On 08/23/2000 at 22:47:01 ZE2, mouss <[EMAIL PROTECTED]> wrote:
> There is nothing that a firewall can use to distinguish a
> "normal" client from a guy who telnets to the
> port, for the simple reason that both are exactly the same thing.

There are at least two ways that an smtp server can suspect that a
connection has been made from a telnet client.  One has been mentioned by
others: the amount of data in each packet and the timing of the packets.

The other is even more obvious.  Most, if not all, telnet clients will
attempt to perform telnet option negotiation at the beginning of a
connection.  These tcp options will not be present in a normal mail
connection.  Here is a trace of the first packet where the client was using
the (crufty) W95 telnet command:

IP header breakdown:
        < SRC =        9.1.68.5 >  (trallt.almaden.ibm.com)
        < DST =       9.1.10.30 >  (k85b.almaden.ibm.com)
        ip_v=4, ip_hl=20, ip_tos=52, ip_len=64, ip_id=656, ip_off=0DF
        ip_ttl=125, ip_sum=9acf, ip_p = 6 (TCP)
TCP header breakdown:
        <source port=3762, destination port=25(smtp) >
        th_seq=27b65d1, th_ack=0
        th_off=11, flags<SYN>
        th_win=5840, th_sum=47f5, th_urp=0
                mss 1460
                nop
                wscale 0
                nop
                nop
                opt-8:00000000     0a000000 00000000  |........|
                eol
                nop
                nop
                opt-4:          mss 0 [len 0]

Everything after the "mss 1460" would not be present when using a normal
smtp client.  These are telnet options; the smtp server is going to
completely ignore these unless it is trying to detect that a telnet client
made the connection.

So there are ways to do it, but what's the point?  There's nothing wrong
with sending mail with telnet.  I do it fairly often.  I may be on a
machine that doesn't have a real mail client, I may want to see the smtp
messages that are being issued by the server, whatever.  This isn't an
"intrusion" attempt, although a firewall admin may have some interest in
making note of it.

Besides, we found that the originator of this thread was really just trying
to ensure that undesired mail relaying couldn't happen.  As he later
discovered, the use of telnet doesn't make this any more possible than it
is with a normal mail client.

Tony Rall
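
Added example, not part of the original message: a Python decoder for the option bytes that follow the fixed 20-byte TCP header in a SYN segment, the field the trace above lists from "mss 1460" onward. The sample bytes are constructed and sized for th_off=11 (24 option bytes); the option names follow the IANA TCP option registry.

```python
import struct

# Option kinds as assigned in the IANA TCP option registry.
KIND_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale",
              4: "sack-permitted", 5: "sack", 8: "timestamps"}


def parse_tcp_options(th_off, options):
    """Return [(name, value), ...] for the option bytes of one TCP header.

    th_off is the data offset in 32-bit words, as printed in the trace.
    Raises ValueError when the bytes do not form a valid option list.
    """
    if th_off < 5 or len(options) != th_off * 4 - 20:
        raise ValueError("option length does not match th_off")
    decoded, i = [], 0
    while i < len(options):
        kind = options[i]
        name = KIND_NAMES.get(kind, f"opt-{kind}")
        if kind == 0:                      # end of list: the rest is padding
            decoded.append((name, None))
            break
        if kind == 1:                      # single-byte padding option
            decoded.append((name, None))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"{name}: missing length byte")
        length = options[i + 1]            # counts the kind and length bytes
        if length < 2 or i + length > len(options):
            raise ValueError(f"{name}: bad length {length}")
        body = options[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", body)[0]   # maximum segment size
        elif kind == 3 and length == 3:
            value = body[0]                        # window scale shift count
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", body)     # (TSval, TSecr)
        else:
            value = body.hex() or None
        decoded.append((name, value))
        i += length
    return decoded


# Constructed sample: mss, nop, wscale, nop, nop, timestamps, nop, nop, sack-permitted
SAMPLE = bytes.fromhex("020405b4" "01" "030300" "0101"
                       "080a0000000000000000" "0101" "0402")

if __name__ == "__main__":
    for name, value in parse_tcp_options(11, SAMPLE):
        print(name, value)
```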

