Penetration Testing mailing list archives

Re: Evaluation SMTP Gateway.


From: Alin-Adrian Anton <aanton () spintech ro>
Date: Fri, 11 Feb 2005 22:54:55 +0200

Daniel Espinosa wrote:
Hello,

I will evaluate an SMTP Gateway (it is an appliance). The objective of
this evaluation is to validate whether it really works well on the following
criteria:

1.- Anti-Spam.
2.- Antivirus.
3.- WebMail Protection.

To do this, I have implemented a lab with the characteristics of an
operational environment (Firewall - SMTP Gateway - MailServer - Workstations).

Do you know any security methodology to test the previous criteria? What
tools can I use? Do you have any idea how to test those functionalities?

Thanks for your help.

Hi,

Just some quick thoughts of what's a nice to-do:

1. Get a virii collection, especially worms (they are the most common form of mail viruses).
   Having the "in the wild" collection is also a good start.
   Use a script to test the detection rate of the mail server with AV.
   See what file types are allowed to be attached, and what file types are not. Is there also any sanity-checking done on the SMTP BODY? etc.
   See if the AV can look into archives, and what types of archives.

2. Do the same with the SpamAssassin spam corpus; they have different levels of spam corpora, the "torture test" being the hardest to detect.

One VERY important thing about AV, but especially about anti-spam software, is what happens with blocked messages. Is there a mechanism to check the blocked messages, or not? How well does it work, and how user-friendly is it? How practical is it? Or maybe the messages are black-holed?

Is the AV bouncing back "you got virii" spam messages to innocent/nonexistent senders, or not?

Anti-spam software which blackholes 0.00001% of innocent messages is garbage. It violates the design principles of the Internet and of SMTP itself.

PS: dns-blacklists blackhole 40% of the Internet.

3. All levels of web-based, CGI-based, httpd-based attacks. It depends on the software itself. Is webmail accessible from the intranet only, or is it accessible from the Internet too? How bullet-proof is the user authentication mechanism? Can the password/cookie be intercepted? How? (also VPN? SSL? JS hashes? etc.)

PPS: You can do much more; those are just a few ideas quickly crossing my mind. Hope it helps a bit.

PPPS: Still, in the end you should give them a short idea of whether they are using buggy software on this gateway (with the potential to let intruders in), like sendmail for instance.

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

"It is dangerous to be right when the government is wrong." - Voltaire
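
A small probe script for points 1 and 2 above and for the backscatter question (what the gateway does with blocked mail and whether it bounces to the sender). This is an added example, not code from the original post or from the appliance vendor. It uses the standard EICAR anti-virus test file and the GTUBE anti-spam test string, which every AV and spam filter is expected to flag, instead of a live virus collection, and records how the gateway answers at the SMTP level. The gateway host, port and addresses are assumptions for a lab; the envelope sender is deliberately a nonexistent mailbox on a domain you control, so any "you sent a virus" bounce the gateway generates arrives where you can see it.

```python
"""
Probe an SMTP gateway with the EICAR AV test file (plain and inside a zip)
and the GTUBE spam test string, and record the gateway's SMTP-level answer.
Example code for a lab; GATEWAY, PORT, SENDER and RCPT are assumptions.
"""
import io
import smtplib
import zipfile
from email.message import EmailMessage

# Standard, harmless test strings (68 bytes each) that AV and anti-spam
# products are expected to detect.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

# Assumed lab addresses (hypothetical, not from the original post). The
# sender mailbox does not exist, but its domain is one whose mail you
# receive, so any bounce the gateway generates (backscatter) is observable.
GATEWAY, PORT = "smtp-gateway.lab.example", 25
SENDER = "probe-nonexistent@lab.example"
RCPT = "victim@lab.example"

PROBES = ("clean", "gtube", "eicar-plain", "eicar-zip")


def zip_bytes(name, data):
    """Pack one file into an in-memory zip, to test whether the AV looks inside archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def unzip_first(blob):
    """Return the contents of the first entry of an in-memory zip."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(zf.namelist()[0])


def build_probe(kind, sender=SENDER, rcpt=RCPT):
    """Build one test message; 'kind' selects what the gateway is being tested on."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"gateway probe: {kind}"
    if kind == "clean":
        # Control message: must always get through, or the filter is too aggressive.
        msg.set_content("Control message, nothing suspicious.")
    elif kind == "gtube":
        msg.set_content("Spam-filter probe.\n" + GTUBE + "\n")
    elif kind == "eicar-plain":
        msg.set_content("AV probe, EICAR as a plain attachment.")
        msg.add_attachment(EICAR.encode(), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    elif kind == "eicar-zip":
        msg.set_content("AV probe, EICAR inside a zip archive.")
        msg.add_attachment(zip_bytes("eicar.com", EICAR.encode()),
                           maintype="application", subtype="zip", filename="eicar.zip")
    else:
        raise ValueError(kind)
    return msg


def run_probes(host=GATEWAY, port=PORT, kinds=PROBES):
    """Submit each probe through the gateway and classify the SMTP response."""
    results = {}
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        for kind in kinds:
            try:
                smtp.send_message(build_probe(kind))
                # 250 after DATA: accepted. The gateway may still quarantine or
                # silently drop it, so also check RCPT's mailbox and SENDER's
                # mailbox (for a bounce) after the run.
                results[kind] = "accepted"
            except smtplib.SMTPRecipientsRefused as e:
                results[kind] = f"rejected at RCPT: {e.recipients}"
            except smtplib.SMTPDataError as e:
                results[kind] = f"rejected at DATA: {e.smtp_code} {e.smtp_error!r}"
            except smtplib.SMTPResponseException as e:
                results[kind] = f"rejected: {e.smtp_code} {e.smtp_error!r}"
    return results


if __name__ == "__main__":
    for kind, outcome in run_probes().items():
        print(f"{kind:12s} {outcome}")
```

Reading the results: "clean" must be accepted and delivered. For the EICAR and GTUBE probes, a 5xx at DATA is the cleanest outcome (the sending MTA tells its own user, and no bounce is ever generated); "accepted" followed by quarantine is fine only if the quarantine is reviewable, which is the point raised above; "accepted" and delivered is a miss; and "accepted" followed by a notification arriving in the nonexistent SENDER mailbox is exactly the backscatter the post warns about. Comparing "eicar-plain" with "eicar-zip" shows whether the AV looks inside archives.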

