[fw-wiz] MS Entourage (on OS X) sends information about internal network

From: John Adams (jna+dated+1086561290.e25d7d_at_retina.net)
Date: 06/02/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] MS Entourage (on OS X) sends information about internal network"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 1 Jun 2004 15:34:32 -0700 (PDT)

    Here's some tcpdump output from our network:

    15:15:37.414183 tione.xxxxxxxxxx.com.smtp > xx.xxx.207.194.45323: P
    [tcp sum ok] 1:93(92) ack 1 win 5792 <nop,nop,timestamp 271042 3607425246>
    (DF) (ttl 64, id 9803, len 144)
    0x0000 4500 0090 264b 4000 4006 4e36 d1ed e46a E...&K@.@.N6...j
    0x0010 3fcc cfc2 0019 b10b 8cac 048a c4e3 2986 ?.............).
    0x0020 8018 16a0 49ea 0000 0101 080a 0004 22c2 ....I.........".
    0x0030 d704 f0de 3232 3020 7469 6f6e 652e 7468 ....220.tione.xx
    0x0040 6569 6e74 6572 7365 6374 696f 6e2e 636f xxxxxxxxxxxxx.co
    0x0050 6d20 4553 4d54 5020 5365 6e64 6d61 696c m.ESMTP.Sendmail
    0x0060 2038 2e31 322e 382f 382e 3132 2e38 3b20 .8.12.8/8.12.8;.
    0x0070 5475 652c 2031 204a 756e 2032 3030 3420 Tue,.1.Jun.2004.
    0x0080 3135 3a31 353a 3337 202d 3034 3030 0d0a 15:15:37.-0400..

    15:15:37.430821 xx.xxx.207.194.45323 > tione.xxxxxxxxxx.com.smtp: P
    [tcp sum ok] 1:19(18) ack 93 win 65535 <nop,nop,timestamp 3607425246
    271042> (DF) (ttl 48, id 708, len 70)
    0x0000 4500 0046 02c4 4000 3006 8207 3fcc cfc2 E..F..@.0...?...
    0x0010 d1ed e46a b10b 0019 c4e3 2986 8cac 04e6 ...j......).....
    0x0020 8018 ffff e6d1 0000 0101 080a d704 f0de ................
    0x0030 0004 22c2 4548 4c4f 205b 3130 2e32 2e31 ..".EHLO.[10.2.1
    0x0040 2e32 335d 0d0a .23]..

    I assume that with enough time it'd be possible to map the internal
    networks of external users if you run a busy MTA - this is more of an
    information leak issue than anything else.

    I don't know of too many firewalls that block outbound EHLO data -- does
    anyone know of an FW that can block this type of leak?


    J. Adams					http://www.retina.net/~jna
    firewall-wizards mailing list
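Added example, not part of the original post: a Python sketch of the check an outbound SMTP proxy or log audit would need to catch the `EHLO [10.2.1.23]` greeting in the capture above, and to rewrite it before it leaves the network. The function names, the list of internal ranges and the replacement name `client.invalid` are assumptions for illustration. It only works where the command stream is visible in cleartext, so a greeting repeated after STARTTLS is out of reach.

```python
import ipaddress
import re

# EHLO/HELO whose argument is an address literal: [10.2.1.23] or [IPv6:fd00::1]
_GREETING = re.compile(
    rb"^(EHLO|HELO)[ \t]+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\][ \t]*\r?\n?$",
    re.IGNORECASE,
)

# Ranges treated as internal here (assumption): RFC 1918, link-local, IPv6 ULA.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def leaked_address(line: bytes):
    """Return the internal address a client greeting discloses, or None."""
    m = _GREETING.match(line)
    if not m:
        return None  # not a greeting, or greeting uses a host name
    try:
        addr = ipaddress.ip_address(m.group(2).decode("ascii"))
    except ValueError:
        return None  # malformed literal: nothing reliable to report
    for net in _INTERNAL:
        if addr.version == net.version and addr in net:
            return addr
    return None


def scrub_greeting(line: bytes, public_name: bytes) -> bytes:
    """Rewrite a leaking greeting to public_name; pass other lines through."""
    if leaked_address(line) is None:
        return line
    verb = line.split(None, 1)[0]  # keep the client's EHLO or HELO verb
    return verb + b" " + public_name + b"\r\n"


if __name__ == "__main__":
    # Constructed client lines; the first matches the capture in the post.
    for raw in (b"EHLO [10.2.1.23]\r\n", b"EHLO mail.example.org\r\n"):
        print(raw, "->", scrub_greeting(raw, b"client.invalid"))
```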
