Re: [exim] Testing sending hosts open ports

Author: Renaud Allard
Date:  
To: exim-users
Subject: Re: [exim] Testing sending hosts open ports
p0f isn't really a solution, just because the Windows TCP/IP stack is so
messy that you cannot recognize or really differentiate versions. The
only thing you could tell is whether it is a Windows machine or not, which is
obviously not a good test.

Also, ports 445, 135, etc. are very often firewalled by the ISPs themselves, so
you obviously couldn't connect to most senders. I once did a script that
used Samba to send a shutdown command to Windows machines connecting to
my exim, using administrator as the login and a null password (as only a
very badly configured machine should be like that), and putting a delay
line in exim afterwards. But I couldn't connect to many hosts due to
their ISP blocking ports.

A better idea would be connecting to their port 25 when they connect to
yours and trying to send a fake mail to your domain (about the way exim does
it with callouts). If they accept, then they have an open relay and
you can start blacklisting. But this would also lead to some (probably
very few) false positives.

As for the moral or legal issues, I don't care: if they run a mail
server, they should expect connections to it. And if they are sending me
spam, I have at least the right to test them, and I could myself pursue
them for sending me spam. After all, exim also does this kind of stuff
with callouts, even when an IP that has nothing to do with the
maintainer of the MX tries to send a spoofed mail.

It is a matter of fact that many (most?) mail servers are badly
configured, and you cannot use a single test to classify them all.


> Richard Clayton <richard@???> said, in message
> 1aQew$IOGeYEFA9F@???:


>>>I was thinking of some way to examine the sender to see if it
>>>looked like it was a home computer running Windows XP as opposed to
>>>a server.
>>
>>to do this effectively on a machine in the UK would almost certainly
>>involve you in committing an offence under the Computer Misuse Act
>>1990



> On top of the legal and moral issues, hitting ports 135 etc. won't be all
> that effective nowadays, as they'll probably be firewalled by XP for most
> home users.
>
> That said, the idea of fingerprinting has been discussed here before, and
> the friendly way to do it is passively, using p0f. I suspect that's the
> question that Marc should be asking... though asking Google first might give
> the answer he wants!
>
> Cheers,
> Alun.


> --
>
> .O.
> ..O
> OOO
>
> PGP key: http://www.llorien.org/gnupg/key.pub
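
The "callouts" Renaud compares his idea to are Exim's sender verification callouts, which are scoped to the return path of the message actually being received rather than probing arbitrary hosts. The fragment below is an added illustration for readers of this thread, not configuration posted by anyone in it; it shows how a receiving Exim is normally set up to do a callout in the RCPT ACL. The ACL name, the host and domain lists, and the 20 second timeout are assumptions chosen for the example.

```exim
# Added example (not from the thread): sender callout in an Exim RCPT ACL.
# Assumed names: acl_check_rcpt, relay_from_hosts, local_domains; the
# timeout value is illustrative.

# Main section: which ACL runs for each RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

# Hosts allowed to relay without verification (only the local machine here)
# and the domains this server accepts mail for (@ = its own hostname).
hostlist   relay_from_hosts = 127.0.0.1 : ::1
domainlist local_domains    = @

begin acl

acl_check_rcpt:
  # Trusted and authenticated clients are never subjected to a callout.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Cheap check first: the sender domain must exist and route somewhere.
  # This costs no outbound connection.
  deny    message       = Envelope sender domain does not verify
          !verify       = sender

  # Callout: Exim connects to the sender domain's MX, sends
  # HELO / MAIL FROM:<> / RCPT TO:<return-path>, then QUITs before DATA.
  # defer_ok treats timeouts and 4xx answers as a pass, so a slow or
  # unreachable remote server does not turn into a hard reject here.
  deny    message       = Envelope sender does not verify (callout)
          !verify       = sender/callout=20s,defer_ok

  # Accept mail for our own domains; refuse to relay anything else.
  accept  domains       = +local_domains
  deny    message       = relay not permitted
```

Two points worth noting for anyone tempted to go further than this: the callout only ever talks to the MX of the domain in the return path, which is why it is generally regarded as acceptable behaviour for an MTA, and the `defer_ok` option is what keeps a remote site's temporary trouble from becoming your false positives. Exim caches callout results, so the extra connections are made once per sender address rather than per message.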