
Re: Address Scanning Document comments



On Wed, Mar 22, 2006 at 06:04:21PM -0600, Fred Baker wrote:
> 
> For example, when you receive this email, it will have a number of  
> 'receive' lines. In case you have forgotten how to manage your email  
> tool, they look something like this:
> 
> >Received: 	from xbh-sjc-231.amer.cisco.com
> >([128.107.191.100]) by xmb-sjc-225.amer.cisco.com with Microsoft
> >SMTPSVC(6.0.3790.211); Wed, 22 Mar 2006 15:21:53 -0800
> ...
> >Received: 	from cisco.com ([128.107.132.219]) by
> >xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211);
> >Wed, 22 Mar 2006 15:21:48 -0800
> 
> As you can see, it contains the numeric address of the system. Any  
> system that emits email is therefore known by any system that  
> receives it, which is to say that IPv6 addresses of hosts on remote  
> LANs are trivially easy to obtain. And if you can manage to infect  
> one, the neighbor discovery protocol results in that system knowing  
> all of its peers on said LAN even if they don't send mail.
> 
> Hence, I doubt that there will be any address scans, and I also doubt  
> that there will be fewer attacks. They will just come in a different way.

I agree, and I think Section 3 (Alternatives for Attackers) could add
a list of examples of where to harvest addresses from.   While MX's
will be DNS listed anyway, mail headers are a good (or bad :) example
since internal relays and sender IPs are invariably included.  If 
RFC3041 addresses are used for senders (or for any application) at 
least that harvestable information has its value to the attacker time 
limited.

-- 
Tim/::1
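
The header disclosure discussed in this message can be audited on your own outbound mail. The following is an added example, not part of either email: it lists every address literal in a message's Received headers and labels IPv6 interface identifiers as MAC-derived (stable) or opaque (possibly an RFC 3041 temporary address, which cannot be confirmed from the address alone). The sample message, the function names and the labels are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message (not from the thread); documentation ranges only.
SAMPLE = """\
Received: from relay.example.net ([2001:db8:10::25]) by mx.example.org
 with ESMTP; Wed, 22 Mar 2006 15:21:53 -0800
Received: from ws17.example.net ([IPv6:2001:db8:20:1:211:22ff:fe33:4455])
 by relay.example.net with ESMTP; Wed, 22 Mar 2006 15:21:48 -0800
Received: from laptop.example.net ([2001:db8:20:1:3c5e:91a7:4bd:e2f1])
 by relay.example.net with ESMTP; Wed, 22 Mar 2006 15:21:40 -0800
Received: from gw.example.net ([192.0.2.10]) by relay.example.net
 with ESMTP; Wed, 22 Mar 2006 15:21:30 -0800
From: a@example.net

body
"""

# Address literal in a Received line, with or without the "IPv6:" tag.
LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def classify(addr):
    """Label an address by the kind of interface identifier it carries."""
    if addr.version == 4:
        return "ipv4"
    iid = addr.packed[8:]                 # low 64 bits
    if iid[3:5] == b"\xff\xfe":
        return "eui64"                    # MAC-derived, stable across time
    if iid[:6] == bytes(6):
        return "manual"                   # low-numbered, typically static
    return "opaque"                       # randomized; may be RFC 3041 temporary

def audit(raw_message):
    """Return [(address, label)] for every literal in the Received headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for literal in LITERAL.findall(header):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue                  # bracketed text that is not an address
            found.append((str(addr), classify(addr)))
    return found

if __name__ == "__main__":
    for address, label in audit(SAMPLE):
        print(f"{label:8} {address}")
```

Addresses labelled `eui64` or `manual` remain valid for as long as the host keeps its hardware or configuration, so those are the entries worth stripping or rewriting at the outbound relay.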