I sent this to the group last night, but the listserver doesn't like
attachments, so I had to copy and paste my shellscript into the email.

If anyone out there is using SARA (http://www-arc.com/sara/sara.html)
to check the security of the GNAT Box, you should be aware that the
two latest versions of SARA (sara-3.1.5 and sara-3.1.6) can return a
false positive indicating that the GNAT Box SMTP proxy can be used as a
spam relay.  So far, I have only seen this happen when scanning one of
the GNAT Box's aliases.

If anyone is running into problems convincing Customers and/or bosses
that the SMTP server is really OK even though SARA says that it's not,
I have attached a shellscript that performs the same test that SARA
does (only correctly!) and shows that the GNAT Box SMTP proxy does not
relay (assuming that you have filled in the "domains to accept" box).

I have used this shellscript with bash under Linux.  If you try to
use it in another environment YMMV.  Since I just threw it together as
a proof-of-concept, don't expect it to win any points for style!

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]




---------------  CUT HERE  ---------------
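#!/bin/bash
# Perform SMTP testing like relay.sara only slower
# (to make sure we get the last response before closing
# the SMTP connection)
if [ "$#" != 1 ]
then
   echo "Usage: $0 ip_address"
   exit 1
fi

# Each test case in the here-document below is three lines:
# the MAIL FROM address, the RCPT TO address, and a blank separator.
# read is used without -r on purpose, so that \" in the data becomes ".
while read mail_from
do
   read rcpt_to
   read junk

   # Every command is echoed to stderr (so it shows on the terminal)
   # and to stdout (which is piped to telnet).  The sleeps give the
   # server time to answer before the next command or the final quit.
   ( sleep 2
     echo "helo nowhere.com" >&2
     echo "helo nowhere.com"
     sleep 1
     echo "MAIL FROM: $mail_from" >&2
     echo "MAIL FROM: $mail_from"
     sleep 1
     echo "RCPT TO: $rcpt_to" >&2
     echo "RCPT TO: $rcpt_to"
     sleep 12
     echo "quit" >&2
     echo "quit"
   ) | telnet "$1" 25
   echo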
done <<END
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<sara>
<[EMAIL PROTECTED]>

<>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

<[EMAIL PROTECTED]>
<\"[EMAIL PROTECTED]\">

<[EMAIL PROTECTED]>
<\"sara%mail-abuse.org\">

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]@lynk.com>

<[EMAIL PROTECTED]>
<\"[EMAIL PROTECTED]\"@lynk.com>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]@lynk.com>

<[EMAIL PROTECTED]>
<@lynk.com:[EMAIL PROTECTED]>

<sara@>
<[EMAIL PROTECTED]@>

<[EMAIL PROTECTED]>
<mail-abuse.org!sara>

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

END
---------------  CUT HERE  ---------------
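
Added example (not part of the original message and not SARA's code): a small sh function that reads the transcript of one test from the script above and reports whether RCPT TO was accepted, refused, or never answered, so that a session which ends before the last response is not read as a relay. The transcript layout, host names and addresses are constructed assumptions.

```shell
#!/bin/sh
# Classify one relay-test transcript read from stdin.
# Assumed layout: client commands and server replies, one per line, in the
# order they appeared on the terminal. Replies are matched to commands in
# order, so a "quit" echoed before the RCPT TO reply does not confuse it.
relay_verdict() {
    cr=$(printf '\r')
    pending=""      # commands sent but not yet answered, oldest first
    rcpt_reply=""   # final reply code the server gave to RCPT TO
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}              # telnet output may end lines with CR
        case "$line" in
            [0-9][0-9][0-9]-*)
                ;;                      # multi-line reply: wait for its last line
            [0-9][0-9][0-9]|[0-9][0-9][0-9]\ *)
                if [ -n "$pending" ]; then      # empty queue: the 220 greeting
                    cmd=${pending%% *}
                    pending=${pending#"$cmd"}; pending=${pending# }
                    if [ "$cmd" = rcpt ]; then rcpt_reply=${line%"${line#???}"}; fi
                fi ;;
            [Rr][Cc][Pp][Tt]\ *)
                pending="${pending:+$pending }rcpt" ;;
            [Hh][Ee][Ll][Oo]*|[Ee][Hh][Ll][Oo]*|[Mm][Aa][Ii][Ll]\ *|[Qq][Uu][Ii][Tt]*)
                pending="${pending:+$pending }other" ;;
        esac                            # anything else is telnet chatter
    done
    case "$rcpt_reply" in
        "")  echo inconclusive ;;   # session ended before RCPT TO was answered
        2??) echo accepted ;;       # recipient accepted: the relay finding stands
        *)   echo refused ;;        # 4xx/5xx: recipient was not accepted
    esac
}

# Constructed sample transcript (host names and addresses are made up).
sample_transcript() {
cat <<'EOF'
220 gw.example.test SMTP ready
helo nowhere.com
250 gw.example.test
MAIL FROM: <tester@example.test>
250 sender ok
RCPT TO: <someone@elsewhere.example>
550 relaying denied
quit
221 closing
EOF
}

sample_transcript | relay_verdict    # prints: refused
```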
