HPE Community
Operating System - HP-UX
1830207 Members
1859 Online
109999 Solutions
New Discussion

How to disable elm spoofing?

 
Brian Walser_1
Frequent Visitor

‎11-09-2005 11:23 AM

‎11-09-2005 11:23 AM

How to disable elm spoofing?

Putting the following line in the .elm/elmheaders file :
From:Wally
for a user, effectively shows any email the user sends (from elm) to be from Wally whose email address is fred.flintstone@hp.com.
This has been deemed a security threat. Is there someway (elmrc, sendmail,...) where this functionality can be disabled?
0 Kudos
8 REPLIES 8
Adisuria Wangsadinata_1
Honored Contributor

‎11-09-2005 02:09 PM

‎11-09-2005 02:09 PM

Re: How to disable elm spoofing?

Hi Brian,

Good day to you !
Check the url below (docID : IVKBRC00006781) about 'How to configure masquerading (site hiding)' :

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062907049

Hope this information can help, let me know if it doesnt.

Cheers,
AW
now working, next not working ... that's unix
0 Kudos
Brian Walser_1
Frequent Visitor

‎11-10-2005 03:23 AM

‎11-10-2005 03:23 AM

Re: How to disable elm spoofing?

AW,
The link you provided has some interesting info - but I don't see how it relates to the problem I am having. I need to know how to disable the "From:" feature (in elmheaders) in elm. I would think there would be an official HP document as this is a security risk on all HP-UX systems...
BW
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎11-10-2005 03:59 AM

‎11-10-2005 03:59 AM

Re: How to disable elm spoofing?

If this is really bothering you then download the source from here and modify to suit your whims (the change would be easy): http://gatekeep.cs.utah.edu/hppd/hpux/Networking/Mail/elm-2.5.7/

However, this is all but a waste of time because the security hole (if you want to call it that) is woven into the fabric of the mail protocol itself. It is trivially easy to modify the 'From' header line at any step along the way. Remember, one could build the entire mail message by hand (or by shell script) and it would be equally compromised. I readily admit that elm makes it easier to modify the From header but closing that hole by no means transforms mail into something secure. You should also note that the "From" entry in the elmheaders file also has perfectly legitimate uses so you could be throwing out the baby with the bathwater.



What might satisfy your auditors is a cron job that scans the /home directory looking at the contents of the elmheaders files and issues a message when a suspicious entry is found.
If it ain't broke, I can fix that.
0 Kudos
Kent Ostby
Honored Contributor

‎11-10-2005 05:30 AM

‎11-10-2005 05:30 AM

Re: How to disable elm spoofing?

Clay is right.

Someone could just as easily do this via mailx, etc.

Why is this considered a security hole?

If there is ever a problem, the message-id can be traced back via the mail.log to the actual sender.
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
0 Kudos
Brian Walser_1
Frequent Visitor

‎11-10-2005 10:00 AM

‎11-10-2005 10:00 AM

Re: How to disable elm spoofing?

I know the problem is bigger than elm. I was hoping it could be disabled in sendmail... Management has decided that there is no legitimate reason that anyone should use the "From" feature here - so there is no baby in the bathwater.
With all the security issues surrounding spoofing, I was hoping HP had a patch or other way of disabling the feature. A cron job was talked about - but how long would it take someone to rename a file to elmheaders, send an email and delete the elmheaders file? To quickly to catch with a cron job.
The mail.log file (even with logging level set high) does not supply the "true" sender in all cases. ctladdr gives the corresponding username for the uid, but not the loginname of the user. Thanks for your help.
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎11-10-2005 10:15 AM

‎11-10-2005 10:15 AM

Re: How to disable elm spoofing?

Sendmail is as sendmail does. Download the source for it and have at it, but again, any of the intermediate mail servers could be compromised and you really only tightened up one end of a potentially very long pipeline. If this were easy (or even possible if transmitting over public networks) then you would never be getting email from people that you know really didn't send it.
If it ain't broke, I can fix that.
0 Kudos
Steven E. Protter
Exalted Contributor

‎11-10-2005 11:25 AM

‎11-10-2005 11:25 AM

Re: How to disable elm spoofing?

Management can't legislate how the Internet works. Don't think the US Congress really can either.

What you can do is make sure the mail is true before it gets out to the public Internet.

With good sendmail configuration and control of what user mail tools are used you can control how the mail looks on the way out.

Command line Unix is not something everybody needs. Usually that is.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Brian Walser_1
Frequent Visitor

‎11-11-2005 05:34 AM

‎11-11-2005 05:34 AM

Re: How to disable elm spoofing?

I have passed on the info to management.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.