Author: W B Hacker Date: To: exim users Subject: Re: [exim] Testing sending hosts open ports
Renaud Allard wrote:
> p0f isn't really a solution, just because windows tcp/ip stack is so
> messy that you cannot recognize or really differentiate versions. The
> only thing you could tell is if it is a windows machine or not. Which is
> obviously not a good test.
This is digressing to mere noise.
A reasonably well-configured mail server can be on any OS.
So, too, a badly-configured one.
IF/AS/WHEN a 'correspondent' arrives via properly-implemented
smtp protocols, with zero protocol violations, or 'few that are
critical'....
just handle the (compliant) traffic offered...
If NOT... NOT. Who cares what else that box is doing?
Spam/ham is a different issue.
What next? The snail-mail postman should show up with proof he
locked the windows in his house when he left for work that
morning, fed his dog, and doesn't heat with gas?
Bill
>
> Also ports 445,135, etc are very often firewalled by ISP themselves, so
> you obviously couldn't connect to most senders. I once did a script that
> used samba to send a shutdown command to windows machines connecting to
> my exim using administrator as the login and a null password (as only a
> very badly configured machine should be like that) and putting a delay
> line in exim afterwards. But I couldn't connect to many hosts due to
> their ISP blocking ports.
>
> A better idea would be connecting to their port 25 when they connect to
> yours, try to send a fake mail to your domain (about the way exim does
> it with callouts). And if they accept, then, they have an open relay and
> you can start blacklisting. But this would also lead to some (probably
> very few) false positives.
>
> As for the moral or legal issues, I don't care, if they run a mail
> server, they should expect connections to it. And if they are sending me
> spam, I have at least the right to test them, and I could myself pursue
> them for sending me spam. After all exim also does this kind of stuff
> with callouts, even when an IP that has nothing to do with the
> maintainer of the MX tries to send a spoofed mail.
>
> It is a matter of fact that many (most?) mail servers are badly
> configured and you cannot use a single test to classify them all.
>
> Richard Clayton <richard@???> said, in message
> 1aQew$IOGeYEFA9F@???:
>
>>>>I was thinking of some way to examine the sender to see if it
>>>>looked like it was a home computer running Windows XP as opposed to
>>>>a server.
>>>
>>>to do this effectively on a machine in the UK would almost certainly
>>>involve you in committing an offence under the Computer Misuse Act
>>>1990
>
> On top of the legal and moral issues, hitting ports 135 etc won't be all
> that effective nowadays, as they'll probably be firewalled by XP for most
> home users.
>
> That said, the idea of fingerprinting has been discussed here before, and
> the friendly way to do it is passively, using p0f. I suspect that's the
> question that Marc should be asking... though asking google first might give
> the answer he wants!
>
> Cheers,
> Alun.