SIZE=2>Rather clever way to counterfeit the sender address, it might double the </FONT>
<BR><FONT SIZE=2>infection if the bounce to the 'sender' leads to infection.</FONT>
</P>

<P><FONT SIZE=2>Now, what this kind of 'hardening' might need is...</FONT>
</P>

<P><FONT SIZE=2>- E-mail receiving server could check that 'very first original' From: line </FONT>
<BR><FONT SIZE=2>and if it is the same as the receiver address, i.e. 'someone@someone.com'</FONT>
</P>

<P><FONT SIZE=2>Perform a check to see if the 'sender identification', i.e. salted public </FONT>
<BR><FONT SIZE=2>key, GUID or something (X-Authenticated-Guid: #0a845d299ca340087140) exists </FONT>
<BR><FONT SIZE=2>in mail header.</FONT>
</P>

<P><FONT SIZE=2>Delivery should be done only if a 'sender identification' exists and the key </FONT>
<BR><FONT SIZE=2>matches.</FONT>
</P>

<P><FONT SIZE=2>Otherwise mail should be trashed to /dev/null :)</FONT>
</P>

<P><FONT SIZE=2>Waiting for comments and suggestions...</FONT>
</P>


<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>Full-Disclosure - We believe in it.</FONT>
<BR><FONT SIZE=2>Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html" TARGET="_blank">http://lists.netsys.com/full-disclosure-charter.html</A></FONT>
</P>
<BR>

<BR>
<BR>
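<P><FONT SIZE=2>Added example, not part of the original thread or of any mail server's code: one way the fingerprint check proposed above could work, using an HMAC over the sender address and the day of sending as the 'sender identification'. The header name X-Authenticated-Guid comes from the post; the key, the day#mac tag format, the 7-day window and all function names are assumptions, and the key is assumed to be shared by every inbound and outbound relay of the sending domain.</FONT>
</P>

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

TAG_HEADER = "X-Authenticated-Guid"   # header name taken from the post
SERVER_KEY = b"constructed-demo-key"  # assumption: secret shared by the domain's relays
MAX_AGE_DAYS = 7                      # assumption: older bounces are refused

def make_tag(sender: str, day: int, key: bytes = SERVER_KEY) -> str:
    """Keyed fingerprint binding the sender address to the day of sending."""
    mac = hmac.new(key, f"{day}:{sender.lower()}".encode(), hashlib.sha256)
    return f"{day}#{mac.hexdigest()[:20]}"

def stamp_outgoing(msg: EmailMessage, day: int) -> EmailMessage:
    """Outbound relay: fingerprint mail that a local user really sent."""
    msg[TAG_HEADER] = make_tag(parseaddr(msg["From"])[1], day)
    return msg

def accept_bounce(bounce: EmailMessage, today: int) -> bool:
    """Inbound relay: deliver a bounce only if the returned original carries a
    recent fingerprint this domain issued for the bounce's recipient."""
    rcpt = parseaddr(bounce["To"])[1]
    for part in bounce.walk():           # walk() also descends into message/rfc822
        tag = part.get(TAG_HEADER)
        if part is bounce or tag is None:
            continue                     # only the returned original counts
        day_s = str(tag).partition("#")[0]
        if not day_s.isdecimal() or today - int(day_s) not in range(MAX_AGE_DAYS + 1):
            continue                     # malformed, stale or future-dated tag
        expected = make_tag(rcpt, int(day_s))
        if hmac.compare_digest(str(tag).encode(), expected.encode()):
            return True
    return False                         # no valid fingerprint: do not deliver

def make_bounce(original: EmailMessage, rcpt: str) -> EmailMessage:
    """Constructed sample bounce: a notice with the original message attached."""
    b = EmailMessage()
    b["From"], b["To"] = "MAILER-DAEMON@receiving.organisation.com", rcpt
    b.set_content("Your message could not be delivered.")
    b.add_attachment(original)           # attached as message/rfc822
    return b
```

<P><FONT SIZE=2>Anyone who received a genuine message inside the window can replay its tag, so the check filters blind forgeries rather than proving that a bounce is legitimate.</FONT>
</P>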

</BODY>
</HTML>