Mailing List Archive: exim: users

How do ISP's restrict access without authentication

 

 



eximquest1 at mailinator

Oct 26, 2009, 6:33 AM

Post #1 of 10
How do ISP's restrict access without authentication

Hi,
I was wondering how exactly ISPs - that don't require authentication -
manage to restrict access to their customers only.
I know that Exim can restrict access by IP address, but IP addresses can be
spoofed (and very often are spoofed by automated scanners which search for
SMTP servers that are open in this way).
How, then, do ISPs manage to prevent their servers from being abused?
In other words, if an ISP only authenticates based on IP address, then
surely that would leave their server open to abuse.
The answer to this question will help me a lot.
Thanks


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


chris at qwirx

Oct 26, 2009, 6:46 AM

Post #2 of 10
Re: How do ISP's restrict access without authentication [In reply to]

On Tue, 27 Oct 2009, Charlie wrote:

> I was wondering how exactly ISP's - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).

This is pure nonsense. IP addresses in TCP connections are very difficult
(basically impossible) to spoof without access to the physical wire (or
link layer) that the user is on, or without them finding out.

This in itself destroys the rest of the argument, but if you want extra
security, configure your border firewall to block incoming packets from
the outside world that claim to be coming from IP addresses that you know
are internal to your network.

Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |



peter.lindberg at fiber

Oct 26, 2009, 6:53 AM

Post #3 of 10
Re: How do ISP's restrict access without authentication [In reply to]

Charlie skrev:
> Hi,
> I was wondering how exactly ISP's - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).
> How then, do ISP's manage to prevent their servers from being abused?
> In other words, if an ISP only authenticates based on IP address, then
> surely that would leave their server open to abuse.
> The answer to this question will help me a lot.

Hi, I don't think it's a problem for ISPs. Since they own the IPs and
have full control over the routing, they can see and prevent people
from spoofing their IP. Bots can infiltrate their network and try to use
the ISP's servers for relaying spam, though, but imposing a limit on what
people can send, monitoring abnormal behaviour, and virus/spam protection on
outgoing servers can solve that.




richard at highwayman

Oct 26, 2009, 7:40 AM

Post #4 of 10
Re: How do ISP's restrict access without authentication [In reply to]

In message <810190912069457987532D87BAE82817 [at] CharlieCompa>, Charlie
<eximquest1 [at] mailinator> writes

>I was wondering how exactly ISP's - that don't require authentication -
>manage to restrict access to their customers only.

They use ACL conditions that check the IP address is in range

>I know that Exim can restrict access by IP address,

Exactly so

>but IP addresses can be
>spoofed

For two way TCP conversations (as needed for email transfer) IP
addresses cannot be spoofed unless

the spoofer can sniff the traffic as it travels between the endpoints
(not a very interesting attack scenario)
or
the mail server stack is sub-standard and does not use truly random
initial sequence numbers (in which case, upgrade to something that
was shipped this century)

>(and very often are spoofed by automated scanners which search for
>SMTP servers that are open in this way).

Scanners can operate (no idea how many do in practice) by just using SYN
packets and then causing the SYN-ACK to go to a third party whose
machine state can be tested remotely (usually because it allocates
sequential identifiers to RST packets). But all this scanning activity
does is to detect the TCP/25 listener, it doesn't involve any forging of
email traffic.

- --
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


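The handshake argument in the reply above, as an added example that is not part of the original thread and not Exim code: a toy model of a TCP listener whose SYN-ACK carries an initial sequence number (ISN), and a blind spoofer who sends a SYN with the hotel's address as source and therefore never sees that SYN-ACK. With a fixed-step ISN generator (the sort of stack the reply says to upgrade away from) the spoofer can probe once from its own address, predict the next ISN and complete the handshake; with a random 32-bit ISN the guess fails. The addresses, the 64000 step and the assumption that the victim host is silenced so it does not reset the stray SYN-ACK are all assumptions made for the illustration.

```python
import secrets

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class Listener:
    """Toy model of a TCP listener: SYN -> SYN-ACK(ISN) -> ACK(ISN+1).

    Only handshake state is modelled: no payload, timers or retransmission.
    This is an illustration written for this page, not Exim code.
    """

    def __init__(self, next_isn):
        self.next_isn = next_isn       # ISN generation policy (callable)
        self.half_open = {}            # (ip, port) -> ISN sent in the SYN-ACK
        self.established = []          # peer IPs that completed a handshake

    def syn(self, src_ip, src_port):
        """Handle a SYN. Returns the ISN carried by the SYN-ACK, which is sent
        to src_ip, i.e. to whoever owns that address, not to the sender."""
        isn = self.next_isn()
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def ack(self, src_ip, src_port, ack_num):
        """Handle the final ACK. Succeeds only if it acknowledges our ISN+1."""
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack_num == (isn + 1) & MASK32:
            self.established.append(src_ip)
            return True
        return False


class SequentialISN:
    """Predictable generator: the ISN advances by a fixed step per connection
    (assumed values; stands in for an old, non-random stack)."""

    def __init__(self, start=1000, step=64000):
        self.value = start
        self.step = step

    def __call__(self):
        self.value = (self.value + self.step) & MASK32
        return self.value


def random_isn():
    """Modern behaviour: a fresh, unpredictable 32-bit ISN per connection."""
    return secrets.randbits(32)


def blind_spoof(listener, attacker_ip="198.51.100.9", victim_ip="203.0.113.7",
                step=64000):
    """Try to complete a handshake with victim_ip as source without ever
    seeing the SYN-ACK. Addresses and the step are assumptions for the demo."""
    # 1. Probe from the attacker's own address to learn the current ISN.
    seen = listener.syn(attacker_ip, 40000)
    listener.ack(attacker_ip, 40000, (seen + 1) & MASK32)
    # 2. Send a SYN claiming to be the victim. The SYN-ACK goes to the victim,
    #    so its ISN is discarded here: the attacker never receives it.
    #    (Assumed: the victim is kept quiet so it does not RST the stray SYN-ACK.)
    listener.syn(victim_ip, 40001)
    # 3. Guess the ISN the listener used for that SYN and send the final ACK.
    guess = (seen + step + 1) & MASK32
    return listener.ack(victim_ip, 40001, guess)


if __name__ == "__main__":
    old = Listener(SequentialISN())
    print("sequential ISN, spoofed handshake completed:", blind_spoof(old))
    new = Listener(random_isn)
    print("random ISN, spoofed handshake completed:", blind_spoof(new))
```

The only thing the spoofer lacks is the SYN-ACK; once the ISN in it is unpredictable, a 32-bit guess is the whole attack, which is why the replies treat the peer address of an established TCP connection as trustworthy.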


wbh at conducive

Oct 26, 2009, 7:44 AM

Post #5 of 10
Re: How do ISP's restrict access without authentication [In reply to]

Charlie wrote:
> Hi,
> I was wondering how exactly ISP's - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).
> How then, do ISP's manage to prevent their servers from being abused?
> In other words, if an ISP only authenticates based on IP address, then
> surely that would leave their server open to abuse.
> The answer to this question will help me a lot.
> Thanks
>
>

Simple, really. Though the explanation may be less so..

;-)


A 'connectivity' ISP is what we are talking about here - specifically an entity
that provides (broad)bandwidth. Not all also offer mail services, but most do.

Their customers are connected to their host(s) over a network the ISP controls.

Whether that is cable-modem, [a|d]dsl, or fiber to the desktop, all arrivals
(with whom we are concerned herein) attach from access points under the control
of that ISP - even if routed over intervening contract carriers.

In this environment, all IPs assigned to the almost-always-present NAT device
are issued from a pool (Allocated Portable) controlled by the connectivity ISP,
and traverse only routers they control.

In effect, the customers are 'inside' a ring-fence, hence 'known' to be from
those attached to their network and in their billing system, and no others.

Ergo, their system 'knows' which customer is on which assigned-from-pool IP at
any given date/time, as the IP may be changed at intervals from 15 minutes (PCCW
ADSL PPPoE) to a few times a year.

NB: Examples include PCCW, HKCable (Hong Kong), Comcast, Verizon, SWBell (USA),
BTL (UK). IOW - fiber, cable, or telco 'major carriers' with physical
outside-plant. Nothing to do with the MTA, per se - everything to do with the
network architecture.

Exceptions - big as they are - include MSN/Hotmail, Gmail, yahoo, AOL - who
ordinarily do NOT provide fiber, cable, or copper to the average residence or
business. These have to rely on userid:password auth just as a one-man shop does.

HTH,

Bill



mi6 at orcon

Nov 5, 2009, 2:46 AM

Post #6 of 10
Re: How do ISP's restrict access without authentication [In reply to]

Thanks everyone for your replies, and sorry for the late reply.
So, here is my problem.
I need to be able to authenticate traffic that is automatically being routed
to my mail server from a hotel's network.
I have the hotel's IP address, so I can authenticate based on that. I cannot
authenticate based on any sort of username/password, because the SMTP
redirection software they use cannot properly adjust these values to match
what we need.

The problem is that authentication based solely on IP address is not good
enough, because within a few days, the mail server is 'discovered' by
Chinese spammers. We've also tried the same thing with an entirely different
hotel (and the different IP address). This was also discovered as being a
mail server that authenticates solely by IP address, and was quickly spammed
by the Chinese spammers (using a forged IP address).

My question is this - is there anything I can do to properly authenticate this
SMTP traffic?


On 2009-10-26 13:33, Charlie wrote:
> Hi,
> I was wondering how exactly ISP's - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can
> be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).
> How then, do ISP's manage to prevent their servers from being abused?
> In other words, if an ISP only authenticates based on IP address, then
> surely that would leave their server open to abuse.
> The answer to this question will help me a lot.
> Thanks
>
>
>




exim-users at lists

Nov 5, 2009, 3:04 AM

Post #7 of 10
Re: How do ISP's restrict access without authentication [In reply to]

Charlie wrote:

> Thanks everyone for your replies, and sorry for the late reply.
> So, here is my problem.
> I need to be able to authenticate traffic that is automatically being routed
> to my mail server from a hotel's network.
> I have the hotel's IP address, so I can authenticate based on that. I cannot
> authenticate based on any sort of username/password, because the SMTP
> redirection software they use cannot properly adjust these values to match
> what we need.
>
> The problem is that authentication based solely on IP address is not good
> enough, because within a few days, the mail server is 'discovered' by
> Chinese spammers. We've also tried the same thing with an entirely different
> hotel (and the different IP address). This was also discovered as being a
> mail server that authenticates solely by IP address, and was quickly spammed
> by the Chinese spammers (using a forged IP address).

For all intents and purposes, you can't "forge" IP addresses in TCP
connections. Authentication based on IP should be fine. Please show us
the exact configuration that you've used to restrict relaying by IP.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/



renaud at allard

Nov 5, 2009, 3:17 AM

Post #8 of 10
Re: How do ISP's restrict access without authentication [In reply to]

Mike Cardwell wrote:
> Charlie wrote:
>
>> Thanks everyone for your replies, and sorry for the late reply.
>> So, here is my problem.
>> I need to be able to authenticate traffic that is automatically being routed
>> to my mail server from a hotel's network.
>> I have the hotel's IP address, so I can authenticate based on that. I cannot
>> authenticate based on any sort of username/password, because the SMTP
>> redirection software they use cannot properly adjust these values to match
>> what we need.
>>
>> The problem is that authentication based solely on IP address is not good
>> enough, because within a few days, the mail server is 'discovered' by
>> Chinese spammers. We've also tried the same thing with an entirely different
>> hotel (and the different IP address). This was also discovered as being a
>> mail server that authenticates solely by IP address, and was quickly spammed
>> by the Chinese spammers (using a forged IP address).
>
> For all intents and purposes, you can't "forge" IP addresses in TCP
> connections. Authentication based on IP should be fine. Please show us
> the exact configuration that you've used to restrict relaying by IP.
>

Maybe the spammers are in the hotel, in the form of trojanned
client machines... That would explain it very easily.


richard at highwayman

Nov 5, 2009, 3:20 AM

Post #9 of 10
Re: How do ISP's restrict access without authentication [In reply to]

In message <023F9377EB5B4E3FA914AAA057E9103F [at] CharlieCompa>, Charlie
<mi6 [at] orcon> writes

>I have the hotel's IP address, so I can authenticate based on that.

I think you probably need to post the details of this mechanism, so that
the experts can see if you are doing it correctly

>The problem is that authentication based solely on IP address is not good
>enough, because within a few days, the mail server is 'discovered' by
>Chinese spammers. We've also tried the same thing with an entirely different
>hotel (and the different IP address). This was also discovered as being a
>mail server that authenticates solely by IP address, and was quickly spammed
>by the Chinese spammers (using a forged IP address).

Either the hotel's machines are insecure and are being used as proxies
(which is a security issue that they can fix), or you are mistaken

It will not be possible to forge an IP address and make a TCP connection
to your machine (assuming your OS dates from 1990 or later)

- --
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




mi6 at orcon

Nov 5, 2009, 6:52 PM

Post #10 of 10
Re: How do ISP's restrict access without authentication [In reply to]

This is the check we are doing:

In the mail ACL we do a database query using the value $sender_host_address:

  # Ask the database who this client is, keyed on the authenticated id (empty
  # when the client did not authenticate), the envelope sender and the peer IP.
  # The reply starts with a three-character status tag ("X: ", "Y: " or other).
  deny
    set acl_m1 = ${lookup pgsql{ select smtp_identify_user( \
                   '${quote_pgsql:$authenticated_id}', \
                   '${quote_pgsql:$sender_address}', \
                   '${quote_pgsql:$sender_host_address}' \
                 )}{$value}}
    message   = ${substr_3:$acl_m1}
    condition = ${if eq {${substr_0_3:$acl_m1}}{X: }}

  # "Y: " means a temporary failure: defer with the text after the tag.
  defer
    message   = ${substr_3:$acl_m1}
    condition = ${if eq {${substr_0_3:$acl_m1}}{Y: }}

  # Anything whose tag sorts after "A: " (a lexical string comparison) is accepted.
  accept
    condition = ${if gt{${substr_0_3:$acl_m1}}{A: }}

We then choose to accept or defer depending on what we get.


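A check a practitioner would run before concluding that IP addresses were forged, as an added example that is not from the thread and not Exim's own tooling: the `[ip]` in an Exim mainlog `<=` (message arrival) line is the TCP peer address the server actually talked to, so counting arrivals per peer IP shows where the abuse entered. If the flagged address is the one the relay ACL trusts (the hotel), the spam came through hosts behind that address, as suggested earlier in the thread; if it is some other unauthenticated address, the ACL is letting more through than intended. This also gives the per-source limit and abnormal-volume monitoring that Post #3 recommends a concrete shape. The log lines, the addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt (not real traffic). 203.0.113.7 plays the
# hotel's address that the relay ACL trusts, 198.51.100.20 an authenticated
# client and 192.0.2.55 an ordinary inbound sender.
SAMPLE_MAINLOG = """\
2009-11-05 09:00:01 1N5wT1-0000Aa-1a <= guest@example.net H=(guest-pc) [203.0.113.7] P=esmtp S=2140 id=a1@guest-pc
2009-11-05 09:00:12 1N5wT2-0000Ab-2b <= guest@example.net H=(guest-pc) [203.0.113.7] P=esmtp S=1810 id=a2@guest-pc
2009-11-05 09:00:15 1N5wT3-0000Ac-3c <= zj8a@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4096 id=b1@wsrv
2009-11-05 09:00:16 1N5wT4-0000Ad-4d <= k02l@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4102 id=b2@wsrv
2009-11-05 09:00:16 1N5wT5-0000Ae-5e <= qq91@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4099 id=b3@wsrv
2009-11-05 09:00:17 1N5wT6-0000Af-6f <= m7c3@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4101 id=b4@wsrv
2009-11-05 09:00:18 1N5wT7-0000Ag-7g <= pl55@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4097 id=b5@wsrv
2009-11-05 09:00:18 1N5wT8-0000Ah-8h <= x1x1@example.org H=(wsrv) [203.0.113.7] P=esmtp S=4100 id=b6@wsrv
2009-11-05 09:00:30 1N5wT9-0000Ai-9i <= alice@example.com H=mail.example.com [198.51.100.20] P=esmtpsa A=plain:alice S=3000 id=c1@example.com
2009-11-05 09:00:45 1N5wTA-0000Aj-0j <= bob@example.com H=mail.example.com [198.51.100.20] P=esmtpsa A=plain:bob S=2200 id=c2@example.com
2009-11-05 09:01:02 1N5wTB-0000Ak-1k <= news@example.info H=mx.example.info [192.0.2.55] P=esmtp S=5120 id=d1@example.info
2009-11-05 09:01:10 1N5wTC-0000Al-2l => alice@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.9]
"""

# Exim's arrival line: "<= sender H=host (helo) [ip] P=proto [A=auth] S=size ..."
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?)\[(?P<ip>[0-9a-fA-F.:]+)\](?P<rest>.*)$"
)


def parse_arrivals(text):
    """Return one dict per '<=' line; the peer IP is the TCP source Exim saw."""
    records = []
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue                      # deliveries, rejects, etc. are skipped
        auth = re.search(r"\bA=(\S+)", m.group("rest"))
        records.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "sender": m.group("sender"),
            "auth": auth.group(1) if auth else None,
        })
    return records


def summarize(records):
    """Per peer IP: message count, distinct envelope senders, authenticated count."""
    per_ip = defaultdict(lambda: {"msgs": 0, "senders": set(), "authed": 0})
    for r in records:
        e = per_ip[r["ip"]]
        e["msgs"] += 1
        e["senders"].add(r["sender"])
        if r["auth"]:
            e["authed"] += 1
    return dict(per_ip)


def flag_abuse(per_ip, relay_ips, max_msgs=5, max_senders=3):
    """Flag noisy peers and say what the result means for the relay ACL.
    Thresholds are arbitrary for the sample; tune them to the real volume."""
    findings = []
    for ip, e in sorted(per_ip.items()):
        if e["msgs"] <= max_msgs and len(e["senders"]) <= max_senders:
            continue
        if ip in relay_ips:
            verdict = "trusted relay IP: abuse came through hosts behind it"
        elif e["authed"] == e["msgs"]:
            verdict = "authenticated client: check the account"
        else:
            verdict = "untrusted, unauthenticated peer: relay ACL is too open"
        findings.append((ip, e["msgs"], len(e["senders"]), verdict))
    return findings


if __name__ == "__main__":
    summary = summarize(parse_arrivals(SAMPLE_MAINLOG))
    for finding in flag_abuse(summary, relay_ips={"203.0.113.7"}):
        print(*finding)
```

Run against the real mainlog, the interesting column is the peer address, not the envelope sender: many distinct senders from one trusted peer in a short window is the signature of a compromised or proxying machine behind that address, and the fix belongs on that network (or in a per-host rate limit), not in the ACL's notion of who the peer is.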
