Re: [PEN-TEST] eMail auditing problem

[pete <pete () POPTEL NET>]

----- Original Message -----
From: "Erik Tayler" <nine () 14x net>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: 13 September 2000 21:56
Subject: Re: [PEN-TEST] eMail auditing problem


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just to clarify (and try not to seem picky), the sniffer
doesn't need
> to reside "between the source of the email and the
destination". It
> can reside on the server sending mail, or the server receiving
mail,
> as well as anything in-between. Just seemed like something was
left
> out.
Indeed and further, it doesn't need to reside on the path that's
reported by traceroute. Even without considering traceroute's
inability to show anything more than a route used at that moment
(and may not even be internally consistent if the route changes
during the traceroute itself), look at tunnelx (IOS Transparent
reroute and capture) in phrack 56 article 10
(http://www.phrack.com/search.phtml?view&article=p56-10) if you
want to get really paranoid.

However, I would first ask your customer what reason he has for
thinking his mail is being sniffed. In my experience some people
tend to blame any information leakage or weirdness on hacking.

IMHO, YMMV, just my 1/2d etc.
pete

> Erik Tayler
> http://www.14x.net/fx
>
> - -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On
> Behalf
> Of Justin Schaefer
> Sent: Wednesday, September 13, 2000 12:05 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: eMail auditing problem
>
>
> in order to sniff someones email, the person sniffing would
need root
> access
> on a machine between the source of the email and the
destination. the
> person
> would then run a packet sniffer, like dsniff or snoop, and
filter the
> input,
> to only see what they wanted to see. If you are sure this is
> happening,
> traceroute from your mail server to a destination where your
client
> believes
> his mail is being read. Start by checkign out all machines on
your
> local
> network for unusual traffic/programs/users logged in etc... and
> search the
> drives fro files that shouldnt be there. logs.. etc. then move
on to
> the
> next hop in the traceroute. Once you have gone as far as you
can in
> this
> manner, and you can confirm that the email is being raed, it
may be
> time to
> start alerting admins at other isps, or carriers. Just keep
following
> the
> traceroute, until you find him. Chances are however, that it is
> somewhere on
> your clients network.
>
> - -Justin
>
> - -----Original Message-----
> From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
> Sent: Wednesday, September 13, 2000 8:17 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: [PEN-TEST] eMail auditing problem
>
>
> Hi Folks,
>
> as I'm new to the security scene I have to ask you a questions:
>
> I've heard from a customer, that he believes, that all of his
> outgoing mail
> is read by someone using an email sniffer! My
> question now is: has that to be server sided? I mean can anyone
use
> this
> email sniffer or has he or she already hacked the
> outgoing mail server?
>
> How is this to be done?
> What programms?
> What procedure?
> How would you do that?
>
> Thanx in advance,
>
> Jens Groh
> Hostmaster / Security
> LPC GmbH
> Germany
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use
<http://www.pgp.com>
>
iQA/AwUBOb/qEE0pQlPl0B0AEQKSEgCfZgbW62buQ0qozRfWnKgwPmWqlqsAoJah
> X36PAG7Od/kT8tofXQxylL5p
> =+/GD
> -----END PGP SIGNATURE-----