[Owasp-delhi] MAIL SERVER TESTING

Soi, Dhruv dhruv.soi at owasp.org
Wed Dec 16 07:58:15 EST 2009


I think there is a slight confusion between the two tests. Below are the test
cases for open relay and spoofing. Apart from open relay, you may try to do
local relay, and the SMTP implementation shall allow sending email as
abc at domain.com to abc at domain.com without asking for credentials.

 

Simple Open Relay Testing

=====
telnet mail.domain.com 25
mail from:<spammer@evil.com>
rcpt to:<victimemail@domain.com>
data
some text in the email
.
quit
=====

 

The above mail will throw an error stating "550 Relay Access Denied" if the
server is running with SMTP AUTH. Else the email will be delivered.

 

 

Mail Spoofing Test - Even with SMTP AUTH, let us say you have valid
credentials (abc at domain.com) and you try to send the email with
ceo at domain.com as the From address in your Outlook:

=====
telnet mail.domain.com 25
AUTH PLAIN AHRlc3QAdGVzdDEyMzQ=
mail from:<ceo@domain.com>
rcpt to:<victimemail@domain.com>
data
You are fired with immediate effect. Some more text in the email.
.
quit
=====

 

If the mail server is not doing the login checks, the above mail will pass due
to the correct credentials valid for some other mailbox. Else you will see an
error message "Access Denied: victimemail at domain.com: mailbox ceo at domain.com
not owned by the user".

 

Hope helpful!
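
The relay check and the sender-ownership check described in the message above are separate server-side decisions, which is why blocking open relay alone does not stop an authenticated user from sending as another mailbox. The Python sketch below is an added example, not part of the original message and not any mail server's own code; LOCAL_DOMAINS, OWNERS, the sample sessions and the reply texts are constructed assumptions, and the credentials in AUTH PLAIN are assumed to have been verified already.

```python
import base64
import re

LOCAL_DOMAINS = {"domain.com"}        # constructed: domains this server hosts
OWNERS = {"abc": {"abc@domain.com"}}  # constructed: login -> addresses it may send as

def parse_session(lines):
    """Extract login, envelope sender and recipient from client commands."""
    s = {"login": None, "mail_from": None, "rcpt_to": None}
    for line in lines:
        if m := re.match(r"AUTH PLAIN (\S+)", line, re.I):
            # RFC 4616 layout: authzid NUL authcid NUL password
            s["login"] = base64.b64decode(m.group(1)).split(b"\0")[1].decode()
        elif m := re.match(r"mail from:\s*<?([^>\s]+)>?", line, re.I):
            s["mail_from"] = m.group(1).lower()
        elif m := re.match(r"rcpt to:\s*<?([^>\s]+)>?", line, re.I):
            s["rcpt_to"] = m.group(1).lower()
    return s

def domain(addr):
    return addr.rsplit("@", 1)[-1]

def decide(s):
    """Reply a server enforcing all three checks would give (texts are illustrative)."""
    sender_local = domain(s["mail_from"]) in LOCAL_DOMAINS
    rcpt_local = domain(s["rcpt_to"]) in LOCAL_DOMAINS
    if s["login"] is None:
        if not rcpt_local:
            return "550 relay access denied"         # open-relay check
        if sender_local:
            return "550 local sender requires AUTH"  # "local relay" check
        return "250 ok"                              # ordinary inbound mail
    if s["mail_from"] not in OWNERS.get(s["login"], set()):
        return "550 sender not owned by login"       # spoofing check
    return "250 ok"

AUTH_ABC = "AUTH PLAIN " + base64.b64encode(b"\0abc\0constructed-pw").decode()
SESSIONS = {  # constructed sample sessions
    "relay": ["mail from:<spammer@evil.com>", "rcpt to:<someone@elsewhere.example>"],
    "local": ["mail from:<abc@domain.com>", "rcpt to:<abc@domain.com>"],
    "spoof": [AUTH_ABC, "mail from:<ceo@domain.com>", "rcpt to:<victimemail@domain.com>"],
    "own": [AUTH_ABC, "mail from:<abc@domain.com>", "rcpt to:<victimemail@domain.com>"],
}

if __name__ == "__main__":
    for name, lines in SESSIONS.items():
        print(name, "->", decide(parse_session(lines)))
```

A server that implements only the first branch passes the open relay test and still accepts the "spoof" session, so both tests belong in the assessment.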

 

 

 

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Suryavanshi,
Rajesh
Sent: Wednesday, December 16, 2009 6:09 PM
To: vaibhav aher
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] MAIL SERVER TESTING

 

That's right, Vaibhav..

 

I was meant to place authentication control in between.. if we block relay
there is no use to have SMTP.

 

since it was mentioned below: test like open relay, mail spoofing, both are
interconnected.  We test open relay to prevent mail spoofing.

 

 

Rgds, 

 

Raj

 

  _____  

From: vaibhav aher [mailto:vaibhavaher at gmail.com] 
Sent: Wednesday, December 16, 2009 5:44 PM
To: Suryavanshi, Rajesh
Subject: Re: [Owasp-delhi] MAIL SERVER TESTING

Hello Raj.

 

If you block there Relay you will not be able to send the mails. Then there
will be no use of SMTP.

Kindly refer to SMTP AUTH, to stop Open Mail Relay.

 

Regards

Vaibhav 

IS Consultant.

On Wed, Dec 16, 2009 at 5:02 PM, Suryavanshi, Rajesh
<rajesh_suryavanshi at uhc.com> wrote:

 Hi All,

 

I need to have one clarification here regarding open relay, mail spoofing;
Is it possible to perform mail spoofing if open relay is blocked on a mail
server.

 

 

 

Rgds.

 

Raj

 

  _____  

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma

Sent: Wednesday, December 16, 2009 4:45 PM
To: dhruv.soi at torridnetworks.com
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] MAIL SERVER TESTING

Hi,

 

Thanks for the comments.

 

But what I was asking is: is there any specific "methodology/Guideline/How to"
to test such issues?

On Wed, Dec 16, 2009 at 4:35 PM, Soi, Dhruv <dhruv.soi at torridnetworks.com>
wrote:

Apart from the standard assessment of a mail server to check for vulnerabilities
in the SMTP/POP3/IMAP/OS software, there are a few mail-server-specific tests
like open relay, mail spoofing, usage of plain text protocols, user
harvesting via VRFY (SMTP command), Brute Force Prevention for POP3/SMTP/webmail,
Malware Evasion, SPAM Tests, Information Leakage in bounced messages,
webmail security, password policies etc.

 

Hope Helpful.

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Wednesday, December 16, 2009 4:24 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] MAIL SERVER TESTING

 

Hello All,

 

Can anyone share details (how to perform VAPT, any guideline, any
methodology) regarding the vulnerability assessment and pen test process
for a MAIL SERVER?

-- 
Thanks and Regards:

Parmendra Sharma
Computer Security Analyst





This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.


_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi

 

 