So, here's an interesting task I'm considering undertaking...
We have a Barracuda Spam Firewall in our department. Barracuda provides a plugin for Outlook that allows you to "train" the device on a per-message basis, right from your mailbox. My first inspections tell me that the plugin is:
* Looking at header information to determine the URL with which to contact the appliance
* Looking at header information to uniquely identify the message
* Contacting the appliance using some HTTP-based protocol and sending a command
Additionally, the plugin does this without requiring any user authentication with the appliance; apparently the information contained in the message headers is "enough".
My goal is to sniff the transactions to determine the protocol, and then use that information to (hopefully) be able to write plugins for Thunderbird and Apple Mail to do the same thing, since most people here use one or the other, and not Outlook.
Caveat: the connection is SSL-wrapped, so all I'll end up with are SSL packets if I sniff the transaction with Wireshark. Granted, I haven't dug into Wireshark at all beyond doing packet captures and basic inspection and connection tracing, so I don't know... Will it decrypt an SSL session? If it helps, I can have the SSL certificate used on the appliance...
Here are the headers that the Barracuda adds (outside of additional Received: headers):
X-ASG-Debug-ID: 1173457802-428f005a0000-ipZK9I
X-Barracuda-URL: http://cse-barracuda.ucsd.edu:80/cgi-bin/mark.cgi
X-Barracuda-Connect: mailbox3.ucsd.edu[132.239.1.55]
X-Barracuda-Start-Time: 1173457802
X-Barracuda-Encrypted: DHE-RSA-AES256-SHA
X-ASG-Orig-Subj: Happy Friday!!!
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at cs.ucsd.edu
X-Barracuda-Spam-Score: 1.39
X-Barracuda-Spam-Status: No, SCORE=1.39 using global scores of TAG_LEVEL=5.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=1000.0 tests=HTML_IMAGE_ONLY_24, HTML_MESSAGE, PLING_PLING
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.10780
    Rule breakdown below
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
    0.93 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
    0.00 HTML_MESSAGE           BODY: HTML included in message
    0.46 PLING_PLING            Subject has lots of exclamation marks
I'm thinking that the unit might use the Message-ID: header to identify the message, but message IDs are not guaranteed to be unique. Not sure if that really matters in the grand scheme of things... Perhaps it's a mix of Message-ID: and X-Barracuda-Start-Time: headers, which might be unique _enough_.
Gregory -- Gregory K. Ruiz-Ade <[EMAIL PROTECTED]> OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
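As an added example (not from the post, and not Barracuda's plugin code), a Python sketch of the first step a Thunderbird or Apple Mail helper would need: pull the appliance URL, Message-ID and X-Barracuda-Start-Time out of a message's headers and build the "unique enough" key proposed above, while only accepting an X-Barracuda-URL whose host matches the site's own appliance, since those headers arrive inside the message itself. The sample message and the TRUSTED_APPLIANCES set are constructed for the example.

```python
import email
from email import policy
from urllib.parse import urlsplit

# Constructed sample headers, modelled on the ones quoted in the post.
RAW = """\
Message-ID: <constructed-12345@example.invalid>
X-ASG-Debug-ID: 1173457802-428f005a0000-ipZK9I
X-Barracuda-URL: http://cse-barracuda.ucsd.edu:80/cgi-bin/mark.cgi
X-Barracuda-Start-Time: 1173457802
X-Barracuda-Spam-Score: 1.39
X-Barracuda-Spam-Status: No, SCORE=1.39 using global scores of TAG_LEVEL=5.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=1000.0 tests=HTML_IMAGE_ONLY_24, HTML_MESSAGE, PLING_PLING
Subject: Happy Friday!!!

(body omitted)
"""

# Assumption: the hosts a client is willing to send a "mark" command to.
TRUSTED_APPLIANCES = {"cse-barracuda.ucsd.edu"}


def extract_mark_info(raw, trusted=TRUSTED_APPLIANCES):
    """Return the fields a training plugin would need, or None if the
    message never passed through a Barracuda (no X-Barracuda-URL)."""
    msg = email.message_from_string(raw, policy=policy.default)
    url = msg.get("X-Barracuda-URL")
    if url is None:
        return None
    host = urlsplit(str(url)).hostname
    status = str(msg.get("X-Barracuda-Spam-Status", ""))
    # The rule list sits after "tests=" as a comma-separated tail.
    tests = []
    if "tests=" in status:
        tail = status.split("tests=", 1)[1]
        tests = [t.strip() for t in tail.split(",") if t.strip()]
    message_id = str(msg.get("Message-ID", ""))
    start_time = str(msg.get("X-Barracuda-Start-Time", ""))
    return {
        "mark_url": str(url),
        "appliance": host,
        # Only contact the appliance when the header names a known host.
        "trusted": host in trusted,
        "message_id": message_id,
        "debug_id": str(msg.get("X-ASG-Debug-ID", "")),
        "start_time": int(start_time),
        # Message-ID plus Start-Time: the "unique enough" key from the post.
        "candidate_key": f"{message_id}|{start_time}",
        "score": float(str(msg.get("X-Barracuda-Spam-Score", "0"))),
        "tests": tests,
    }
```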
