Documente Academic
Documente Profesional
Documente Cultură
securityinnovation
Introduction
E-mail is present in nearly every organization
We all understand how it works
www.neutralbit.com
www.neutralbit.com
www.neutralbit.com
www.neutralbit.com
Corporate IP subnetting
Received header addresses are not translated
Internal IP addressing scheme
Type of connection to the internet
Received: from smtp.example.com (6.Net-45-12-192.dynamicIP.example.net
[192.12.45.6])
by mail.example.org (Postfix) with ESMTP id 0AB0E147B1
Received: from smtp.example.com (smtp.example.com [172.18.5.21])
by mx1.example.com (8.11.6/8.11.6) with ESMTP id i82sokwis;
Received: from vaio (172.16.1.100)
by smtp.example.com (Postfix) with ESMTP id i82shwk;
www.neutralbit.com
www.neutralbit.com
Server fingerprinting
Software and versions
Location based on time zones
www.neutralbit.com
www.neutralbit.com
A few examples
Data extracted from Linux kernel mailing list
Around 3 months in early 2006
www.neutralbit.com
target selection?
www.neutralbit.com
where is wally?
www.neutralbit.com
Client fingerprinting
User-Agent: SquirrelMail/1.4.3a
www.neutralbit.com
Patching policies
Application usage
Security gaps
Policy exceptions
Usage trends
Other interesting facts can be guessed
Same e-mail address + alternating mailers + multiple IP
addresses multiple locations (home / work?)
Same e-mail address + same mailer + multiple IP
addresses take the laptop home
Various e-mail domains + same mailer + same IP
address non-corporate mail at work
Changing Date time zones user on the go?
www.neutralbit.com
Custom X-Headers
X-Originating-IP, etc.
Antivirus / Antispam
Message contents
User data
Encoding data
www.neutralbit.com
Message-ID: <1103.203.41.53.196.1128283359.squirrel@mail.example.com>
Message-ID: <11363603.1154544476739.JavaMail.root@as.example.net>
www.neutralbit.com
Conclusions
www.neutralbit.com
Thank you!
Lluis Mora
llmora@neutralbit.com
World Trade Center - Edificio Sur, 2 Planta, Moll de Barcelona, Barcelona, E-08039 Spain
T: +34 933 443 224 - F: +34 933 443 299 info@neutralbit.com http://www.neutralbit.com