[Dshield] Any legitimate reason to strip SMTP X- headers?

Brenden Walker BKWalker at drbsystems.com
Tue May 24 15:40:56 GMT 2005


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jeff Kell
> Sent: Tuesday, May 24, 2005 11:26 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Any legitimate reason to strip SMTP 
> X- headers?
> 
> Paul Marsh wrote:
> > Really good question. I've got a Firebox that does the same thing in 
> > its default proxy config.  Anyone have any ideas?
> 
> You strip X-headers for the same reason you would 
> strip/obfuscate banners and other "identifying" information.  
> If there's an exploit discovered for specific builds of 
> Exchange (for example), and I see from your mail that you are running:
> 
> > X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
> 
> Then kaboom, you're making it easy for the black hats.  
> Especially if these headers get logged somewhere, and perhaps 
> google indexed, etc.

The funny thing is, as you can see, data sent from the Exchange server
goes out with X-Headers.  There's something else that's proxying port 25
SMTP traffic (of which we have very little, and none of it's really
business related)...  

Of course, our in-house guys don't know anything about it.  They think
it might be Websense doing it.

Seems like an ineffective half-measure in place here.
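A way to verify the point made above, that mail leaving the Exchange server still carries version-revealing X- headers, as an added example that is not code from the list or from any product named in the thread: it parses a message, reports X- headers whose values name a product version (the X-MimeOLE value is the one quoted above; the sample message and the extra header names X-Mailer, X-Originating-IP and X-MSMail-Priority are constructed assumptions) and returns a copy with those headers removed.

```python
"""Audit a message for fingerprinting X- headers and strip them (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Product name followed by a version, e.g. "Microsoft Exchange V6.5.7226.0".
VERSION_RE = re.compile(r"[A-Za-z][A-Za-z .-]*\s+V?\d+(?:\.\d+)*\b")

# X- headers that only identify the sending software; the receiving MTA never
# needs them.  Assumed list; X-MimeOLE is the header quoted in the thread.
STRIP_HEADERS = {"x-mimeole", "x-mailer", "x-originating-ip", "x-msmail-priority"}

# Constructed sample message.  Other X- headers (X-Priority here) are kept.
SAMPLE = (
    "From: sender@example.com\r\n"
    "To: list@example.org\r\n"
    "Subject: test\r\n"
    "X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"
    "X-Mailer: Microsoft Office Outlook 11\r\n"
    "X-Priority: 3\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "body\r\n"
)


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def find_fingerprints(raw: str) -> list[tuple[str, str]]:
    """Return (header, value) pairs of X- headers that reveal a product version."""
    msg = parse(raw)
    return [
        (name, str(value))
        for name, value in msg.items()
        if name.lower().startswith("x-") and VERSION_RE.search(str(value))
    ]


def strip_fingerprints(raw: str) -> str:
    """Return the message with the fingerprinting X- headers removed, body intact."""
    msg = parse(raw)
    for name in list(msg.keys()):
        if name.lower() in STRIP_HEADERS:
            del msg[name]  # removes every occurrence, case-insensitively
    return msg.as_string()


if __name__ == "__main__":
    for name, value in find_fingerprints(SAMPLE):
        print(f"leaks version info: {name}: {value}")
```

Run it against a raw copy of a message captured at the border (not only at the Exchange server) to see whether the proxy's stripping actually applies to that path.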



