Penetration Testing mailing list archives
Re: [PEN-TEST] eMail auditing problem
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 12:31:48 -0500
This can happen a lot of different ways.

There are hacks to the sendmail.cf file that can do all sorts of fun stuff... like archive all outgoing mail to a file... an attacker may be able to have this file transferred to him within cron or something, or maybe he/she has access to the server and can just telnet in and read it...

Dsniff, by dugsong: contains a WONDERFUL e-mail sniffer that places all e-mail it sees in mbox format. This could run on the e-mail server itself, or directly in its path, at the ISP, or whatnot. DSniff's "mailsnarf" program can be fed a RegExp to capture only mail containing a pattern/string match... Carnivore, anyone? j/k, dugsong!

A simple sniffer could just log all port 25, 110, and 143 traffic to a file... this could be placed in the same locations as dsniff.

The first method is the only one that would mean they've been hacked (unless a legitimate admin is performing this unscrupulous act)...

Look for sniffers and mail archives on the local system to see if it's being stored locally or being sent off somewhere else to someone. That's about the only checking you can do. Maybe check the validity of sendmail.cf from a known "clean" state.

Noah Dunker
Network Security Engineer
FishNet Security

-----Original Message-----
From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
Sent: Wednesday, September 13, 2000 7:17 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: eMail auditing problem

Hi Folks,

as I'm new to the security scene I have to ask you a question: I've heard from a customer that he believes that all of his outgoing mail is read by someone using an email sniffer!

My question now is: has that to be server sided? I mean can anyone use this email sniffer or has he or she already hacked the outgoing mail server? How is this to be done? What programs? What procedure? How would you do that?

Thanx in advance,

Jens Groh
Hostmaster / Security
LPC GmbH Germany
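The reply above suggests checking sendmail.cf against a known "clean" state. The following is an added example, not part of the original post: it compares a live copy with a trusted baseline by hash and then lists which configuration lines changed, grouped by sendmail.cf line type. The function names and both sample configurations are constructed for illustration, and the added mailer line is a non-functional placeholder.

```python
import difflib
import hashlib

# sendmail.cf is line-oriented: the first character of each line is its type.
# These types decide where mail is delivered and how addresses are rewritten.
ROUTING_TYPES = {"M": "mailer definition", "R": "rewriting rule",
                 "S": "ruleset start", "O": "option"}

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def audit_cf(baseline, current):
    """Compare a live sendmail.cf with a known-clean copy.

    Returns (matches, findings); each finding is (change, kind, line).
    Comment and blank-line changes fail the hash check but are not listed.
    """
    if digest(baseline) == digest(current):
        return True, []
    findings = []
    for entry in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        tag, line = entry[:2], entry[2:]
        if tag not in ("+ ", "- ") or not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t":
            kind = "continuation line"
        else:
            kind = ROUTING_TYPES.get(line[0], "other")
        findings.append(("added" if tag == "+ " else "removed", kind, line))
    return False, findings

# Constructed sample input, not a real configuration.
CLEAN_CF = "\n".join([
    "# constructed known-clean copy",
    "O QueueDirectory=/var/spool/mqueue",
    "Mlocal, P=/usr/bin/procmail, A=procmail -d $u",
    "S0",
    "R$+\t$#local $: $1",
]) + "\n"
# Same file with one constructed, non-functional mailer line added.
LIVE_CF = CLEAN_CF + "Mexample, P=[PLACEHOLDER], A=[PLACEHOLDER]\n"

if __name__ == "__main__":
    ok, findings = audit_cf(CLEAN_CF, LIVE_CF)
    print("matches baseline" if ok else "DIFFERS from baseline")
    for change, kind, line in findings:
        print(f"{change:8} {kind:18} {line}")
```

The baseline is only useful if it is kept somewhere the mail server cannot write to, such as read-only media or a separate host.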