Mailing List Archive

Fw: Improving mail relay checks (was: "Nessus calls home")
Hi,


Since the previous email bounced, I am resending it, sorry.

---
Hi,
I can do either of the two:
1) Give me the script, I will provide you with NASL (Learning curve,
non-existing)
2) Show everyone the script, I will give you pointers how to write the NASL,
give a small example for you to start from, and we will write it "together"
(Learning curve, high).
I would prefer 2, even though I know it will take longer, because I will be
happier to see others become able to utilize the good interface provided
by NASL to write plugins, and to see plugin writing become less centralized.
Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
>
> ----- Original Message -----
> From: "Hugo van der Kooij" <hvdkooij@vanderkooij.org>
> To: <nessus@list.nessus.org>
> Sent: Wednesday, May 08, 2002 17:18
> Subject: Improving mail relay checks (was: "Nessus calls home")
>
>
> > On Wed, 8 May 2002, Renaud Deraison wrote:
> >
> > > 1. SMTP checks
> > >
> > > > Several SMTP checks send an email coming from or going to
> > > > nessus@nessus.org (also test_1@nessus.org and test_2@nessus.org). These
> > > checks are mostly used for bounce or old sendmail attacks. With these
> > > checks, the expected behavior of the MTA is either to send a 50x error
> > > code or to fail to the attack. Under some rare circumstances however,
> > > the mail may be bounced back to nessus@nessus.org, which is a
> > > non-existing mailbox on mail.nessus.org. So if I were to spy on my
> > > users, one could imagine I'd grep "nessus@nessus.org" in
> > > /var/log/maillog and see who's using Nessus. I don't do that, but I
> > > admit it could be done.
> > >
> > > Why do I use "nessus@nessus.org" ? Well, for the relay checks, it
> > > > sounded good to use a really existing mail domain, so that half-smart
> > > > mailers which do some DNS checks on email addresses would not reject the
> > > > mail for the sole reason the email domain is not valid. I was suggested
> > > to use example.com, but there's no MX for that domain, so I don't like
> > > it.
> >
> > I have a simple script that requires 2 parameters. The IP address of the
> > mailserver to test and a domain name that is present on that server. It
> > uses a fixed but changeable sender address that is defined in the
> > beginning of the script.
> >
> > It does test 21 mail relay variants and exceeds the present options
> > available in nessus. I would welcome to work with someone familiar with
> > nasl to create a better script to test all of these.
> >
> > > This script will however not be able to verify everything. Some servers do
> > > not report an error on the SMTP session but will not forward the message.
> > So the only way to be sure is to verify that none of the 21 messages are
> > arriving at the end address.
> >
> > Hugo.
> >
> > --
> > All email send to me is bound to the rules described on my homepage.
> > hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
> > Don't meddle in the affairs of sysadmins,
> > for they are subtle and quick to anger.
> >
> >
>
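Hugo's point in the quoted message, that a clean SMTP session does not prove whether a test message was forwarded, shown as an added example (not part of the original thread and not Hugo's script). It assumes each test message carries a unique tag in a hypothetical `X-Relay-Test-Id` header; the variant ids, addresses and mailbox contents are constructed.

```python
import email
from email import policy

# Assumption of this example: each test message carries a unique tag in this
# header, so arrivals at the end address can be matched to a relay variant.
TAG_HEADER = "X-Relay-Test-Id"


def delivered_ids(raw_messages):
    """Return the test ids found in messages that reached the end address."""
    ids = set()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        tag = msg.get(TAG_HEADER)
        if tag:
            ids.add(str(tag).strip())
    return ids


def classify(smtp_results, raw_messages):
    """Combine the last SMTP reply code per test with what actually arrived."""
    arrived = delivered_ids(raw_messages)
    verdicts = {}
    for test_id, code in smtp_results.items():
        if test_id in arrived:
            verdicts[test_id] = "RELAYED"  # delivery is the proof
        elif 200 <= code < 400:
            verdicts[test_id] = "ACCEPTED_NOT_DELIVERED"  # dropped or still queued
        elif 400 <= code < 500:
            verdicts[test_id] = "DEFERRED"  # temporary failure, retest later
        else:
            verdicts[test_id] = "REJECTED"  # 5xx, the expected behaviour
    return verdicts


# Constructed sample data: three hypothetical variants and one arrival.
SMTP_RESULTS = {"variant-01": 550, "variant-02": 250, "variant-03": 250}
MAILBOX = [
    "From: sender@example.org\nTo: end@example.net\n"
    "X-Relay-Test-Id: variant-03\nSubject: relay test\n\nbody\n",
    "From: someone@example.org\nSubject: unrelated mail\n\nhello\n",
]

if __name__ == "__main__":
    for test_id, verdict in sorted(classify(SMTP_RESULTS, MAILBOX).items()):
        print(test_id, verdict)
```

Variants 02 and 03 look identical in the SMTP session (both 250); only the check of the end mailbox separates the server that silently discards from the one that relays.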