SMTP Information gathering

Similar documents

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

An overview of IT Security Forensics

. MIME is the protocol that was devised to allow non-ascii encoded content in an and attached files to an .

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

CipherMail Gateway Quick Setup Guide

Tracing IP Addresses Through the Internet

Telematics. 13th Tutorial - Application Layer Protocols

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

Serial Deployment Quick Start Guide

, SNMP, Securing the Web: SSL

Djigzo encryption. Djigzo white paper

Using WinGate 6 . Concepts, Features, and Configurations.

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

DJIGZO ENCRYPTION. Djigzo white paper

Libra Esva. Whitepaper. Glossary. How Really Works. Security Virtual Appliance. May, It's So Simple...or Is It?

A D M I N I S T R A T O R V 1. 0

Table of Contents. Electronic mail. History of (2) History of (1) history. Basic concepts. Aka (or according to Knuth)

Mail agents. Introduction to Internet Mail. Message format (2) Authenticating senders

Load Balancing Exchange 2007 SP1 Hub Transport Servers using Windows Network Load Balancing Technology

sendmail Cookbook Craig Hunt O'REILLY' Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

PineApp Archive-Secure Quick Installation Guide:

Celframe - Easy Linux - Lesson 8 - Server

Networking Applications

Management CSCU9B2 CSCU9B2 1

CIPHERMAIL ENCRYPTION. CipherMail white paper

Exchange 2007/2010 Journaling for Cryoserver

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

F-Secure Internet Gatekeeper

PrivaSphere Gateway Certificate Authority (GW CA)

Ciphire Mail. Abstract

Filtering Mail with Milter. David F. Skoll Roaring Penguin Software Inc.

How To Write An On A Linux Computer (No Mail) (No ) (For Ahem) (Or Ahem, For Ahem). (For An ) Or Ahem.Org) (Ahem) Or An

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

POP3 Connector for Exchange - Configuration

Internet Security [1] VU Engin Kirda

Network Services. SMTP, Internet Message Format. Johann Oberleitner SS 2006

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

ORF ENTERPRISE EDITION 1. Installation Guide FOR ORF ENTERPRISE EDITION 4.4

Journaling Guide for Archive for Exchange 2007

Math SMTP Server Configuration

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Migration Project Plan for Cisco Cloud Security

Internet Technology 2/13/2013

SECURING INFORMATION SYSTEMS

Service Overview & Installation Guide

QMAIL & SMTP: A Secure Application for an Unsecure Protocol. Orr Dunkelman. orrd@vipe.technion.ac.il. January 27, 2004 SMTP and QMAIL Slide 1

Astaro Mail Archiving Getting Started Guide

PureMessage for Microsoft Exchange Help. Product version: 4.0

Configuring Outlook to send mail via your Exchange mailbox using an alternative address

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Guardian Digital Secure Mail Suite Quick Start Guide

Ciphermail Gateway Administration Guide

1 Accessing accounts on the Axxess Mail Server

Security and privacy in public WLAN networks

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

CS43: Computer Networks . Kevin Webb Swarthmore College September 24, 2015

Domain Name System (DNS)

Simple Mail Transfer Protocol

Versions Addressed: Microsoft Exchange 2003 Document Updated: March 25, 2015 Co nfidential Copyright 2015 Smarsh, Inc. All rights reserved.

Solution Brief FortiMail for Service Providers. Nathalie Rivat

Cannot send Autosupport , error message: Unknown User

Linux Network Administration

Installing GFI FAXmaker version 12

Migration Quick Reference Guide for Administrators

Electronic Mail

How To Archive A Mail From A Mailbox On A Server On A Password Protected (Smtp) On A Pc Or Mac (Mailbox) On An Ipa (For A Password Saf ) On Your Pc Or Ipa On A Mac

MailStore Server 5.0 Documentation

Transferring Your Internet Services

Ciphermail for BlackBerry Reference Guide

Funkwerk UTM Release Notes (english)

Secured Mail through PGP Mail Gateway

Evolution of the WWW. Communication in the WWW. WWW, HTML, URL and HTTP. HTTP Abstract Message Format. The Client/Server model is used:

Marketing Glossary of Terms

XGENPLUS SECURITY FEATURES...

Network Fundamentals Carnegie Mellon University

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Ciphermail for BlackBerry Quick Start Guide

My FreeScan Vulnerabilities Report

MS Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

BorderWare Firewall Server 7.1. Release Notes

CS 164 Winter 2009 Term Project Writing an SMTP server and an SMTP client (Receiver-SMTP and Sender-SMTP) Due & Demo Date (Friday, March 13th)

Setup Local Mail Server Using Postfix, Dovecot And Squirrelmail On CentOS 6.5/6.4

Message-IDs helpful for forensic analysis?

MS Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

You may use port 587 if port 25 is blocked by your internet provider. This does not apply to customers using PolarComm internet.

IronPort Authentication

Transcription:

Lluis Mora, Neutralbit llmora@neutralbit.com Black Hat Europe Amsterdam, NL // March 2007 securityinnovation

Introduction E-mail is present in nearly every organization We all understand how it works How envelope and headers work How it can be spoofed How it can be read in transit What a message looks like What to say and what to keep to ourselves But what does a message tell about its sender?

SMTP Control information What makes SMTP messages so interesting? Control information is embedded in the message Some headers are mandatory, others can be stripped All of them usually end up stored in the mailbox Mailing list archives Public logs of our communications Stored over the years The ultimate SMTP information gatherer source!

SMTP Network mapping Received headers: an advanced record route Probably the most well-known information gathering aspect of SMTP Mandatory, per RFC2821: each node adds its header, no one touches the headers Used to prevent mail loops and debug delivery Strip with caution

SMTP Network mapping (II) Each relay adds IP address of sending gateway FQDN of receiving server Transfer protocol MTA server software Timestamp, including time zone Received: from relay.example.com (201.20.51.192) by neutralbit.com (Postfix) with ESMTP id 35B83500EC for <llmora@neutralbit.com>; Mon, 15 May 2006 20:26:52 +0000 (UTC)

SMTP Network mapping (III) Not a traceroute SMTP path, not at the IP level but has its own advantages Allows us to peek behind NAT and firewalls Point-to-point relaying It is initiated by the victim, part of the communication Not rocket science Everybody knows about them, but are we conscious of what they tell about us?

SMTP Network mapping (IV) Corporate IP subnetting Received header addresses are not translated Internal IP addressing scheme Type of connection to the internet Received: from smtp.example.com (6.Net-45-12-192.dynamicIP.example.net [192.12.45.6]) by mail.example.org (Postfix) with ESMTP id 0AB0E147B1 Received: from smtp.example.com (smtp.example.com [172.18.5.21]) by mx1.example.com (8.11.6/8.11.6) with ESMTP id i82sokwis; Received: from vaio (172.16.1.100) by smtp.example.com (Postfix) with ESMTP id i82shwk;

SMTP Network mapping (V) Corporate Internet access policies Centralized Internet access? Each location has a public connection? Received: from mx1.uk.example.com ([195.166.192.8]) by vger.kernel.org From: John Doe <jdoe@uk.example.com> Received: from smtp.de.example.com ([32.1.120.11]) by vger.kernel.org From: Pam Plinas <pplinas@de.example.com>

SMTP Network mapping (VI) Server fingerprinting Software and versions Location based on time zones Received: from mx2.example.mil [192.18.1.12] by gatekeeper with POP3 (fetchmail-6.3.0) for <jdoe@example.com> (single-drop); Mon, 02 Jan 2006 14:43:41-0800 (PST) Received: from mx1.example.mil ([192.168.1.2]) by mx2.example.mil with Microsoft SMTPSVC(6.0.3790.211); Tue, 3 Jan 2006 07:44:01 +0900

SMTP Network mapping (VI) Relay link information SMTP Link encryption Received: from lappy (192.168.1.4) by pub.example.net (qmail) with ESMTP ID MG0007DA (SSL/TLS, 3DES, CBC mode, keysize 192 bits) ; 8 Sep 2006 16:40:03 +0200 Received: from [24.26.7.196] (ilm.example.com [24.26.7.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested)

SMTP Network mapping (VII) Graphic representation of SMTP paths Definitively flashier than staring at logs Parsing of Received headers is challenging Absorb more information at once One image A few examples Data extracted from Linux kernel mailing list Around 3 months in early 2006

SMTP Network mapping (VIII) spot the telecommuters

SMTP Network mapping (VII) target selection?

SMTP Network mapping (IX) where is wally?

Client fingerprinting Based on a different set of headers User-Agent X-Mailer X-MIME-OLE Excellent level of details Down to the patch level Not used for anything else

Client fingerprinting (II) X-Mailer: Microsoft Office Outlook, Build 11.0.5510 User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) X-Mailer: ColdFusion MX Application Server X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 X-Mailer: Evolution 2.2.3 (2.2.3-4.fc4) X-Mailer: iplanet Messenger Express 5.2 Patch 2 (built Jul 14 2004) X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001 User-Agent: SquirrelMail/1.4.3a User-Agent: Wanderlust/2.12.0 (Your Wildest Dreams) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 APEL/10.6 MULE XEmacs/21.5 (beta21) (corn) (+CVS-20050720) (i386-suse-linux)

Client application usage Long term analysis If we get access to a long stretch of messages Plot client mailers over time then add mailer release dates

Client application usage (II) Organization trend analysis With enough e-mails, we can find out details about the organization policies Patching policies Application usage Security gaps Policy exceptions maybe not just for SMTP servers?

Usage trends Other interesting facts can be guessed Same e-mail address + alternating mailers + multiple IP addresses multiple locations (home / work?) Same e-mail address + same mailer + multiple IP addresses take the laptop home Various e-mail domains + same mailer + same IP address non-corporate mail at work Changing Date time zones user on the go?

Other interesting headers Indirect sources of information Implementation differences Ordering of headers Quoted replies Custom X-Headers X-Originating-IP, etc. Antivirus / Antispam Subject: Re: [RELEASE 4] Testing patch #49192 Date: Tue, 21 Feb 2006 10:21:14 +0100 X-Originating-IP: 10.2.1.122 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-1 X-Spam-Status: No, score=-1.4 required=2.0 Message contents User data Encoding data

Other interesting headers (II) Indirect sources of information Encoded data in unsuspecting headers Message-ID: <Pine.LNX.4.21.0611280421440.26304-100000@example.org> Message-ID: <1103.203.41.53.196.1128283359.squirrel@mail.example.com> Message-ID: <11363603.1154544476739.JavaMail.root@as.example.net> Content-Type: multipart/mixed; boundary=apple-mail-1 944594902

Conclusions Strip unneeded information at border gateways whenever possible Find out what has already leaked and fix it Analysis relies on client provided data, handle with care

Thank you! Lluis Mora llmora@neutralbit.com World Trade Center - Edificio Sur, 2ª Planta, Moll de Barcelona, Barcelona, E-08039 Spain T: +34 933 443 224 - F: +34 933 443 299 info@neutralbit.com http://