here is something interesting. if anybody has come across a similar case, please update. thanks
> -----Original Message-----
> From: Moti Landes
> Sent: Thursday, July 31, 2003 11:20 PM
> To: '[EMAIL PROTECTED]'
>
> hi again,
> i have finally figured out what is going on with the SMTP issue of mine.
> just to remind you i am using a mail server that is behind a FW (cisco
> pix), port 25 is open.
> sending an email via WUG fails, and with simple telnet commands goes ok.
> here is the problem, and this needs to be fixed in the WUG application.
>
> i have recorded with a sniffer a typical notification test from wug, i
> will prove that you are doing something wrong in the product, that needs
> to be addressed.
>
> i will comment by each frame to make it easier to understand.
> (it would help if you open the email on full-screen so each frame will
> consume one full line)
>
> No.  Time       Source          Destination     Protocol  Info
> 1    0.000000   128.139.197.90  212.150.53.157  TCP       3331 > smtp [SYN] Seq=2248052841 Ack=3201267381 Win=65535 Len=0
>
> >>>here the test starts, wug is attempting to open port 25 on the mail
> server
>
> 2    0.000079   212.150.53.157  128.139.197.90  TCP       smtp > 3331 [SYN, ACK] Seq=1588681321 Ack=2248052842 Win=64240 Len=0
>
> >>>server answering with ACK
>
> 3    0.004806   128.139.197.90  212.150.53.157  TCP       3331 > smtp [ACK] Seq=2248052842 Ack=1588681322 Win=65535 Len=0
>
> >>>as the protocol defines, an ACK is sent in response to the SYN ACK
>
> 4    0.005505   212.150.53.157  128.139.197.90  SMTP      Response: 220 trafficmon.barak.net.il ESMTP Server Thu, 31 Jul 2003 15:03:44
>
> >>>once sent, the mail server responds with the 220 response code.
>
> 5    0.009702   128.139.197.90  212.150.53.157  SMTP      Command: HELO wug.iucc.ac.il
>
> >>>HERE THE PROBLEM STARTS !!!
> WUG apparently sends the HELO command w/o sending an ACK to the response
> 220 as defined in the protocol.
> the HELO command goes through and then the server answers as follows.
>
> 6    0.009800   212.150.53.157  128.139.197.90  SMTP      Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
>
> >>>the server is responding to the HELO command.
> >>>WUG is not responding with ACK, as he didn't in response to the 220
> response code.
>
> 7    2.416946   212.150.53.157  128.139.197.90  SMTP      Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
>
> >>>2.4 seconds go by, the server loses his patience since he has not
> received an ACK to the 250 response code, and sends it again.
>
> 8    2.424284   128.139.197.90  212.150.53.157  TCP       3331 > smtp [ACK] Seq=2248052897 Ack=1588681445 Win=65412 Len=0
>
> >>>ACK from WUG arrives.
> at this point the PIX understands that this is a SYN attack (something is
> not right) and he closes the thread for security reasons.
> by the way, after reviewing the debug log on the wug server, i find that
> WUG hears the response code 250 and attempts to send the SMTP command
> MAIL FROM:, but like i said at this point the thread is down already.
>
> 9    29.996634  212.150.53.157  128.139.197.90  TCP       smtp > 3331 [FIN, ACK] Seq=1588681445 Ack=2248052863 Win=64219 Len=0
>
> >>>after a timeout, the server takes the connection down.
>
> 10   30.000396  128.139.197.90  212.150.53.157  TCP       3331 > smtp [ACK] Seq=2248052897 Ack=1588681446 Win=65412 Len=0
>
> >>>WUG responds to that with an ACK
>
> THIS is why the mails are not going through.
> NOW to compare this to a good session i have recorded the same command
> from a telnet session.
> look how it is SUPPOSED to work, this is different to what WUG is doing.
>
> No.  Time       Source          Destination     Protocol  Info
> 1    0.000000   128.139.197.90  212.150.53.157  TCP       3561 > smtp [SYN] Seq=2498078836 Ack=3214579608 Win=65535 Len=0
> 2    0.000080   212.150.53.157  128.139.197.90  TCP       smtp > 3561 [SYN, ACK] Seq=2042140175 Ack=2498078837 Win=64240 Len=0
> 3    0.004141   128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078837 Ack=2042140176 Win=65535 Len=0
> 4    0.004841   212.150.53.157  128.139.197.90  SMTP      Response: 220 trafficmon.barak.net.il ESMTP Server Thu, 31 Jul 2003 15:19:27
> 5    0.203187   128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078837 Ack=2042140244 Win=65467 Len=0
>
> >>>look here, when doing this on a telnet session there is an ACK to the
> 220 response code
>
> 6    14.934140  128.139.197.90  212.150.53.157  SMTP      Command: HELO wug.iucc.ac.il
> 7    14.934355  212.150.53.157  128.139.197.90  SMTP      Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
> 8    15.089938  128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078858 Ack=2042140299 Win=65412 Len=0
>
> >>>look here, when doing this on a telnet session there is an ACK to the
> 250 response code
>
> 9    36.780857  128.139.197.90  212.150.53.157  SMTP      Command: MAIL FROM:[EMAIL PROTECTED]
> 10   36.782118  212.150.53.157  128.139.197.90  SMTP      Response: 250 sender is [EMAIL PROTECTED], sender ok
> 11   36.917938  128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078892 Ack=2042140348 Win=65363 Len=0
> 12   57.339365  128.139.197.90  212.150.53.157  SMTP      Command: RCPT TO:[EMAIL PROTECTED]
> 13   57.339761  212.150.53.157  128.139.197.90  SMTP      Response: 250 recipient is [EMAIL PROTECTED], recipient ok
> 14   57.538206  128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078925 Ack=2042140404 Win=65307 Len=0
> 15   61.053573  128.139.197.90  212.150.53.157  SMTP      Command: DATA
> 16   61.259526  212.150.53.157  128.139.197.90  TCP       smtp > 3561 [ACK] Seq=2042140404 Ack=2498078931 Win=64146 Len=0
> 17   61.378197  212.150.53.157  128.139.197.90  SMTP      Response: 354 OK End with <CRLF>.<CRLF>
> 18   61.561999  128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078931 Ack=2042140435 Win=65276 Len=0
> 19   68.120681  128.139.197.90  212.150.53.157  SMTP      Message Body
> 20   68.259899  212.150.53.157  128.139.197.90  TCP       smtp > 3561 [ACK] Seq=2042140435 Ack=2498078944 Win=64133 Len=0
> 21   71.439263  128.139.197.90  212.150.53.157  SMTP      EOM: .
> 22   71.441724  212.150.53.157  128.139.197.90  SMTP      Response: 250 Message accepted for delivery
> 23   71.620628  128.139.197.90  212.150.53.157  TCP       3561 > smtp [ACK] Seq=2498078947 Ack=2042140470 Win=65241 Len=0
>
> hope you resolve this ASAP.
>
> thanks
> --
> Greetings,
>
> Moti Landes
> Network Management & Corporate Computing
> Technology Division
> Barak 013 Israel
>
> Email: [EMAIL PROTECTED]
> WEB Page: http://www.barak013.net.il
> GSM Phone: +972 54 841108
