> -----Original Message-----
> From: Marc Sherman [mailto:msherman@projectile.ca]
> I happen to know that a certain hotshot M&A guy at
> Acquisicorp has his
> laptop set up to send "EHLO hot.grits". It's a bogus EHLO
> string, but
> it is (fairly) unique. My eavesdropping box can record IP/EHLO pairs
> for all incomming connections on port 587, before the
> STARTTLS command.
> By searching for hot.grits, and doing reverse lookups on the IP
> addresses, I can figure out what possible target companies
> Mr. Hotshot
> M&A guy is scouting for hostile takeover this week, and Buy Low, Sell
> High! It's a victimless crime!
Sounds pretty far fetched. And with TLS-on-connect you could still get
similar information by looking at where the packets are coming from. ("Gee,
this client is coming from an IP block owned by Hot Grits, Inc.!")
Besides, Mr. IT Guy would probably be better off with a keylogger. Next
you'll have to worry about keyboard-to-CPU TLS. ;)
