Penetration Testing mailing list archives

Re: [PEN-TEST] eMail auditing problem


From: Justin Schaefer <JustinS () SCREAMINGMEDIA COM>
Date: Wed, 13 Sep 2000 13:05:01 -0400

In order to sniff someone's email, the person sniffing would need root access
on a machine between the source of the email and the destination. The person
would then run a packet sniffer, like dsniff or snoop, and filter the input
to only see what they wanted to see. If you are sure this is happening,
traceroute from your mail server to a destination where your client believes
his mail is being read. Start by checking out all machines on your local
network for unusual traffic/programs/users logged in etc... and search the
drives for files that shouldn't be there. logs.. etc. Then move on to the
next hop in the traceroute. Once you have gone as far as you can in this
manner, and you can confirm that the email is being read, it may be time to
start alerting admins at other ISPs, or carriers. Just keep following the
traceroute until you find him. Chances are, however, that it is somewhere on
your client's network.

-Justin

-----Original Message-----
From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
Sent: Wednesday, September 13, 2000 8:17 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] eMail auditing problem


Hi Folks,

As I'm new to the security scene I have to ask you a question:

I've heard from a customer that he believes that all of his outgoing mail
is read by someone using an email sniffer! My question now is: has that to be
server sided? I mean can anyone use this email sniffer or has he or she
already hacked the outgoing mail server?

How is this to be done?
What programs?
What procedure?
How would you do that?

Thanx in advance,

Jens Groh
Hostmaster / Security
LPC GmbH
Germany

