Gregory K. Ruiz-Ade wrote:
So, here's an interesting task I'm considering undertaking...
We have a Barracuda Spam Firewall in our department. Barracuda provides
a plugin for Outlook that allows you to "train" the device on a
per-message basis, right from your mailbox. My first inspections tell
me that the plugin is:
* Looking at header information to determine the URL with which to contact the appliance
* Looking at header information to uniquely identify the message
* Contacting the appliance using some HTTP-based protocol and sending a command
Additionally, the plugin does this without requiring any user
authentication with the appliance; apparently the information contained
in the message headers is "enough".
My goal is to sniff the transactions to determine the protocol, and then
use that information to (hopefully) be able to write plugins for
Thunderbird and Apple Mail to do the same thing, since most people here
use one or the other, and not Outlook.
Caveat: the connection is SSL-wrapped, so all I'll end up with are SSL
packets if I sniff the transaction with Wireshark. Granted, I haven't
dug into Wireshark at all beyond doing packet captures and basic
inspection and connection tracing, so I don't know... Will it decrypt an
SSL session? If it helps, I can have the SSL certificate used on the
appliance...
[snip]
I'm guessing that in order to test you need a Windows machine with
Outlook installed plus the plugin. I don't know where you would find the
RSA key from the plugin in order to decrypt the SSL session, but if
you do manage to find it Wireshark is capable of decrypting the stream.
See <http://wiki.wireshark.org/SSL> for more info.
This could be a case where you need to run Outlook under a debugger and
hook into the SSL before the data makes its way out of the machine. This
is pretty easy to do under WINE <http://www.winehq.org> and
<http://appdb.winehq.org/appview.php?iAppId=34> since you can turn on
the relay function and watch everything going to/from a DLL. I think
ReactOS <http://www.reactos.org> can do the same thing also, assuming
you can get Outlook to run. If WINE doesn't work, maybe the commercial
version "CrossOver Linux" from Codeweavers might work better.
Gus
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
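An added example, not part of the thread and not the plugin's or WINE's own code: a `WINEDEBUG=+relay wine outlook.exe 2> relay.log` trace of a whole Outlook session is enormous, so the first tool you want is a filter that keeps only the calls into one DLL, pairs each Call with its Ret, and pulls out the string arguments (host, path, headers). The sample lines below are constructed for this example in WINE's relay format (`tid:Call dll.Func(args) ret=addr` and `tid:Ret  dll.Func() retval=... ret=addr`); the wininet functions, host name and path are assumptions, since nothing in the thread says which DLL the plugin actually uses. The trailing Call without a Ret stands in for a trace that was cut off mid-call.

```python
import re
from collections import defaultdict

# Constructed sample of a WINEDEBUG=+relay trace, written for this example;
# it was not captured from the Barracuda plugin. The DLL (wininet), host and
# path are illustrative assumptions. 01bb is port 443; 00800000 is
# INTERNET_FLAG_SECURE, i.e. the request goes over SSL.
SAMPLE_RELAY_LOG = """\
0009:Call KERNEL32.GetTickCount() ret=7b86e5b1
0009:Ret  KERNEL32.GetTickCount() retval=00000e41 ret=7b86e5b1
0009:Call wininet.InternetConnectA(00cc0004,0032f0a8 "appliance.example.invalid",01bb,00000000,00000000,00000003,00000000,00000000) ret=10002345
0009:Ret  wininet.InternetConnectA() retval=00cc0008 ret=10002345
0009:Call wininet.HttpOpenRequestA(00cc0008,0032f0c0 "POST",0032f0d0 "/example/path",00000000,00000000,00000000,00800000,00000000) ret=10002398
0009:Ret  wininet.HttpOpenRequestA() retval=00cc000c ret=10002398
0009:Call wininet.HttpSendRequestA(00cc000c,0032f100 "Content-Type: application/x-www-form-urlencoded",ffffffff,0032f200,0000002a) ret=100023f1
0009:Ret  wininet.HttpSendRequestA() retval=00000001 ret=100023f1
0009:Call wininet.InternetReadFile(00cc000c,0032f300,00001000,0032f400) ret=10002450
"""

# One relay line: thread id, Call/Ret, module.function, argument list,
# optional retval (Ret lines only) and the caller's return address.
RELAY_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+"
    r"(?P<dll>[^.\s(]+)\.(?P<func>\w+)\((?P<args>.*)\)"
    r"(?: retval=(?P<retval>[0-9a-f]+))? ret=(?P<retaddr>[0-9a-f]+)$"
)
# Relay prints pointer-to-string arguments as: address "contents"
STRING_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_relay(text):
    """Parse relay lines into dicts; other debug output in the log is skipped."""
    records = []
    for line in text.splitlines():
        m = RELAY_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def pair_calls(records):
    """Match each Ret with the most recent unmatched Call of the same function
    on the same thread (calls nest, so a per-key stack is used). Calls still
    open at the end of the trace, e.g. because the capture stopped mid-call,
    are dropped rather than reported with a bogus return value."""
    open_calls = defaultdict(list)
    pairs = []
    for rec in records:
        key = (rec["tid"], rec["dll"], rec["func"])
        if rec["kind"] == "Call":
            open_calls[key].append(rec)
        elif open_calls[key]:
            pairs.append((open_calls[key].pop(), rec))
    return pairs


def extract_strings(args):
    """Return the quoted string arguments, in order, from a Call's argument list."""
    return STRING_ARG_RE.findall(args)


def summarize(text, dll):
    """(function, string arguments, return value) for every completed call
    into `dll`, which is matched case-insensitively (relay prints module
    names as they appear in the import table, e.g. KERNEL32 vs wininet)."""
    records = [r for r in parse_relay(text) if r["dll"].lower() == dll.lower()]
    return [(call["func"], extract_strings(call["args"]), ret["retval"])
            for call, ret in pair_calls(records)]


if __name__ == "__main__":
    for func, strings, retval in summarize(SAMPLE_RELAY_LOG, "wininet"):
        print(f"{func:<20} retval={retval} {strings}")
```

Run against a real relay log, the host and path strings tell you which URL the plugin builds from the headers, and the request handle (the retval of `HttpOpenRequestA`) lets you follow the same request through `HttpSendRequestA` and the reads that follow, all before wininet hands the bytes to the SSL layer. If the plugin turns out to use a different HTTP or SSL DLL, only the `dll` argument changes.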