Re: [PEN-TEST] eMail auditing problem
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 12:31:48 -0500
This can happen a lot of different ways. There are hacks to the
sendmail.cf file that can do all sorts of fun stuff... like archive
all outgoing mail to a file... an attacker may be able to have this
file transferred to him within cron or something, or maybe he/she
has access to the server and can just telnet in and read it...
Dsniff, by dugsong: contains a WONDERFUL e-mail sniffer that places
all e-mail it sees in mbox format. This could run on the e-mail
server itself, or directly in its path, at the ISP, or whatnot.
DSniff's "mailsnarf" program can be fed a RegExp to capture only
mail containing a pattern/string match... Carnivore, anyone?
A simple sniffer could just log all port 25, 110, and 143 traffic
to a file... this could be placed in the same locations as dsniff.
The first method is the only one that would mean they've been
hacked (unless a legitimate admin is performing this unscrupulous
act)... Look for sniffers and mail archives on the local system
to see if it's being stored locally or being sent off somewhere
else to someone. That's about the only checking you can do.
Maybe check the validity of sendmail.cf from a known "clean" state.
Network Security Engineer
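As an added illustration (not code from either poster in this thread) of the two checks the reply recommends, the script below verifies sendmail.cf against a recorded known-clean hash, prints what changed versus a clean copy, and lists interfaces left in promiscuous mode by a packet sniffer. The paths (/etc/mail/sendmail.cf, the baseline hash file, /sys/class/net) are assumptions to adjust for the host being audited.

```shell
#!/bin/sh
# Added example, not from the original thread. Defender-side checks that
# follow the reply's advice: compare sendmail.cf with a known-clean state
# and look for interfaces put into promiscuous mode by a sniffer.
# Paths below are assumptions; adjust them for the system being audited.

set -u

SENDMAIL_CF="${SENDMAIL_CF:-/etc/mail/sendmail.cf}"          # assumed path
BASELINE="${BASELINE:-/var/lib/audit/sendmail.cf.sha256}"    # assumed path

# SHA-256 of a file, portable across GNU sha256sum and BSD/macOS shasum.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record the hash of a file you have verified clean; run this once, on a
# trusted copy, before the system goes into service.
record_baseline() {   # record_baseline FILE BASELINE_HASH_FILE
    file_hash "$1" > "$2"
}

# Compare the live file with the recorded hash.
# Returns 0 if unchanged, 1 if modified, 2 if no baseline was recorded.
check_baseline() {    # check_baseline FILE BASELINE_HASH_FILE
    [ -f "$2" ] || return 2
    [ "$(file_hash "$1")" = "$(cat "$2")" ]
}

# Show exactly which lines differ between a clean copy and the live config,
# so an added mailer or archiving rule is visible rather than just a hash mismatch.
show_cf_changes() {   # show_cf_changes LIVE_FILE CLEAN_COPY
    diff -u "$2" "$1"
}

# List interfaces whose IFF_PROMISC flag (0x100) is set, read from the
# per-interface "flags" file under /sys/class/net. The directory is a
# parameter so the check can be exercised against a constructed tree.
promisc_interfaces() {  # promisc_interfaces [SYSFS_NET_DIR]
    dir="${1:-/sys/class/net}"
    for f in "$dir"/*/flags; do
        [ -f "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# One-off audit run, enabled only when RUN_AUDIT=1 so the functions above
# can also be sourced by other scripts without side effects.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    if check_baseline "$SENDMAIL_CF" "$BASELINE"; then
        echo "sendmail.cf matches recorded baseline"
    else
        echo "WARNING: sendmail.cf differs from baseline (or no baseline recorded)"
    fi
    p=$(promisc_interfaces)
    [ -n "$p" ] && echo "WARNING: interfaces in promiscuous mode: $p"
fi
```

Run it once with RUN_AUDIT=1 after recording a baseline from a trusted copy of the config. A hash mismatch only tells you the file changed; pair it with show_cf_changes against a clean copy kept off the box, since an attacker with root can rewrite a baseline stored on the same host. The promiscuous-mode check catches a sniffer running on the server itself, not one sitting upstream at the ISP, which is the other placement the reply mentions.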
From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
Sent: Wednesday, September 13, 2000 7:17 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: eMail auditing problem
As I'm new to the security scene I have to ask you a question:
I've heard from a customer that he believes that all of his outgoing mail
is read by someone using an email sniffer! My
question now is: does that have to be server-side? I mean, can anyone use this
email sniffer, or has he or she already hacked the
outgoing mail server?
How is this to be done?
How would you do that?
Thanx in advance,
Hostmaster / Security