Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Filtering email headers generated from internal network (Sensible?)

from [Joachim Schipper] Network Security [Permanent Link]
Subject: Re: Filtering email headers generated from internal network (Sensible?)
Date: Tue, 10 May 2005 10:19:51 +0200 
On Mon, May 09, 2005 at 11:23:16AM -0700, anyluser wrote:


IMO there's a balance between sec through obscurity
(STO) and flat out information leakage.  Just as most
things in security, this as much a balance as any
other.  

Generally speaking sec through obscurity implies (to
me) that you're relying on the obfuscation for more
then it's really worth.  If you think it'll keep you
safe, you're using STO.  If you're realistic about
your expectations then do a CBA (cost/benefit
analysis) and make your decision as to whether or not
it's worthwhile.  

IMO if there's a mail routing infrastructure behind
your borders then you should obscure it to the
outside, if you have the time.  That'

Granted it wont make you secure but it'll least keep
your infrastructure details relatively private, which
being the paranoid lot we probably are is a good
thing.  :)


You'll need to analyze what you want to cut out, though. While I fully
agree that cutting out Received: headers may be somewhat useful [1],
cutting out X-Virus-Scanned headers seems sensible [2], cutting out
User-Agent isn't all that much good. In the overwhelming number of
cases, people use Outlook, and Outlook's idea of HTML is pretty
noticeably different from anything not made by Microsoft. And it's the
biggest one, so guessing people use Outlook is usually a safe bet.

Other mailers are probably recognizable by, at least, their HTML
implementation as well. However, since Outlook is the most often
exploited, hiding Outlook is most useful.

There are a couple of notes I'd like to make, though.
[1] If you end up with a broken Received: path, this will break
a lot of stuff, and might cause your e-mail to be rejected as spoofed.
Check the message-ID; the first receiving mail server may well
be encoded in there. Ripping out the message-ID is not advised, as it
makes tracking mail much more difficult.
[2] Though I do not see much benefit in scanning outgoing mail, then
telling no-one that you did it. Not that any sane person wouldn't use
his own scanner as well...

Looks to me like you have to be very, very careful here, or stuff will
break. But it might work.

                Joachim

Attachment: pgpV4f2Srl8e2.pgp
Description: PGP signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  AW: DDos within a pentest, Julian Totzek
Next by Date:  Re: DDos within a pentest, Jose Maria Lopez Hernandez
Previous by Thread:  Re: Filtering email headers generated from internal network (Sensible?), Kyle Maxwell
Next by Thread:  Re: Filtering email headers generated from internal network (Sensible?), Brendan Murray
Indexes:  [Date] [Thread] [Top] [All Lists]