Firewall Wizards mailing list archives
Re: MS Entourage (on OS X) sends information about internal network
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 1 Jun 2004 18:56:27 -0400 (EDT)
On Tue, 1 Jun 2004, John Adams wrote:
> Here's some tcpdump output from our network:
>
> 15:15:37.414183 tione.xxxxxxxxxx.com.smtp > xx.xxx.207.194.45323: P [tcp sum ok] 1:93(92) ack 1 win 5792 <nop,nop,timestamp 271042 3607425246> (DF) (ttl 64, id 9803, len 144)
> 0x0000 4500 0090 264b 4000 4006 4e36 d1ed e46a E...&K@.@.N6...j
> 0x0010 3fcc cfc2 0019 b10b 8cac 048a c4e3 2986 ?.............).
> 0x0020 8018 16a0 49ea 0000 0101 080a 0004 22c2 ....I.........".
> 0x0030 d704 f0de 3232 3020 7469 6f6e 652e 7468 ....220.tione.xx
> 0x0040 6569 6e74 6572 7365 6374 696f 6e2e 636f xxxxxxxxxxxxx.co
> 0x0050 6d20 4553 4d54 5020 5365 6e64 6d61 696c m.ESMTP.Sendmail
> 0x0060 2038 2e31 322e 382f 382e 3132 2e38 3b20 .8.12.8/8.12.8;.
> 0x0070 5475 652c 2031 204a 756e 2032 3030 3420 Tue,.1.Jun.2004.
> 0x0080 3135 3a31 353a 3337 202d 3034 3030 0d0a 15:15:37.-0400..
>
> 15:15:37.430821 xx.xxx.207.194.45323 > tione.xxxxxxxxxx.com.smtp: P [tcp sum ok] 1:19(18) ack 93 win 65535 <nop,nop,timestamp 3607425246 271042> (DF) (ttl 48, id 708, len 70)
> 0x0000 4500 0046 02c4 4000 3006 8207 3fcc cfc2 E..F..@.0...?...
> 0x0010 d1ed e46a b10b 0019 c4e3 2986 8cac 04e6 ...j......).....
> 0x0020 8018 ffff e6d1 0000 0101 080a d704 f0de ................
> 0x0030 0004 22c2 4548 4c4f 205b 3130 2e32 2e31 ..".EHLO.[10.2.1
> 0x0040 2e32 335d 0d0a .]..
>
> I assume that with enough time it'd be possible to map the internal networks of external users if you run a busy MTA - this is more of an information leak issue than anything else. I don't know of too many firewalls that block outbound EHLO data -- does anyone know of an FW that can block this type of leak?
Postfix at the application level should be able to handle it. Ideally, user machines shouldn't be sending SMTP directly (yes, it's more of an issue on a Windows network though), and you should scrub the headers at the gateway if that's a concern for you.

Entourage also puts the e-mail address in the message-id, but Outlook Express puts the IP address in the message-id, so that allows leakage as well. I'm not sure how Outlook generates message-ids, but suspect there's some leakage stuff in there too.

There are generally enough ways to get a system to cough up its physical address that I'm not sure it's a major issue in any case. Ok, you get the addresses of the desktops; you can call and get that from most of the users, and generally, you don't need the addresses to get malcode onto the desktops, so any piece of malware you can get run will enumerate for you, and if they're allowed to SMTP straight out, Bob's your uncle. One good program or installer, and you're generally in the same place.

In general, I'm not as worried about information disclosure as I used to be, because it really doesn't gain the attacker much that can't be gained some other way.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net     which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
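As an added example, not part of the thread, the check below rebuilds the quoted tcpdump -X packet, pulls out the TCP payload and flags EHLO/HELO address literals that fall in private (RFC 1918) space, which is the kind of test an MTA operator can run over captures or raw session logs to see how much of this leak actually reaches the gateway. The hex lines are copied from John's second packet above with the ASCII column dropped; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the client's EHLO packet from the tcpdump -X output
# quoted in the thread (ASCII column omitted, no link-layer header).
SAMPLE_HEX_DUMP = """
0x0000 4500 0046 02c4 4000 3006 8207 3fcc cfc2
0x0010 d1ed e46a b10b 0019 c4e3 2986 8cac 04e6
0x0020 8018 ffff e6d1 0000 0101 080a d704 f0de
0x0030 0004 22c2 4548 4c4f 205b 3130 2e32 2e31
0x0040 2e32 335d 0d0a
"""

# EHLO/HELO followed by an address literal, e.g. "EHLO [10.2.1.23]"
HELO_RE = re.compile(r"^(?:EHLO|HELO)\s+\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", re.I | re.M)


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet from tcpdump -X lines ('0x0010 4500 0046 ...')."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        # at most eight 16-bit groups per line; anything else is the ASCII column
        for word in fields[1:9]:
            if re.fullmatch(r"[0-9a-fA-F]{2,4}", word):
                out += bytes.fromhex(word)
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4/TCP packet (IHL and data offset honoured)."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = int.from_bytes(frame[2:4], "big")
    data_off = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + data_off:total_len]


def leaked_helo_addresses(payload: bytes) -> list:
    """Address literals in EHLO/HELO lines that are private, i.e. internal addresses leaked."""
    text = payload.decode("ascii", errors="replace")
    leaks = []
    for literal in HELO_RE.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            continue  # malformed literal, not an address at all
        if addr.is_private:
            leaks.append(str(addr))
    return leaks


def scan_hexdump(dump: str) -> list:
    """Convenience wrapper: hex dump in, list of leaked private addresses out."""
    return leaked_helo_addresses(tcp_payload(hexdump_to_bytes(dump)))
```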
Current thread:
- MS Entourage (on OS X) sends information about internal network John Adams (Jun 01)
- Re: MS Entourage (on OS X) sends information about internal network Paul D. Robertson (Jun 01)
- Re: MS Entourage (on OS X) sends information about internal network Vladimir Parkhaev (Jun 01)