  1. #1
    Member
    Join Date
    Feb 2005
    Posts
    282

    Security Flaw with email in cPanel?

    Why can an email sent through an authenticated SMTP session be delivered with a header that is not the same as the account that authenticated the delivery?

    Isn't that a security flaw?

    I have the following scenario... a customer is reporting that, using a PHP script, he could send emails with headers saying that the FROM email address could be anything, even Yahoo or Gmail accounts.

    I have checked and he is right, you can do that. Also, you can use Outlook Express, Outlook or Thunderbird and set the From address to something completely different from what is set on the SMTP account.

    So, you could send an email to all your colleagues impersonating your boss, telling them that this Friday is a paid day off... do you know what will happen...

    Ok, I know that if you check the headers of the email you will discover that the FROM is different from the SMTP account, but... who is checking headers on any email? Does a regular person know how to check this? I don't think so.

    So, my question is, is there a way to make Exim check that the sender is the same as the From address?

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    This is not a "security issue" and it is perfectly normal to set any FROM headers you wish, not just on cPanel systems but on any email system in the world. This is standard practice for every spammer out there, as I have yet to see one that actually used their own "FROM" headers.

    I can very easily say I'm anyone I wish in my headers from any email system --- not just cPanel (Exim) --- but if I am not a valid sender for who I claim to be, my messages are going to be trashed, because the vast majority of email servers use mail verification technologies of some sort to confirm that the sending server is indeed authorized to be sending mail for the domain in question. Standard address verifications, SPF, and DomainKeys are just a few of these types of technologies meant to do just this.

    Anyone can set whatever headers they wish on any email anywhere. The real question, however, is whether the mail server allows you to send without properly authenticating (i.e. an open relay) and whether your mail server is authorized to send for the domain you claim to be.

  3. #3
    Member
    Join Date
    Feb 2005
    Posts
    282


    Thank you Spiral for your answer.

    Well, my servers are hardened and are protected so as not to be open relays; the problem is that I don't want a real user to send emails pretending he is someone else. I want to be sure that the account that has authenticated to the SMTP server is the real "from". Do you think it is hard to accomplish?

    Right now I have seen that GoDaddy email servers are doing a great job protecting against this: if you want to send an email with a "from" different from the authenticated one, the email is not delivered.

    Regards,

    Sergio

  4. #4
    Member
    Join Date
    Feb 2005
    Posts
    282


    @ Spiral...
    I want to send you a PM but it seems that your PM inbox is full.

    Regards,

    Sergio

  5. #5
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    Quote Originally Posted by Secmas
    @ Spiral...
    I want to send you a PM but it seems that your PM inbox is full.

    I received the alerts this morning on your 3 bounced private messages ....

    Sorry about that ---

    I was offline with a really nasty flu over the weekend and wasn't checking my private messages any at all.

  6. #6
    Member
    Join Date
    Feb 2005
    Posts
    282


    Quote Originally Posted by Spiral
    I received the alerts this morning on your 3 bounced private messages ....

    Sorry about that ---

    I was offline with a really nasty flu over the weekend and wasn't checking my private messages any at all.

    Hope you get better.

    Thanks for replying.

    Regards,
    Sergio

  7. #7
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    cPanel is not an MTA -- Consider tweaking the Exim MTA (mail server) configuration

    Quote Originally Posted by Secmas
    Why can an email sent through an authenticated SMTP session be delivered with a header that is not the same as the account that authenticated the delivery?

    Isn't that a security flaw?

    I have the following scenario... a customer is reporting that, using a PHP script, he could send emails with headers saying that the FROM email address could be anything, even Yahoo or Gmail accounts.

    I have checked and he is right, you can do that. Also, you can use Outlook Express, Outlook or Thunderbird and set the From address to something completely different from what is set on the SMTP account.

    So, you could send an email to all your colleagues impersonating your boss, telling them that this Friday is a paid day off... do you know what will happen...

    Ok, I know that if you check the headers of the email you will discover that the FROM is different from the SMTP account, but... who is checking headers on any email? Does a regular person know how to check this? I don't think so.

    So, my question is, is there a way to make Exim check that the sender is the same as the From address?

    The described behavior is not a security flaw in cPanel. Additionally, cPanel is not a mail transport agent (MTA), so this is unrelated to e-mail in cPanel; however, cPanel and WHM offer tools to tweak your system configuration, allowing you to counteract the undesirable mail usage by ensuring the Sender header is always set for outbound messages sent through your local MTA, such as Exim.

    Please see the following thread in the Mail forums for more detailed instructions: Spoofing Mail From My Server - cPanel Forums
    Last edited by cPanelDon; 04-14-2010 at 03:10 PM. Reason: Correction of typo
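    As an added illustration (not from cPanelDon's post and not cPanel's stock exim.conf), here is the stricter variant of the same idea: instead of stamping a Sender header, an Exim DATA-time ACL rejects an authenticated submission whose From address differs from the login that authenticated. The ACL name acl_check_data, its selection via acl_smtp_data, and the assumption that $authenticated_id holds the full mailbox address used for SMTP AUTH (rather than a bare cPanel username) are assumptions for this example.

    ```exim
    # Added example, not cPanel's own configuration. Assumes the main
    # section selects this ACL with:   acl_smtp_data = acl_check_data
    # and that $authenticated_id is the full mailbox address (user@example.com)
    # presented during SMTP AUTH.

    begin acl

    acl_check_data:
      # Only authenticated submissions are checked. Inbound mail from other
      # MTAs never authenticates, so its From header is left alone here and
      # is judged by SPF/DKIM-style checks elsewhere.
      deny
        authenticated = *
        # ${address:...} reduces "Display Name <user@example.com>" to the bare
        # address; eqi compares case-insensitively. If From holds several
        # addresses or fails to parse, the extraction is empty and the
        # comparison fails, which rejects the message (the safe direction).
        condition   = ${if !eqi{${address:$h_from:}}{$authenticated_id}}
        message     = From header <${address:$h_from:}> does not match the \
                      authenticated account <$authenticated_id>
        log_message = From/AUTH mismatch: from=${address:$h_from:} \
                      auth=$authenticated_id

      # Everything else (matching From, or unauthenticated inbound mail) passes
      # this ACL; append further DATA-time checks below as needed.
      accept
    ```

    The log_message line gives you a greppable mainlog entry for every rejected mismatch, which is how you would spot the customer's PHP script in practice. Accounts that legitimately send as several addresses (aliases, role mailboxes) need an explicit allow-list ahead of the deny.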
