The banner you see is actually a PIX firewall wrapping the SMTP connection. The goal is to enable only a specific set of commands, thereby protecting the SMTP daemon from any information gathering attacks. There is a bug in some releases which don't accurately maintain the "state" of the SMTP connection and allow for arbitrary commands to be sent to the backend server. You do this by specifying a DATA command before the RCPT TO, followed immediately by the command you want to send. So to fingerprint the backend service, you would send something like this:

telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220*********************************************0************200**************
HELO
250 somehost Ok
MAIL FROM: userat_private
250 Ok
DATA
503 No recipients: need RCPT
HELP
214-Commands:
214- HELO MAIL RCPT DATA RSET
214- NOOP QUIT HELP VRFY ETRN
214- XEXCH50 STARTTLS AUTH
214 End of HELP info
354 Enter mail, end with "." on a line by itself

Without that initial "DATA", the HELP command would return an "invalid command" or similar response... The HELP output above would identify this as an Exchange 5.x Internet Mail Service. More information about this bug in particular can be found here:

http://online.securityfocus.com/bid/3365

-HD

On Wednesday 03 July 2002 12:27, Marco van Berkum wrote:
> Can anyone tell me what mailserver this is ?
> It's running on a Novell machine (hostname has been changed)
>
> ws# telnet xxx.xxx.xxx.xxx 25
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
> 220
> *********************************************0************200**************
>******* helo
> 250 somehost Ok
> mail from: marcoat_private
> 250 Ok
> rcpt to: user@somehost
> 250 Ok
> data
> 354 Enter mail, end with "." on a line by itself
> test
> .
> 250 Ok
> quit
> 221 somehost Closing transmission channel
> Connection closed by foreign host.
This archive was generated by hypermail 2b30 : Wed Jul 03 2002 - 20:00:06 PDT
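
The state-tracking flaw described in the post above, modelled as an added example (not part of the original post and not the firewall's own code): it compares a command filter that enters pass-through mode on the client's DATA with one that waits for the backend's 354 reply. The allowlist, the function name and both sample sessions are assumptions constructed for illustration.

```python
# Added illustration; ALLOWED, leaked() and both sessions are constructed, not vendor code.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed allowlist

# (client line, reply code the backend gives if the line reaches it; None = no reply)
POST_SESSION = [            # shaped like the transcript in the post
    ("HELO", 250),
    ("MAIL FROM: <user@example.test>", 250),
    ("DATA", 503),          # backend refuses: no recipients yet
    ("HELP", 214),          # backend is still parsing commands
]
NORMAL_SESSION = [          # shaped like the quoted session
    ("HELO", 250),
    ("MAIL FROM: <user@example.test>", 250),
    ("RCPT TO: <user@somehost>", 250),
    ("DATA", 354),
    ("HELP", None),         # body text that happens to look like a command
    (".", 250),
    ("QUIT", 221),
]


def leaked(session, reply_aware):
    """Return non-allowlisted lines that the backend parses as commands.

    reply_aware=False: filter enters pass-through on the client's DATA.
    reply_aware=True:  filter enters pass-through only on a 354 reply.
    """
    leaks, filter_data, backend_data = [], False, False
    for line, reply in session:
        verb = line.split(" ", 1)[0].upper()
        if not filter_data and verb not in ALLOWED:
            continue                      # dropped by the filter
        # From here on the line has been forwarded to the backend.
        if backend_data:
            backend_data = line != "."    # body text; "." ends it
        elif verb not in ALLOWED:
            leaks.append(line)            # backend treated it as a command
        elif verb == "DATA" and reply == 354:
            backend_data = True
        if filter_data:
            filter_data = line != "."
        elif verb == "DATA" and (reply == 354 or not reply_aware):
            filter_data = True
    return leaks


if __name__ == "__main__":
    for aware in (False, True):
        print("reply_aware =", aware, "->", leaked(POST_SESSION, aware))
```

Keying the filter's state on the backend's reply keeps the two ends in step, and body text that merely looks like a command is not reported in either mode.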