Advanced Research Corp (the Company responsible for the SARA security scanning tool) has fixed the SMTP scan after I demonstrated the problem to them.
The fix is scheduled to be part of the next SARA release (due in about two weeks). If anyone else is using SARA for security scanning, drop me a note and I will forward the patched relay.sara to you.

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael W. Burden
Sent: Wednesday, August 02, 2000 9:32 AM
To: [EMAIL PROTECTED]
Subject: Security scanning with SARA

I sent this to the group last night, but the listserver doesn't like attachments, so I had to copy and paste my shellscript into the email.

If anyone out there is using SARA (http://www-arc.com/sara/sara.html) to check the security of the GNAT Box, you should be aware that the two latest versions of SARA (sara-3.1.5 and sara-3.1.6) can return a false positive indicating that the GNAT Box SMTP proxy can be used as a spam relay. So far, I have only seen this happen when scanning one of the GNAT Box's aliases.

If anyone is running into problems convincing Customers and/or bosses that the SMTP server is really OK even though SARA says that it's not, I have attached a shellscript that performs the same test that SARA does (only correctly!) and shows that the GNAT Box SMTP proxy does not relay (assuming that you have filled in the "domains to accept" box).

I have used this shellscript with bash under Linux. If you try to use it in another environment YMMV. Since I just threw it together as a proof-of-concept, don't expect it to win any points for style!

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]

--------------- CUT HERE ---------------
# Perform SMTP testing like relay.sara only slower
# (to make sure we get the last response before closing
# the SMTP connection)
if [ "$#" != 1 ]
then
  echo "Usage: $0 ip_address"
  exit 1
fi

# Each test case in the list below is three lines:
# MAIL FROM address, RCPT TO address, separator line.
while read mail_from
do
  read rcpt_to
  read junk
  (
    # Each command is echoed to stderr (so it shows on the terminal)
    # and to stdout (which is piped to telnet).
    sleep 2
    echo "helo nowhere.com" >&2
    echo "helo nowhere.com"
    sleep 1
    echo "MAIL FROM: $mail_from" >&2
    echo "MAIL FROM: $mail_from"
    sleep 1
    echo "RCPT TO: $rcpt_to" >&2
    echo "RCPT TO: $rcpt_to"
    # Wait long enough to see the server's reply before quitting.
    sleep 12
    echo quit >&2
    echo quit
  ) | telnet "$1" 25
  echo
done <<END
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<sara>
<[EMAIL PROTECTED]>

<>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<\"[EMAIL PROTECTED]\">

<[EMAIL PROTECTED]>
<\"sara%mail-abuse.org\">

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]@lynk.com>

<[EMAIL PROTECTED]>
<\"[EMAIL PROTECTED]\"@lynk.com>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]@lynk.com>

<[EMAIL PROTECTED]>
<@lynk.com:[EMAIL PROTECTED]>

<sara@>
<[EMAIL PROTECTED]@>

<[EMAIL PROTECTED]>
<mail-abuse.org!sara>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
END
--------------- CUT HERE ---------------
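
The script's header comment says it waits so that the last response arrives before the connection is closed. The following is an added example, not part of the original message and not SARA's code: a shell function that reads the server replies from one such telnet session and gives a verdict, treating a session in which the RCPT TO reply never arrived as inconclusive instead of as a relay. It assumes one HELO / MAIL FROM / RCPT TO / QUIT dialogue per session, as in the script; the function names, the address 192.0.2.10, the host mail.example.test and the sample sessions are constructed for illustration.

```shell
#!/bin/sh
# Added example: verdict for one relay probe, from the server replies only.
# stdin: stdout of one `telnet host 25` session driven like the script above.
relay_verdict() {
    tr -d '\r' | awk '
        # "NNN text" ends a reply; "NNN-text" continues a multi-line reply.
        /^[0-9][0-9][0-9]( |$)/ { n++; code[n] = substr($0, 1, 3) }
        END {
            # Reply order: 1 greeting, 2 HELO, 3 MAIL FROM, 4 RCPT TO, 5 QUIT.
            if (n < 4) { print "inconclusive"; exit }   # RCPT reply never seen
            c = substr(code[4], 1, 1)
            if (code[4] == "221")  print "inconclusive" # a reply went missing
            else if (c == "2")     print "accepted"
            else if (c == "5")     print "rejected"
            else                   print "inconclusive" # 4xx: temporary failure
        }'
}

# Constructed sample sessions (192.0.2.10 and example.test are placeholders).
sample_rejected() {
cat <<'EOF'
Trying 192.0.2.10...
Connected to 192.0.2.10.
Escape character is '^]'.
220-mail.example.test
220 SMTP proxy ready
250 hello
250 sender ok
550 relaying denied
221 closing connection
Connection closed by foreign host.
EOF
}

sample_cut_short() {   # connection closed before the RCPT TO reply arrived
cat <<'EOF'
220 SMTP proxy ready
250 hello
250 sender ok
Connection closed by foreign host.
EOF
}

sample_accepted() {
cat <<'EOF'
220 SMTP proxy ready
250 hello
250 sender ok
250 recipient ok
221 closing connection
EOF
}
```

Run `sample_rejected | relay_verdict` to try it; "accepted" only means the server returned a 2xx reply to RCPT TO for that sender and recipient pair.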
