Security Incidents mailing list archives
Re: Strange ETRN attempts
From: "Lea, Michael" <MLea () MPI MB CA>
Date: Wed, 26 Jul 2000 15:17:57 -0500
On July 26, 2000 Nicolas Gregoire <nicolas.gregoire () 7THZONE COM> wrote:
Here's what appeared in my logs last night (addresses and names sanitized):

Jul 25 19:08:36 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim.de
Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim.net
[ snip ]
I know that there are some security problems with the SMTP ETRN command, but I don't know which ones. Does anybody have any information or links on the ETRN command? Has anybody ever seen that?
The ETRN command is a (more) secure replacement for the TURN command. They're both designed so that a mail server with a part-time Internet connection can trigger mail delivery from a full-time host when they connect rather than waiting for the full-time host's MTA to schedule delivery.

If your mail server supports the TURN command, somebody could connect to it, issue the command "TURN @mydomain.com", and your server would start sending mail queued for mydomain.com to the attacker over the same connection. Not something you really want happening.

With the ETRN command in a similar situation, your server will open a new connection to the MX host for mydomain.com, and start sending any mail it has queued. There aren't any security problems (that I know of) inherent in this, assuming that mydomain.com is resistant to domain hijacking and DNS poisoning.

Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
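For reviewing logs like the ones quoted in this thread, the following added example (not part of the original posts) lists which clients issued ETRN for domains the server does not queue mail for. The regex follows the sendmail line format quoted above; the sample lines, the `queued_domains` allowlist and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Sendmail ETRN log line, in the format quoted in the thread:
#   <timestamp> <loghost> sendmail[<pid>]: NOQUEUE: <client> [<ip>]: ETRN <arg>
ETRN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssendmail\[\d+\]:\s"
    r"NOQUEUE:\s(?P<client>\S+)\s\[(?P<ip>[^\]]+)\]:\sETRN\s(?P<arg>\S+)\s*$"
)

def parse_etrn(line):
    """Return (client_ip, target) for an ETRN log line, else None."""
    m = ETRN_RE.match(line)
    if m is None:
        return None
    arg = m.group("arg").lower()
    if arg.startswith("#"):          # RFC 1985: '#' names a queue, not a domain
        return m.group("ip"), arg
    # RFC 1985: a leading '@' asks for the domain and all its subdomains
    return m.group("ip"), arg.lstrip("@").rstrip(".")

def is_served(target, queued_domains):
    """True if target is a queued domain or a subdomain of one."""
    return any(target == q or target.endswith("." + q) for q in queued_domains)

def unexpected_etrn(lines, queued_domains):
    """Map client IP -> sorted ETRN targets this server does not queue for."""
    queued = {d.lower() for d in queued_domains}
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_etrn(line)
        if parsed is None:
            continue                 # not an ETRN line
        ip, target = parsed
        if not is_served(target, queued):
            hits[ip].add(target)
    return {ip: sorted(targets) for ip, targets in hits.items()}

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = [
    "Jul 25 19:08:36 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @unrelated.example",
    "Jul 25 19:08:37 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @other.example",
    "Jul 25 20:00:01 mx1 sendmail[31800]: NOQUEUE: branch.example.org [198.51.100.7]: ETRN branch.example.org",
    "Jul 25 20:00:05 mx1 sendmail[31801]: from=<a@example.org>, size=120, nrcpts=1",
]

if __name__ == "__main__":
    # Assumption: this server only holds queued mail for example.org.
    for ip, targets in unexpected_etrn(SAMPLE_LOG, {"example.org"}).items():
        print(f"{ip}: ETRN for targets not queued here: {', '.join(targets)}")
```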