You're talking about outbound, for which port scanning is not relevant. The 
text "One can connect to the
server with HELLO call" also refers to a TCP/IP connection, not to sending a 
SPOOL file. 


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
ITschak Mugzach <[email protected]>
Sent: Thursday, July 12, 2018 3:06 PM
To: [email protected]
Subject: Re: Seeking a tool to do a network security scan of z/OS

Shmuel,

The SMTP server is mainly spool based. So you can create a text file
(defined in the RFC you mentioned), write it to the spool in the writer and
class used by the server, and it will be sent. You can use a fake name and
fake domain (the server will state "I don't know you", but will send the
message).

SMTP is so easy to penetrate if you don't have a security exit developed &
installed. I once unloaded the security database of a client and sent part
of it to his GMAIL account. Guess what: his Exchange was configured as a mail
relay as well! Clients do stupid things. I told you, this is how I refill
my ref. This is what we do most of the time in Israel & Europe.

ITschak

On Thu, Jul 12, 2018 at 8:14 PM Seymour J Metz <[email protected]> wrote:

> If it works it's because they didn't properly configure the server. Just
> connecting to the server isn't enough to send an e-mail to it. RFC 4954
> came out in July 2007 and RFC 2554 came out in March 1999. sendmail has
> supported it since 8.10.
>
>
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf
> of ITschak Mugzach <[email protected]>
> Sent: Thursday, July 12, 2018 1:08 PM
> To: [email protected]
> Subject: Re: Seeking a tool to do a network security scan of z/OS
>
> Shmuel,
>
> I refill the refrigerator doing pentests. I have done this and many other
> attacks on clients' mainframes and in 90% of the cases, I am able to send
> emails using the mainframe SMTP configured as an MTA. If you look at your
> SMTP server log you might see some TCP connections (bingo!) or just users
> who write a different domain name in the from clause.
>
> Trust me, it works.
>
> ITschak
>
> On Thu, Jul 12, 2018 at 6:36 PM Seymour J Metz <[email protected]> wrote:
>
> > Does your SMTP server not do authentication? That would certainly get the
> > auditors' attention.
> >
> > Do your users respond to phish attempts? Another security problem, and one
> > that has nothing to do with the mainframe.
> >
> > I suppose it's too much to expect for users to look at the trace fields to
> > determine the provenances of messages.
> >
> >
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > ________________________________________
> > From: IBM Mainframe Discussion List <[email protected]> on behalf
> > of ITschak Mugzach <[email protected]>
> > Sent: Wednesday, July 11, 2018 4:35 PM
> > To: [email protected]
> > Subject: Re: Seeking a tool to do a network security scan of z/OS
> >
> > Do you mean outside of the mainframe? Not as a single package, but NMAP
> > will show you which ports are opened on the mainframe. If your mainframe
> > answers the scan, you already have a problem... Now assume that port 25 is
> > open and your mail server is configured as an MTA. One can connect to the
> > server with HELLO call and send emails under fake name and domain as spam
> > to collect userids, passwords and other secrets.
> >
> > It's a good idea to have an extra agent to IronSphere to do that -)
> >
> > ITschak
> >
> > On Wed, Jul 11, 2018 at 9:53 PM Dyck, Lionel B. (RavenTek) <
> > [email protected]> wrote:
> >
> > > Is there a tool available that can do a network security scan of a z/OS
> > > system to identify network vulnerabilities?
> > >
> > > thanks
> > >
> > >
> > > ----------------------------------------------------------------------
> > > Lionel B. Dyck (Contractor)  <sdg><
> > > Mainframe Systems Programmer - RavenTek Solution Partners
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
> > >
> >
> >
> > --
> > ITschak Mugzach
> > *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
> > for Legacy **|  *
> >
>
>
> --
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
> for Legacy **|  *
>


--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Contiguous Monitoring
for Legacy **|  *
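
The two log signals raised in this thread (unauthenticated TCP submissions being relayed, and spool-submitted mail carrying a foreign domain in the From clause) can be checked mechanically. The following is an added example, not part of any poster's message: the log format, the `LOCAL_DOMAINS` set and all sample records are constructed assumptions, since the thread does not show a real SMTP server log.

```python
import re

# Assumption: the site's own mail domains. Replace with the real list.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample records in a simplified, hypothetical format:
# one line per accepted message. Real server logs need their own parser.
SAMPLE_LOG = """\
2018-07-12T10:01:07 src=tcp:10.1.2.3 auth=jsmith from=<jsmith@example.com> to=<ops@example.com>
2018-07-12T10:02:41 src=tcp:192.0.2.77 auth=- from=<ceo@example.org> to=<victim@example.net>
2018-07-12T10:03:15 src=spool:BATCH01 auth=- from=<payroll@example.org> to=<staff@example.net>
2018-07-12T10:04:02 src=tcp:10.1.2.9 auth=- from=<cron@example.com> to=<ops@example.com>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<kind>tcp|spool):(?P<origin>\S+) auth=(?P<auth>\S+) "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$"
)

def domain(addr):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def audit(log_text, local_domains=LOCAL_DOMAINS):
    """Return (timestamp, origin, [findings]) for each suspicious record."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a message record
        findings = []
        sender_local = domain(m["sender"]) in local_domains
        rcpt_local = domain(m["rcpt"]) in local_domains
        # Mail accepted over TCP with no SMTP AUTH and passed on to an
        # outside domain: the server is acting as an open relay.
        if m["kind"] == "tcp" and m["auth"] == "-" and not rcpt_local:
            findings.append("unauthenticated-relay")
        # Locally spooled mail whose From domain is not one of ours.
        if m["kind"] == "spool" and not sender_local:
            findings.append("sender-domain-mismatch")
        if findings:
            results.append((m["ts"], f'{m["kind"]}:{m["origin"]}', findings))
    return results

if __name__ == "__main__":
    for ts, origin, findings in audit(SAMPLE_LOG):
        print(ts, origin, ", ".join(findings))
```
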
