[Dshield] little experiment
Brance Amussen :)_S
brance at jhu.edu
Wed Mar 2 16:43:10 GMT 2005
My particular machine is registered in my DNS, and I have a hosts file which
also has my hostname in it, yet, when I watch the transaction between my
mail client (Outlook.. No comments from the peanut gallery.. :) ) and my
server, the local IP is always returned by the server in a HELO, after the
EHLO from my client, which contains only my hostname..
So it looks like this; (some info changed to protect the innocent..)
220 mymailserver.org ESMTP ready at Wed, 2 Mar 2005 10:45:02 -0500
250-mymailserver.org Hello [22.214.171.124]
I don't know, but it seems to me that this could be a good way of gleaning
information about a network, that otherwise should not be given so freely..
Although minor perhaps, I still can't say I am extremely comfortable wagging
my internal IPs to the world... :P If ya know what I mean.. ;)
And to know that it is as easily obtainable via a browser connection... My
own paranoia may be getting the better of me, but...
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Abuse
Sent: Wednesday, March 02, 2005 12:40 AM
To: General DShield Discussion List
Subject: Re: [Dshield] little experiment
** Reply to message from "Johannes B. Ullrich" <jullrich at euclidian.com> on
01 Mar 2005 17:42:54 -0500
> > How do you get the "behind firewall address"??
> It's a little bit of Java code I found. Essentially, it tells your
> browser to reload the page, but adds the IP address of your system to
> the end (you will see 'IP=126.96.36.199' at the end of the URL).
Strange. I have Java enabled but my internal IP was not given. I am using
> But so far, I have only seen java code that was able to actually send
> it to the server.
> As others have commented, many e-mail clients (e.g. mine) add it to
> the header, or mail servers add them if they are inside the natted
> If someone knows how to tell thunderbird not to send the IP as part of
> the 'helo', let me know ;-)
I don't know how Thunderbird works but here is what I did for my email
Polarbar gets the IP of the machine it is running on and does a DNS lookup;
if it does not resolve, it uses the IP for the HELO. If it does resolve, it
uses the resolved domain name for the HELO. I added my machine's IP to the
HOSTS file and put the domain name I wanted to use externally there. Since
this is a laptop using DHCP, at home I always get the same IP, and when I
travel, who knows what IP comes up. I really don't care if the IP is used,
but if I did I could change the HOSTS file.
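
An added example, not code from anyone in this thread: a Python check that lists the internal (RFC 1918, loopback, link-local) IPv4 addresses a message exposes in its Received headers, which is the leak discussed above. The sample message, its hostnames and its addresses are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Ranges that should not appear in mail leaving the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]

# Dotted-quad candidates; real validation is done by ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def internal_ips_in_received(raw_message):
    """Return (hop, ip) pairs for internal IPv4 addresses in Received headers.

    Hop 0 is the topmost header, i.e. the last server that handled the mail.
    """
    msg = message_from_string(raw_message)
    leaks = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 or a version string
            if any(addr in net for net in INTERNAL_NETS):
                leaks.append((hop, str(addr)))
    return leaks

# Constructed sample: the client announced itself with an address literal.
SAMPLE = "\n".join([
    "Received: from mail.example.org (mail.example.org [203.0.113.25])",
    " by mx.example.net with ESMTP; Wed, 2 Mar 2005 10:45:03 -0500",
    "Received: from laptop ([192.168.1.23])",
    " by mail.example.org with ESMTP; Wed, 2 Mar 2005 10:45:02 -0500",
    "From: user@example.org",
    "To: list@example.net",
    "Subject: constructed sample",
    "",
    "body",
])

if __name__ == "__main__":
    for hop, ip in internal_ips_in_received(SAMPLE):
        print(f"Received hop {hop} exposes internal address {ip}")
```

Run against mail as it arrives at an outside mailbox, this shows whether the client's HELO name or the first relay is what puts the internal address into the headers.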