[Dshield] little experiment

Henry Hertz Hobbit hhhobbit at comcast.net
Sat Mar 5 16:13:16 GMT 2005

On Wed, 2005-03-02 at 14:39, Brance Amussen :)_S wrote:
> It doesn't work on Windows either, as my previous post points out.. 
> From what I have read so far, the only reason I can see for a client and
> server to give/get the IP address is for identification, and why isn't
> domain name good enough? according to RFC 2821;
> In the EHLO command the host sending the command identifies itself;
>    the command may be interpreted as saying "Hello, I am <domain>" (and,
>    in the case of EHLO, "and I support service extension requests").
> However, it is the server which actually comes back with the local IP. Also
> the MTA which constructs the header attached to the actual mail is the one
> responsible for adding the local IP to the mail headers.. 
> In addition I can find no good reason for the IP address to be a part of the
> header, excepting of course for logging purposes, and perhaps forensics.. In
> fact RFC 822 (Standard for the format of ARPA Internet text messages) doesn't
> even have the words "IP Address" in it at all... (couldn't find an
> obsoleting RFC.. Didn't have much time to look however..)
> Please feel free to correct me if I am wrong.. 
> So why have it in there??? Some developer out there must know.. Could it be
> Carnivore, or Echelon again?? ;) (not to start any more conspiracy
> theories..)
> Brance :)_S

You have it only partially correct - okay, mostly correct.  I have
looked at it in Ethereal in the past, and it IS the MUA client that
contains your internal LAN IP address, not the SMTP server.  I did it
again just to be sure.  If anybody wants the sanitized ASCII log, I can
send them the log of the Ethereal capture, scrubbed (actually, more for
clarity than anything else) with the following replacements in the log:

MYIP  - my local internal IP address.
MYLANOUT - the internal address of my LAN router port
ISPDNS - One of Comcast's DNS servers
ISPSMTP - Comcast's SMTP server

You have until /tmp is cleaned by the machine to request the log, but
you could easily do it yourself.  The EHLO packet is the ONLY one that
contains your internal IP in it, just as Johannes said (but I already
knew that).  That is the ONLY packet that contains your internal IP
address in the BODY of the message.  Yes, I was careful to do the test
WITH and WITHOUT SSL enabled.  The results are the same.  In other
words, a good WAN <-> LAN firewall could be made to scrub the internal
address by just replacing it with your WAN address.  That probably is
the simplest solution if you have hundreds or thousands of hosts, but in
that case, your internal MTA dumps the address anyway before it passes
it out to the world, BUT its address won't be hidden, which means
hackers will know your internal MTA address UNLESS you transfer through
an MTA on the firewall.  For less than a dozen hosts, it would be nice to
tell the MUA what you want the IP address to be, but that opens up
potentials for abuse.  It doesn't matter, since anybody can volunteer to
help with building Thunderbird and change what it is in the code to
stick your WAN address in there instead.

I have searched the RFCs, and you are probably correct.  What they want
that IP address for, is just to know where the message is coming from. 
If it is your WAN address instead of the internal LAN address you are
just fine.  They just don't want you pretending to be somebody you
aren't.  It doesn't have anything to do with Big Brother, and anyway,
Big Brother is Google, not the government.

Key Name:  "Henry Hertz Hobbit"
Key fingerprint = 924E BE61 1ACF B87A DCA9 009E E74C 183D 0164 F7D5
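The firewall-side scrubbing described in the message above, as an added example that is not code from the original post or from the list. It scans a constructed SMTP client/server transcript for RFC 5321 address literals (the `[a.b.c.d]` form a MUA such as Thunderbird uses when it has no hostname to offer) that fall inside the RFC 1918 ranges, reports every line that carries one, and rewrites the one in the EHLO/HELO line to an assumed WAN address. The transcript, the internal address 192.168.1.23 and the WAN address 203.0.113.7 are all constructed for the example; the rewrite assumes the session passes the scrubbing hop in the clear.

```python
"""Find and scrub the RFC 1918 address a MUA puts in its EHLO address literal.

Added example, not code from the original post.  SESSION is a constructed
client/server SMTP transcript; WAN_ADDRESS is an assumed public address.
"""
import ipaddress
import re

# Constructed transcript: the MUA greets with an address literal that
# carries its internal LAN IP, and nothing else in the session does.
SESSION = [
    "220 smtp.example.net ESMTP ready",
    "EHLO [192.168.1.23]",
    "250-smtp.example.net",
    "250 AUTH PLAIN LOGIN",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "From: alice@example.org",
    "To: bob@example.com",
    "Subject: little experiment",
    "",
    "Only the EHLO line above carries the LAN address.",
    ".",
    "250 OK queued",
]

WAN_ADDRESS = "203.0.113.7"  # assumed address of the LAN router's WAN port

# RFC 5321 IPv4 address literal, e.g. "[192.168.1.23]"
ADDR_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 private ranges; checked explicitly rather than via
# ipaddress.is_private so that documentation ranges are not flagged.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _private_literal(line):
    """Return the RFC 1918 address inside a line's address literal, else None."""
    match = ADDR_LITERAL.search(line)
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:          # e.g. "[999.1.1.1]" is not an address
        return None
    return str(ip) if any(ip in net for net in RFC1918) else None


def _verb(line):
    """First token of a transcript line, upper-cased ('' for blank lines)."""
    parts = line.split(None, 1)
    return parts[0].upper() if parts else ""


def find_private_literals(lines):
    """List (index, verb, ip) for every line carrying an RFC 1918 literal."""
    hits = []
    for i, line in enumerate(lines):
        ip = _private_literal(line)
        if ip:
            hits.append((i, _verb(line), ip))
    return hits


def scrub_session(lines, wan_address):
    """Rewrite the EHLO/HELO address literal to wan_address, as a WAN<->LAN
    firewall would; other lines are passed through unchanged."""
    out = []
    for line in lines:
        if _verb(line) in ("EHLO", "HELO") and _private_literal(line):
            line = ADDR_LITERAL.sub("[%s]" % wan_address, line, count=1)
        out.append(line)
    return out


if __name__ == "__main__":
    for idx, verb, ip in find_private_literals(SESSION):
        print("line %d (%s) leaks internal address %s" % (idx, verb, ip))
    for line in scrub_session(SESSION, WAN_ADDRESS):
        print(line)
```

Run against the constructed transcript, the scan reports only the EHLO line, and after scrubbing no RFC 1918 literal remains anywhere in the session; feeding it a real capture (one line per SMTP command or reply) shows whether any other line, such as a Received: header added downstream, carries the address too.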
