Fw: Improving mail relay checks (was: "Nessus calls home")

From: Noam Rathaus (noamrat_private)
Date: Wed May 08 2002 - 10:28:09 PDT

  • Next message: Michael Scheidell: "Re: your mail"

    Hi,
    
    
    Since the previous email bounced, I am resending it, sorry.
    
    ---
    Hi,
    
    I can do either of the two:
    1) Give me the script, I will provide you with NASL (Learning curve,
    non-existing)
    2) Show everyone the script, I will give you pointers how to write the NASL,
    give a small example for you to start from, and we will write it "together"
    (Learning curve, high).
    
    I would prefer 2 (Even though I know it will take longer, because I will be
    more happy to see others become able to utilize the good interface provided
    by NASL to write plugins, and see a less centralized writing plugins).
    
     Thanks
    Noam Rathaus
    http://www.BeyondSecurity.com
    http://www.SecuriTeam.com
    
    >
    > ----- Original Message -----
    > From: "Hugo van der Kooij" <hvdkooijat_private>
    > To: <nessusat_private>
    > Sent: Wednesday, May 08, 2002 17:18
    > Subject: Improving mail relay checks (was: "Nessus calls home")
    >
    >
    > > On Wed, 8 May 2002, Renaud Deraison wrote:
    > >
    > > > 1. SMTP checks
    > > >
    > > > Several SMTP checks send an email coming from are going to
    > > > nessusat_private (also test_1at_private and test_2at_private).
    These
    > > > checks are mostly used for bounce or old sendmail attacks. With these
    > > > checks, the expected behavior of the MTA is either to send a 50x error
    > > > code or to fail to the attack. Under some rare circumstances however,
    > > > the mail may be bounced back to nessusat_private, which is a
    > > > non-existing mailbox on mail.nessus.org. So if I were to spy on my
    > > > users, one could imagine I'd grep "nessusat_private" in
    > > > /var/log/maillog and see who's using Nessus. I don't do that, but I
    > > > admit it could be done.
    > > >
    > > > Why do I use "nessusat_private" ? Well, for the relay checks, it
    > > > sounded good to use a really existing mail domain, so that half smart
    > > > mailer which do some DNS checks on email address would not reject the
    > > > mail for the sole reason the email domain is not valid. I was
    suggested
    > > > to use example.com, but there's no MX for that domain, so I don't like
    > > > it.
    > >
    > > I have a simple script that requires 2 parameters. The IP address of the
    > > mailserver to test and a domain name that is present on that server. It
    > > uses a fixed but changeable sender address that is defined in the
    > > beginning of the script.
    > >
    > > It does test 21 mail relay variants and exceeds the present options
    > > available in nessus. I would welcome to work with someone familiar with
    > > nasl to create a better script to test all of these.
    > >
    > > This script will however not be able to verify everything. Some server
    do
    > > not report an error on the SMTP session but will not forward the
    message.
    > > So the only way to be sure is to verify that none of the 21 messages are
    > > arriving at the end address.
    > >
    > > Hugo.
    > >
    > > --
    > > All email send to me is bound to the rules described on my homepage.
    > >     hvdkooijat_private http://hvdkooij.xs4all.nl/
    > >     Don't meddle in the affairs of sysadmins,
    > >     for they are subtle and quick to anger.
    > >
    > >
    >
    



    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 09:36:37 PDT