[OT] Port 25 vulnerability

Matt Kettler mkettler at EVI-INC.COM
Fri Jan 30 16:28:01 GMT 2004

At 10:36 AM 1/30/2004, you wrote:

>Try doing an nslookup with type=mx on amazon or microsoft or even
>weldre5j.k12.co.us and then try telneting to port 25 of one of those servers

Amazon Works flawlessly for me.

I think you're confusing servers blocking your IP address from connecting
with them blocking telnet connections. The two are NOT the same. (ie: if
you fail to telnet to amazon's mailserver on port 25, a local copy of
sendmail would also fail).

So, I repeat my statement that it's not simple for a mailserver to discern
wether it is being connected to by a telnet client, a mail client, or a
mail server application.

Theoretically you could make a mailserver issue out some telnet terminal
emulation commands to see if a telnet client on the other end answers them.
However this would likely confuse real mailservers trying to deliver mail.

I assume this is what merakmail does.. Not that the feature offers any
noticeable security benefits, as someone can merely use netcat instead
(netcat doesn't do terminal emulations, thus won't respond to, or be
thwarted by this). Most amateur skript-kiddies use netcat or c-code and not
telnet anyway, so even most of your unsophisticated attackers can waltz
right past it. (it's difficult to automate telnet from a script, but netcat
is made for it, hence it's favored for such things).

As for amazon:

;amazon.com.                    IN      MX

amazon.com.             7200    IN      MX      10 service-4.amazon.com.
amazon.com.             7200    IN      MX      10 service-5.amazon.com.
amazon.com.             7200    IN      MX      10 service-3.amazon.com.

$telnet service-4.amazon.com 25
Connected to service-4.amazon.com.
Escape character is '^]'.
220 service-4.amazon.com Generic SMTP handler
HELO xanadu2.evi-inc.com
250 service-4.amazon.com talking to xanadu2.evi-inc.com ([])

More information about the MailScanner mailing list