Security Incidents mailing list archives

Re: Strange ETRN attempts


From: "Lea, Michael" <MLea () MPI MB CA>
Date: Wed, 26 Jul 2000 15:17:57 -0500

On July 26, 2000 Nicolas Gregoire <nicolas.gregoire () 7THZONE COM> wrote:
Here's what appeared in my logs last night (addresses and names
sanitized):

Jul 25 19:08:36 yonopido sendmail[31713]: NOQUEUE:
mail.offending_domain.com [The_IP]: ETRN @acclaim.de
Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE:
mail.offending_domain.com [The_IP]: ETRN @acclaim.net
                 [ snip ]

I know that there are some security problems with the SMTP ETRN command,
but I don't know which ones.

Does anybody have any information or links on the ETRN command?
Has anybody ever seen that?

The ETRN command is a (more) secure replacement for the TURN command.
They're both designed so that a mail server with a part-time Internet
connection can trigger mail delivery from a full-time host when they
connect rather than waiting for the full-time host's MTA to schedule
delivery.

If your mail server supports the TURN command, somebody could connect to it,
issue the command "TURN @mydomain.com", and your server would start sending
mail queued for mydomain.com to the attacker over the same connection. Not
something you really want happening.

With the ETRN command in a similar situation, your server will open a new
connection to the MX host for mydomain.com, and start sending any mail it
has queued.  There aren't any security problems (that I know of) inherent in
this, assuming that mydomain.com is resistant to domain hijacking and DNS
poisoning.

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
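The TURN/ETRN difference Michael describes, and the log pattern Nicolas quoted, as an added Python example that is not part of the thread: a toy MTA command handler that refuses TURN (which would hand queued mail back over the caller's own session) and answers ETRN with the RFC 1985 reply codes while scheduling delivery to the domain's MX over a separate connection, plus a detector that flags a client host issuing ETRN for many unrelated domains. The queue, MX table, IP addresses and log lines are all constructed; a real MTA would resolve MX records through DNS, which is exactly where the domain-hijacking and DNS-poisoning caveat applies.

```python
import re
from collections import defaultdict

# Constructed outbound queue: domain -> queued message ids (not real data)
QUEUE = {
    "mydomain.com": ["msg-001", "msg-002"],
    "acclaim.de": ["msg-003"],
}
# Constructed MX table standing in for a DNS MX lookup. In a real MTA this
# answer comes from DNS, so a poisoned or hijacked zone would redirect the
# queue run that ETRN triggers.
MX = {"mydomain.com": "mx.mydomain.com", "acclaim.de": "mx.acclaim.de"}


def handle_turn(domain):
    """TURN reverses the roles on the *current* session, so the caller would
    receive whatever is queued for `domain`. A server that does not want to
    leak queued mail to an arbitrary client simply refuses the command."""
    return "502 Command not implemented", []


def handle_etrn(domain):
    """ETRN (RFC 1985): acknowledge and start a queue run for `domain` on a
    new outbound connection to its MX. Nothing is sent back to the caller.
    Returns (smtp_reply, [(mx_host, message_id), ...] scheduled)."""
    node = domain.lstrip("@")
    msgs = QUEUE.get(node, [])
    if not msgs:
        return "251 OK, no messages waiting for node %s" % node, []
    mx = MX.get(node)
    if mx is None:
        return "458 Unable to queue messages for node %s" % node, []
    return ("250 OK, queuing for node %s started" % node,
            [(mx, m) for m in msgs])


# Constructed sendmail-style log lines modelled on the quoted report; the
# hostnames and documentation-range IPs are placeholders, not real systems.
SAMPLE_LOG = """\
Jul 25 19:08:36 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [192.0.2.10]: ETRN @acclaim.de
Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [192.0.2.10]: ETRN @acclaim.net
Jul 25 19:08:38 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [192.0.2.10]: ETRN @example.org
Jul 25 21:00:02 yonopido sendmail[31990]: NOQUEUE: relay.partner.example [198.51.100.7]: ETRN @partner.example
"""

ETRN_RE = re.compile(r"sendmail\[\d+\]: NOQUEUE: (\S+) \[([^\]]+)\]: ETRN (\S+)")


def etrn_scanners(log_text, threshold=3):
    """Group ETRN requests by client host and return those that asked for at
    least `threshold` distinct domains. A legitimate part-time site asks for
    its own domain; one host walking through many domains is probing."""
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = ETRN_RE.search(line)
        if m:
            host, _ip, domain = m.groups()
            by_host[host].add(domain.lstrip("@"))
    return {h: sorted(d) for h, d in by_host.items() if len(d) >= threshold}


if __name__ == "__main__":
    print(handle_turn("@mydomain.com"))
    print(handle_etrn("@mydomain.com"))
    print(etrn_scanners(SAMPLE_LOG))
```

The detector keys on the client hostname as sendmail logs it; keying on the IP instead (the second capture group) is the safer choice when reverse DNS for the peer is untrusted.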

