To quote Howard, "what's the problem you're trying to solve". And, let's
add to that, "is the solution going to be worse than the problem", and
the Andrew Smith rule, "Is the problem you're trying to solve really
a problem?"

In theory, you could look for typos that a MTA wouldn't likely commit,
but that would only get clumsy telnetters and is likely much more
easily implemented in the mail daemon itself.

What is "telnet"? It's a program for making an interactive TCP socket
connection with a remote (or local) host. It includes terminal
capability negotiations that I believe are only negotiated if the
destination tries to negotiate them (meaning that sendmail, upon
receiving a connection from a telnet client, wouldn't try to negotiate
these options, and thus, that characteristic of a telnet client wouldn't
be easily discovered).

Why do people telnet to a SMTP server? There are legitimate reasons:
to test for open relays, to test for valid recipients, to verify that
there is a working SMTP server at that address ... all probes are not
malicious.

Therefore, to return to the Berkowitz query, what problem are you going
to solve by being able to differentiate between a telnet program and
a MTA? My theory is none. You may be able to avoid some really
unsophisticated probes, but spammers and their ilk use MTA-like
programs for their probes and trying to identify their behavior with
IDS logic is like trying to determine who is a convicted felon by how
much they stammer.

If I could issue standard mail protocol commands that you consider
compromising, would you feel safer if:

You'd catch me if I issued them with this:

telnet yourmailhost.yourdomain.com 25

And maybe caught me with this:

nc yourmailhost.yourdomain.com 25

But had no chance with:

./probesmtp -h yourmailhost.yourdomain.com

In short, if you have an application that needs to accept connections
from the outside world in general, and you don't have an easily
identifiable common attack/probe (like someone trying to use the
DEBUG command on a very old sendmail daemon (which you should have
secured 7 years ago instead of trying to detect it with an IDS system))
you should secure the application/daemon, not try to make the IDS make
subjective calls that it can't be expected to make.

On 16-Apr-2002, Priscilla Oppenheimer wrote:
> When people Telnet to SMTP server, what do they then do? Do they manually 
> send the normal SMTP commands? Sorry, if that's a dumb question, but I'm 
> just trying to figure out the situation.
> 
> If they are not Telnetting in order to send ordinary SMTP commands (HELO,
> RSET, RCPT, DATA, etc.) then of course, you could recognize them because by
> what they aren't doing.
> 
> Let's say they are sending ordinary SMTP commands. Would it be possible 
> then to recognize this by the timing? Even the fastest typist can't send 
> those commands as fast as e-mail software can.
> 
> That's my $0.00000010. Please do answer, though. I'm trying to learn more 
> about this curious thing of Telnetting to ports other than 23.
> 
> Priscilla
> 
> At 02:51 AM 4/16/02, Cisco Breaker wrote:
> >Hi,
> >
> >Is it possible to block telnet to SMTP server from port 25 with IDS. I want
> >to create a custom signature for this but I don't know how this can be done.
> >If I write a signature beginning with hello it will block all mail traffic
> >because all of them starts with hello as I know.  And are there any
> >resources that tells how to write a custom signature. We are using CSPM
> >2.3.3i.
> >
> >Any help will be appreciated.
> >
> >Best regards,
> >
> >Cisco Breaker
> ________________________
> 
> Priscilla Oppenheimer
> http://www.priscilla.com
-- 
---------------------------------------------------------------------------
  ** Andrew W. Smith ** [EMAIL PROTECTED] ** Senior Network Engineer **
    ** http://www.neosoft.com/neosoft/staff/andrew ** 1-888-NEOSOFT **
     ** NeoSoft, Inc. An Internet America Company  1-800-BE-A-GEEK **    
       ** "Opportunities multiply as they are seized" - Sun Tzu **
---------------------------------------------------------------------------

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41715&t=41565
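As an added illustration, not code from anyone in this thread, here is the timing heuristic Priscilla floats (a typist can't issue SMTP commands as fast as mail software) together with a check for the telnet option-negotiation bytes (IAC, 0xFF) Andrew describes, run over constructed session transcripts. The one-second threshold, the transcripts and the IAC sample bytes are all assumptions; the scripted probe comes out classified exactly like a real MTA, which is Andrew's point.

```python
from statistics import median

IAC = 0xFF  # telnet "Interpret As Command" byte; never appears in 7-bit SMTP
INTERACTIVE_GAP_SECONDS = 1.0  # assumed threshold for "someone is typing"

# Constructed client-side transcripts: (seconds since connect, command sent).
HUMAN_TELNET = [(3.2, "HELO example.org"), (9.8, "MAIL FROM:<a@example.org>"),
                (17.5, "RCPT TO:<b@example.net>"), (21.0, "QUIT")]
REAL_MTA = [(0.05, "EHLO mta.example.org"), (0.11, "MAIL FROM:<a@example.org>"),
            (0.17, "RCPT TO:<b@example.net>"), (0.23, "DATA"), (0.40, "QUIT")]
SCRIPTED_PROBE = [(0.02, "HELO x"), (0.04, "MAIL FROM:<a@example.org>"),
                  (0.06, "RCPT TO:<b@example.net>"), (0.08, "QUIT")]


def command_gaps(transcript):
    """Seconds between consecutive client commands; first gap is from connect."""
    times = [0.0] + [t for t, _ in transcript]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def has_telnet_negotiation(first_bytes: bytes) -> bool:
    """True if the client stream carries telnet option negotiation.

    Per the post above, a telnet client typically only emits these when the
    server starts negotiating, so a plain SMTP daemon will rarely see them.
    """
    return IAC in first_bytes


def classify_session(transcript, first_bytes=b"",
                     threshold=INTERACTIVE_GAP_SECONDS):
    """Return 'telnet', 'interactive', 'automated' or 'empty'."""
    if has_telnet_negotiation(first_bytes):
        return "telnet"
    gaps = command_gaps(transcript)
    if not gaps:
        return "empty"
    return "interactive" if median(gaps) >= threshold else "automated"


if __name__ == "__main__":
    sessions = {"human telnet": HUMAN_TELNET, "real MTA": REAL_MTA,
                "scripted probe": SCRIPTED_PROBE}
    for name, transcript in sessions.items():
        print(f"{name:15} -> {classify_session(transcript)}")
    # Constructed bytes: IAC WILL ECHO, i.e. a client that did negotiate.
    negotiated = b"\xff\xfb\x01"
    print(f"{'negotiated':15} -> {classify_session(HUMAN_TELNET, negotiated)}")
```

Nothing here tells a telnet session from a two-line probe script issuing the same commands at machine speed, so the verdict for the IDS is the same as in the post: fix the daemon, don't ask the sensor to guess.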