Firewall Wizards mailing list archives

MS Entourage (on OS X) sends information about internal network


From: John Adams <jna+dated+1086561290.e25d7d () retina net>
Date: Tue, 1 Jun 2004 15:34:32 -0700 (PDT)


Here's some tcpdump output from our network:

15:15:37.414183 tione.xxxxxxxxxx.com.smtp > xx.xxx.207.194.45323: P 
[tcp sum ok] 1:93(92) ack 1 win 5792 <nop,nop,timestamp 271042 3607425246> 
(DF) (ttl 64, id 9803, len 144)
0x0000   4500 0090 264b 4000 4006 4e36 d1ed e46a        E...&K@.@.N6...j
0x0010   3fcc cfc2 0019 b10b 8cac 048a c4e3 2986        ?.............).
0x0020   8018 16a0 49ea 0000 0101 080a 0004 22c2        ....I.........".
0x0030   d704 f0de 3232 3020 7469 6f6e 652e 7468        ....220.tione.xx
0x0040   6569 6e74 6572 7365 6374 696f 6e2e 636f        xxxxxxxxxxxxx.co
0x0050   6d20 4553 4d54 5020 5365 6e64 6d61 696c        m.ESMTP.Sendmail
0x0060   2038 2e31 322e 382f 382e 3132 2e38 3b20        .8.12.8/8.12.8;.
0x0070   5475 652c 2031 204a 756e 2032 3030 3420        Tue,.1.Jun.2004.
0x0080   3135 3a31 353a 3337 202d 3034 3030 0d0a        15:15:37.-0400..

15:15:37.430821 xx.xxx.207.194.45323 > tione.xxxxxxxxxx.com.smtp: P 
[tcp sum ok] 1:19(18) ack 93 win 65535 <nop,nop,timestamp 3607425246 
271042> (DF) (ttl 48, id 708, len 70)
0x0000   4500 0046 02c4 4000 3006 8207 3fcc cfc2        E..F..@.0...?...
0x0010   d1ed e46a b10b 0019 c4e3 2986 8cac 04e6        ...j......).....
0x0020   8018 ffff e6d1 0000 0101 080a d704 f0de        ................
0x0030   0004 22c2 4548 4c4f 205b 3130 2e32 2e31        ..".EHLO.[10.2.1
0x0040   2e32 335d 0d0a                                 .23]..

I assume that with enough time it'd be possible to map the internal 
networks of external users if you run a busy MTA - this is more of an 
information leak issue than anything else.

I don't know of too many firewalls that block outbound EHLO data -- does 
anyone know of an FW that can block this type of leak? 

--john


-- 
J. Adams                                        http://www.retina.net/~jna



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
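
The check an SMTP-aware egress filter would need for the leak described in the post above, as an added example (not part of the original post and not the behaviour of any particular firewall product): it recognises EHLO/HELO arguments that are RFC 5321 address literals in internal ranges and rewrites them to the egress address, which the receiving MTA already sees as the TCP source. The names `leaked_address`, `sanitize` and `INTERNAL`, and the documentation address 192.0.2.10, are assumptions.

```python
import ipaddress
import re

# EHLO/HELO carrying an RFC 5321 address literal: [a.b.c.d] or [IPv6:...]
GREETING = re.compile(r"^(EHLO|HELO)[ \t]+\[(IPv6:)?([0-9A-Fa-f:.]+)\]$", re.I)

# Ranges that identify a host's place inside a network rather than on the Internet
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128")]               # IPv6 equivalents


def leaked_address(line):
    """Return the internal address exposed by an EHLO/HELO line, else None."""
    m = GREETING.match(line.rstrip("\r\n"))
    if not m:
        return None                      # hostname argument, or not a greeting
    try:
        addr = ipaddress.ip_address(m.group(3))
    except ValueError:
        return None
    if (addr.version == 6) != bool(m.group(2)):
        return None                      # "IPv6:" tag and address family disagree
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:10.2.1.23 leaks 10.2.1.23
    return addr if any(addr in net for net in INTERNAL) else None


def sanitize(line, egress_ip):
    """Replace a leaking literal with the address the server already sees."""
    if leaked_address(line) is None:
        return line
    verb = line.split(None, 1)[0]
    pub = ipaddress.ip_address(egress_ip)
    tag = "IPv6:" if pub.version == 6 else ""
    return f"{verb} [{tag}{pub}]\r\n"


if __name__ == "__main__":
    # First line is the greeting from the capture; the others are constructed.
    for raw in ("EHLO [10.2.1.23]\r\n", "EHLO mail.example.org\r\n",
                "HELO [IPv6:fe80::1]\r\n"):
        print(repr(raw), "->", leaked_address(raw), repr(sanitize(raw, "192.0.2.10")))
```

Hostname arguments pass through unchanged here; only address literals, the case shown in the capture, are rewritten.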

