[Dshield] little experiment

Brance Amussen :)_S brance at jhu.edu
Wed Mar 2 16:43:10 GMT 2005

My particular machine is registered in my DNS, and I have a host file which
also has my hostname in it, yet, when I watch the transaction between my
mail client (outlook.. No comments from the peanut gallery.. :) ) and my
server, the local IP is always returned by the server in a HELO, after the
EHLO from my client, which contains only my hostname..
So it looks like this; (some info changed to protect the innocent..)

220 mymailserver.org ESMTP ready at  Wed, 2 Mar 2005 10:45:02 -0500
EHLO mymachine 
250-mymailserver.org Hello [] 

I don't know, but it seems to me that this could be a good way of gleaning
information about a network, that otherwise should not be given so freely..
Although minor perhaps, I still can't say I am extremely comfortable wagging
my internal IP's to the world... :P If ya know what I mean.. ;) 

And to know that it is as easily obtainable via a browser connection... My
own paranoia may be getting the better of me, but...

B :)_S  

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Abuse
Sent: Wednesday, March 02, 2005 12:40 AM
To: General DShield Discussion List
Subject: Re: [Dshield] little experiment

** Reply to message from "Johannes B. Ullrich" <jullrich at euclidian.com> on
01 Mar 2005 17:42:54 -0500

> > How do you get the "behind firewall address"?? 
> its a little bit of javacode I found. Essentially, it tells your 
> browser to reload the page, but adds the IP address of your system to 
> the end (you will see 'IP=' at the end of the URL).

Strange.  I have JAVA enabled but my internal IP was not given, I am using
Mozilla v1.7.

> There are a couple of tricks to just display it locally with javascript. 
> But so far, I have only seen java code that was able to actually send 
> it to the server.
> As others have commented, many e-mail clients (e.g. mine) add it to 
> the header, or mail servers add them if they are inside the natted
> If someone knows how to tell thunderbird not to send the IP as part of 
> the 'helo', let me know ;-)

I don't know how Thunderbird works but here is what I did for my email
Polarbar gets the IP of the machine it is running on and does a DNS lookup,
if it does not resolve it uses the IP for the HELO.  If it does resolve it
uses the resolved domain name for the HELO.  I added my machines IP to the
HOSTS file and put the domain name I wanted to use externally there.  Since
this is a laptop using DHCP at home I always get the same IP and when I
travel, who knows what IP comes up, I really don't care if the IP is used
but if I did I could change the HOSTS file.
-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th

send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list