Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] eMail auditing problem
From: pete <pete () POPTEL NET>
Date: Thu, 14 Sep 2000 10:48:20 +0100

----- Original Message -----
From: "Erik Tayler" <nine () 14x net>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: 13 September 2000 21:56
Subject: Re: [PEN-TEST] eMail auditing problem


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to clarify (and try not to seem picky), the sniffer
doesn't need
to reside "between the source of the email and the
destination". It
can reside on the server sending mail, or the server receiving
mail,
as well as anything in-between. Just seemed like something was
left
out.
Indeed and further, it doesn't need to reside on the path that's
reported by traceroute. Even without considering traceroute's
inability to show anything more than a route used at that moment
(and may not even be internally consistent if the route changes
during the traceroute itself), look at tunnelx (IOS Transparent
reroute and capture) in phrack 56 article 10
(http://www.phrack.com/search.phtml?view&article=p56-10) if you
want to get really paranoid.

However, I would first ask your customer what reason he has for
thinking his mail is being sniffed. In my experience some people
tend to blame any information leakage or weirdness on hacking.

IMHO, YMMV, just my 1/2d etc.
pete


Erik Tayler
http://www.14x.net/fx

- -----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On
Behalf
Of Justin Schaefer
Sent: Wednesday, September 13, 2000 12:05 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: eMail auditing problem


in order to sniff someones email, the person sniffing would
need root
access
on a machine between the source of the email and the
destination. the
person
would then run a packet sniffer, like dsniff or snoop, and
filter the
input,
to only see what they wanted to see. If you are sure this is
happening,
traceroute from your mail server to a destination where your
client
believes
his mail is being read. Start by checkign out all machines on
your
local
network for unusual traffic/programs/users logged in etc... and
search the
drives fro files that shouldnt be there. logs.. etc. then move
on to
the
next hop in the traceroute. Once you have gone as far as you
can in
this
manner, and you can confirm that the email is being raed, it
may be
time to
start alerting admins at other isps, or carriers. Just keep
following
the
traceroute, until you find him. Chances are however, that it is
somewhere on
your clients network.

- -Justin

- -----Original Message-----
From: Groh, Jens [mailto:jgroh () LPC-COMPUTER DE]
Sent: Wednesday, September 13, 2000 8:17 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] eMail auditing problem


Hi Folks,

as I'm new to the security scene I have to ask you a questions:

I've heard from a customer, that he believes, that all of his
outgoing mail
is read by someone using an email sniffer! My
question now is: has that to be server sided? I mean can anyone
use
this
email sniffer or has he or she already hacked the
outgoing mail server?

How is this to be done?
What programms?
What procedure?
How would you do that?

Thanx in advance,

Jens Groh
Hostmaster / Security
LPC GmbH
Germany

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use
<http://www.pgp.com>


iQA/AwUBOb/qEE0pQlPl0B0AEQKSEgCfZgbW62buQ0qozRfWnKgwPmWqlqsAoJah
X36PAG7Od/kT8tofXQxylL5p
=+/GD
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault