Mail Forgery of Spoofing

Eugene Taylashev

Many organizations depend heavily on their mail systems to do business, but many of those mail systems are vulnerable to mail forgery or spoofing. Mail spoofing (mail forgery) is the technique by which an outside person sends e-mail to someone inside an organization while pretending to be one of the organization's internal users. A malicious person could use it for social engineering attacks: imagine an e-mail from your network administrator asking you to change your password, or from your boss announcing a salary increase.

This technique exploits a common misconfiguration of the mail (SMTP) server. Many SMTP servers, including MS Exchange, by default accept e-mail from outside connections whether the From field carries a domain local to the organization or an external domain. In most cases an organization does not need this behaviour, except when users work remotely and send their e-mail using simple client software.

The mail forgery vulnerability may be used for:

More about mail spoofing/forgery is available on the CERT web site at http://www.cert.org/tech_tips/email_spoofing.html.

Prevention

The simplest protection against e-mail spoofing is to configure your organization's SMTP server to reject e-mails whose From field carries one of your organization's local domains. See for example MS Knowledge Base articles Q245465 and Q193926 on how to configure MS Exchange to filter an organization's local domain on the external SMTP server.

But before implementing the protection you need to verify that nobody in your organization uses a POP3/IMAP4/SMTP mail connection from the outside, and that no internal services depend on SMTP and use your mail (SMTP) server to send e-mails.
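The following policy check is an added example, not the page's Perl script and not Exchange's own filter. It models the prevention described above on the receiving side: an unauthenticated outside connection may not claim a local domain as sender, while the two cases the previous paragraph warns about (remote users who authenticate, and internal services that relay through the server) are allow-listed. Both the envelope sender and the header From are checked, since a forged message may carry the local domain in only one of them. The domain names, network ranges, relay host and sample message are constructed values.

```python
"""Inbound SMTP acceptance policy (added example, not the page's own code).

Models the advice on this page: an external connection is not allowed to
claim one of the organization's local domains as sender, while the two
documented exceptions (authenticated remote users, internal services that
relay through the server) are allow-listed. Domains, networks and hosts
below are constructed sample values.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = ("example.com",)                      # constructed: the organization's domains
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),  # constructed: where internal users connect from
                 ipaddress.ip_network("192.168.0.0/16")]
# Hypothetical allow-list for the caveat above: internal services or partner
# hosts that must keep sending with a local From address from outside.
RELAY_HOSTS = {ipaddress.ip_address("203.0.113.10")}


def sender_domain(address: str) -> str:
    """Domain part of an address, tolerating display names and angle brackets."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_local_domain(domain: str) -> bool:
    """True for a local domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(client_ip: str, authenticated: bool, mail_from: str, raw_message: str):
    """Return (accept, reason) for one inbound message.

    Both the envelope sender (MAIL FROM) and the header From are checked,
    because a forged message may carry a local domain in only one of them.
    """
    header_from = message_from_string(raw_message).get("From", "")
    claimed = {sender_domain(mail_from), sender_domain(header_from)} - {""}
    local_claims = sorted(d for d in claimed if is_local_domain(d))
    if not local_claims:
        return True, "sender domains are external"
    if is_internal(client_ip):
        return True, "internal client"
    if authenticated:
        return True, "authenticated remote user"
    if ipaddress.ip_address(client_ip) in RELAY_HOSTS:
        return True, "allow-listed relay host"
    return False, "external client claims local domain(s): " + ", ".join(local_claims)


# Constructed sample message of the kind the page describes
FORGED_MESSAGE = (
    "From: \"Network Administrator\" <admin@example.com>\r\n"
    "To: \"Last, First\" <user@example.com>\r\n"
    "Subject: Please change your password\r\n"
    "\r\n"
    "Your password expires today.\r\n"
)

if __name__ == "__main__":
    # Outside connection, no authentication, local domain in From: rejected
    print(evaluate("198.51.100.7", False, "<admin@example.com>", FORGED_MESSAGE))
    # Same message arriving from the internal network: accepted
    print(evaluate("10.1.2.3", False, "<admin@example.com>", FORGED_MESSAGE))
```

The allow-list is the part to audit before switching the rule on: every entry in RELAY_HOSTS is a host that can still send mail "as" the organization from outside, so it should be limited to the services the inventory from the previous paragraph actually turned up.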

Also consider using cryptographic signatures as another alternative for mail forgery protection, such as those provided by PGP or built in to MS Outlook and Outlook Express.

Test Script

The following Mail_Forgery.zip PERL script illustrates such a case and was written to test this vulnerability. It is a simple SMTP client with minimal interactivity.

Just run the script; it will ask you for the format in which name and address should appear in the resulting mail, i.e. "First Last" <email@address> or "Last, First" <email@address>, then for the From first and last names and address, the To first and last names and address, and the target SMTP server.

I wrote these tools with honest intentions - to audit my own or my clients' networks. Please do not abuse this software.

This script is free software, under the GNU GPL. Thus, because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. The program is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction.

References

Updated: 20030206