1 Lluis Mora, Neutralbit Black Hat Europe Amsterdam, NL // March 2007 securityinnovation
2 Introduction is present in nearly every organization We all understand how it works How envelope and headers work How it can be spoofed How it can be read in transit What a message looks like What to say and what to keep to ourselves But what does a message tell about its sender?
3 SMTP Control information What makes SMTP messages so interesting? Control information is embedded in the message Some headers are mandatory, others can be stripped All of them usually end up stored in the mailbox Mailing list archives Public logs of our communications Stored over the years The ultimate SMTP information gatherer source!
4 SMTP Network mapping Received headers: an advanced record route Probably the most well-known information gathering aspect of SMTP Mandatory, per RFC2821: each node adds its header, no one touches the headers Used to prevent mail loops and debug delivery Strip with caution
5 SMTP Network mapping (II) Each relay adds IP address of sending gateway FQDN of receiving server Transfer protocol MTA server software Timestamp, including time zone Received: from relay.example.com ( ) by neutralbit.com (Postfix) with ESMTP id 35B83500EC for Mon, 15 May :26: (UTC)
6 SMTP Network mapping (III) Not a traceroute SMTP path, not at the IP level but has its own advantages Allows us to peek behind NAT and firewalls Point-to-point relaying It is initiated by the victim, part of the communication Not rocket science Everybody knows about them, but are we conscious of what they tell about us?
7 SMTP Network mapping (IV) Corporate IP subnetting Received header addresses are not translated Internal IP addressing scheme Type of connection to the internet Received: from smtp.example.com (6.Net dynamicIP.example.net [ ]) by mail.example.org (Postfix) with ESMTP id 0AB0E147B1 Received: from smtp.example.com (smtp.example.com [ ]) by mx1.example.com (8.11.6/8.11.6) with ESMTP id i82sokwis; Received: from vaio ( ) by smtp.example.com (Postfix) with ESMTP id i82shwk;
8 SMTP Network mapping (V) Corporate Internet access policies Centralized Internet access? Each location has a public connection? Received: from mx1.uk.example.com ([ ]) by vger.kernel.org From: John Doe Received: from smtp.de.example.com ([ ]) by vger.kernel.org From: Pam Plinas
9 SMTP Network mapping (VI) Server fingerprinting Software and versions Location based on time zones Received: from mx2.example.mil [ ] by gatekeeper with POP3 (fetchmail-6.3.0) for (single-drop); Mon, 02 Jan :43: (PST) Received: from mx1.example.mil ([ ]) by mx2.example.mil with Microsoft SMTPSVC( ); Tue, 3 Jan :44:
10 SMTP Network mapping (VI) Relay link information SMTP Link encryption Received: from lappy ( ) by pub.example.net (qmail) with ESMTP ID MG0007DA (SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 8 Sep :40: Received: from [ ] (ilm.example.com [ ]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested)
11 SMTP Network mapping (VII) Graphic representation of SMTP paths Definitively flashier than staring at logs Parsing of Received headers is challenging Absorb more information at once One image A few examples Data extracted from Linux kernel mailing list Around 3 months in early 2006
12 SMTP Network mapping (VIII) spot the telecommuters
13 SMTP Network mapping (VII) target selection?
14 SMTP Network mapping (IX) where is wally?
15 Client fingerprinting Based on a different set of headers User-Agent X-Mailer X-MIME-OLE Excellent level of details Down to the patch level Not used for anything else
16 Client fingerprinting (II) X-Mailer: Microsoft Office Outlook, Build User-Agent: Thunderbird (Windows/ ) X-Mailer: ColdFusion MX Application Server X-MimeOLE: Produced By Microsoft MimeOLE V X-Mailer: Evolution ( fc4) X-Mailer: iplanet Messenger Express 5.2 Patch 2 (built Jul ) X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001 User-Agent: SquirrelMail/1.4.3a User-Agent: Wanderlust/ (Your Wildest Dreams) SEMI/ (Maruoka) FLIM/ APEL/10.6 MULE XEmacs/21.5 (beta21) (corn) (+CVS ) (i386-suse-linux)
17 Client application usage Long term analysis If we get access to a long stretch of messages Plot client mailers over time then add mailer release dates
18 Client application usage (II) Organization trend analysis With enough s, we can find out details about the organization policies Patching policies Application usage Security gaps Policy exceptions maybe not just for SMTP servers?
19 Usage trends Other interesting facts can be guessed Same address + alternating mailers + multiple IP addresses multiple locations (home / work?) Same address + same mailer + multiple IP addresses take the laptop home Various domains + same mailer + same IP address non-corporate mail at work Changing Date time zones user on the go?
20 Other interesting headers Indirect sources of information Implementation differences Ordering of headers Quoted replies Custom X-Headers X-Originating-IP, etc. Antivirus / Antispam Subject: Re: [RELEASE 4] Testing patch #49192 Date: Tue, 21 Feb :21: X-Originating-IP: X-Virus-Scanned: by amavisd-new p10 (Debian) X-Spam-Checker-Version: SpamAssassin ( X-Spam-Status: No, score=-1.4 required=2.0 Message contents User data Encoding data
21 Other interesting headers (II) Indirect sources of information Encoded data in unsuspecting headers Message-ID: Message-ID: Message-ID: Content-Type: multipart/mixed; boundary=appl
22 Conclusions Strip unneeded information at border gateways whenever possible Find out what has already leaked and fix it Analysis relies on client provided data, handle with care
23 Thank you! Lluis Mora World Trade Center - Edificio Sur, 2ª Planta, Moll de Barcelona, Barcelona, E Spain T: F:
CIPHERMAIL EMAIL ENCRYPTION Ciphermail Gateway Administration Guide September 23, 2014, Rev: 9112 Copyright 2008-2014, ciphermail.com. Acknowledgements: Thanks goes out to Andreas Hödle for feedback. CONTENTS
IceWarp Unified Communications Reference Version 11.1 Published on 11/4/2014 Contents... 4 About... 5 The Big Picture... 7 Reference... 8 General... 8 Dial Plan... 9 Dial Plan Examples... 12 Devices...
Manual POLICY PATROL EMAIL MAIL SECURITY MANUAL Policy Patrol Email Mail Security This manual, and the software described in this manual, are copyrighted. No part of this manual or the described software
Symantec Encryption Management Server Administrator's Guide 3.3 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Solving the Firewall/NAT Traversal Issue of SIP: Who Should Control Your Security Infrastructure? Ingate Systems www.ingate.com 1 1 Executive Summary...3 2 SIP, NATs and Enterprise Firewalls...4 3 Methods
Tivoli Management Framework Firewall Security Toolbox User s Guide Version 1.3 GC23-4826-00 Tivoli Management Framework Firewall Security Toolbox User s Guide Version 1.3 GC23-4826-00 Note Before using
Guidance for using the East Sussex County Council Secure Email system ESCC February 2010 Using the ESCC SecureMail system The ESCC SecureMail system is an email system that provides a high level of security
The Definitive IP PBX Guide Understand what an IP PBX or Hosted VoIP solution can do for your organization and discover the issues that warrant consideration during your decision making process. This comprehensive
TELSTRA CLOUD SERVICES CLOUD INFRASTRUCTURE PRICING GUIDE AUSTRALIA WELCOME TO TELSTRA CLOUD SERVICES Our cloud infrastructure solutions are made up of a combination of scalable cloud resources, including
DocuFire for Windows User Manual Version: 5.20 Date: February 19, 2010 Web: http://www.docufire.com TABLE OF CONTENTS Introduction to DocuFire for Windows... 4 Contacting Technical Support... 4 Getting
IceWarp Unified Communications VoIP Service Reference Version 10.4 Printed on 13 April, 2012 Contents VoIP Service 1 Introduction... 1 The Big Picture... 4 Reference... 5 General... 5 Dial Plan... 7 Dial
The Claws Mail Team (http://www.claws-mail.org/) Copyright 2006-2014 The Claws Mail Team. 1. Introduction 1.1. What is Claws Mail? Claws Mail is an email client aiming at being fast, easy-to-use and powerful.
Special Publication 800-41 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology John Wack, Ken Cutler, Jamie Pole NIST Special Publication 800-41
IceWarp Unified Communications IceWarp Outlook Sync User Guide Version 10.5 Printed on 20 December, 2012 Contents IceWarp Outlook Sync User Guide 1 Installation... 2 Installation Pre-requisites... 3 Installation
GHz 2.4 802.11g WIRELESS Wireless-G ADSL Gateway with 2 Phone Ports User Guide Model No. WAG54GP2 Copyright and Trademarks Specifications are subject to change without notice. Linksys is a registered trademark
The official Manual This manual was written and published by ppedv AG. The containing information can be changed anytime. The names and values used in the examples are mostly fictive. Without agreement
Diafaan SMS Server 3.0 Manual 2 Diafaan SMS Server 3.0 Manual Table of Contents Part I Welcome to Diafaan SMS Server 5 Part II Getting started 7 1 Gateways... and connectors 10 2 Add a... gateway 12 Add
WHITE PAPER Network Security: A Simple Guide to Firewalls CONTENTS Why a Firewall Am I Really at Risk?................... 1 What Is a Firewall?......... 2 Types of Attack............ 2 Firewall Technologies........
Ralf Hildebrandt c 2007 state-of-mind LISA 07 Dallas, November 2007 Methods Which methods are available? In order to prevent spam from reaching the users mailboxes there are basically four methods: syntactic
Kerio Connect Administrator s Guide Kerio Technologies 2011 Kerio Technologies s.r.o. All rights reserved. This guide provides detailed description on Kerio Connect, version 7.2. All additional modifications
39 Anti Spam Best Practices Anti Spam Engine: Time-Tested Scanning An IceWarp White Paper October 2008 www.icewarp.com 40 Background The proliferation of spam will increase. That is a fact. Secure Computing
Web Portal User Guide Version 6.0 2013 Pitney Bowes Software Inc. All rights reserved. This document may contain confidential and proprietary information belonging to Pitney Bowes Inc. and/or its subsidiaries