Penetration Testing mailing list archives

Re: [PEN-TEST] eMail auditing problem


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 12:31:48 -0500

This can happen a lot of different ways.  There are hacks to the
sendmail.cf file that can do all sorts of fun stuff... like archive
all outgoing mail to a file... an attacker may be able to have this
file transferred to him within cron or something, or maybe he/she
has access to the server and can just telnet in and read it...

Dsniff, by dugsong:  contains a WONDERFUL e-mail sniffer that places
all e-mail it sees in mbox format.  This could run on the e-mail
server itself, or directly in its path, at the ISP, or whatnot.
DSniff's "mailsnarf" program can be fed a RegExp to capture only
mail containing a pattern/string match...  Carnivore, anyone?
j/k, dugsong!

A simple sniffer could just log all port 25, 110, and 143 traffic
to a file... this could be placed in the same locations as dsniff.

The first method is the only one that would mean they've been
hacked (unless a legitimate admin is performing this unscrupulous
act)...  Look for sniffers and mail archives on the local system
to see if it's being stored locally or being sent off somewhere
else to someone.  That's about the only checking you can do.

Maybe check the validity of sendmail.cf from a known "clean" state.

Noah Dunker
Network Security Engineer
FishNet Security
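
The stream-to-mbox step Noah attributes to mailsnarf, as an added example that is not part of the original thread and not dsniff's own code. It assumes packet capture and TCP reassembly have already produced the client half of a port 25 session (the session bytes below are constructed for the example, as is the fixed mbox timestamp); it pulls each message out of the SMTP dialogue, undoes dot-stuffing, and writes an mbox, optionally keeping only messages that match a regular expression the way mailsnarf's filter does.

```python
"""
Added example (not from the original thread, not dsniff's code): what a
passive mail sniffer does with a reassembled client->server SMTP stream.
Capture and TCP reassembly are assumed to have happened already.
"""
import re
from typing import List, Optional, Tuple


def extract_smtp_messages(client_stream: bytes) -> List[Tuple[str, str, bytes]]:
    """
    Walk the client half of an SMTP session and return
    (envelope_from, envelope_to, raw_message) for every DATA block.
    Only the client's bytes are needed: the envelope comes from
    MAIL FROM / RCPT TO and the message sits between DATA and CRLF.CRLF.
    """
    msgs = []
    lines = client_stream.split(b"\r\n")
    env_from, env_to = "", []
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            env_from = line.split(b":", 1)[1].strip().strip(b"<>").decode("latin-1")
            env_to = []
        elif upper.startswith(b"RCPT TO:"):
            env_to.append(line.split(b":", 1)[1].strip().strip(b"<>").decode("latin-1"))
        elif upper == b"DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != b".":
                text_line = lines[i]
                # RFC 5321 dot-stuffing: a leading ".." on the wire is "." in the message
                if text_line.startswith(b".."):
                    text_line = text_line[1:]
                body.append(text_line)
                i += 1
            msgs.append((env_from, ", ".join(env_to), b"\r\n".join(body) + b"\r\n"))
        i += 1
    return msgs


def to_mbox(messages: List[Tuple[str, str, bytes]], pattern: Optional[str] = None,
            when: str = "Wed Sep 13 12:31:48 2000") -> str:
    """
    Render captured messages in mbox format. `pattern` mimics mailsnarf's
    regexp filter: only messages whose headers or body match are kept.
    Body lines beginning with "From " are escaped with ">" so an mbox
    reader does not mistake them for a new message boundary.
    `when` is a constructed timestamp; a real sniffer uses capture time.
    """
    out = []
    rx = re.compile(pattern, re.I | re.M) if pattern else None
    for env_from, _env_to, raw in messages:
        text = raw.decode("latin-1").replace("\r\n", "\n")
        if rx and not rx.search(text):
            continue
        body = "\n".join(
            (">" + l if l.startswith("From ") else l) for l in text.split("\n"))
        out.append(f"From {env_from} {when}\n{body}\n")
    return "".join(out)


# Constructed client->server half of one SMTP session carrying two messages.
SAMPLE_SESSION = (
    b"EHLO laptop.example.com\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"DATA\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: lunch\r\n"
    b"\r\n"
    b"Noon at the usual place?\r\n"
    b"..hidden line starting with a dot\r\n"   # dot-stuffed on the wire
    b".\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<cfo@example.org>\r\n"
    b"DATA\r\n"
    b"From: alice@example.com\r\n"
    b"To: cfo@example.org\r\n"
    b"Subject: Q3 merger terms\r\n"
    b"\r\n"
    b"From the board: the merger closes Friday. Password for the deck: hunter2\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def demo():
    """Capture everything, then only what matches a mailsnarf-style regexp."""
    msgs = extract_smtp_messages(SAMPLE_SESSION)
    everything = to_mbox(msgs)
    only_secrets = to_mbox(msgs, pattern=r"password|merger")
    return msgs, everything, only_secrets


if __name__ == "__main__":
    captured, _all_mail, filtered = demo()
    print(f"{len(captured)} message(s) captured; filtered mbox:\n")
    print(filtered)
```

Nothing here needs root or a raw socket, which is the point: the hard part of reading someone's outgoing mail is being on the path, not parsing the protocol. Anyone between the client and the first hop, including the server itself, gets the full text of every message sent over plain SMTP.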


-----Original Message-----
From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
Sent: Wednesday, September 13, 2000 7:17 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: eMail auditing problem


Hi Folks,

as I'm new to the security scene I have to ask you a question:

I've heard from a customer that he believes all of his outgoing mail
is read by someone using an email sniffer! My question now is: does that
have to be server-side? I mean, can anyone use this email sniffer, or
has he or she already hacked the outgoing mail server?

How is this to be done?
What programs?
What procedure?
How would you do that?

Thanx in advance,

Jens Groh
Hostmaster / Security
LPC GmbH
Germany
