OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Pedro Quintanilha (PQuintanilhaabril.com.br)
Date: Fri May 24 2002 - 13:05:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi there!

    Iīve noted that Trendīs Interscan Viruswall has a horrendous "feature" in itīs WinNT/2K implementation, that is not present in *UX implementations.

    In the most instalations Interscan listens on port 25 (SMTP), receives the message, scan it, and then re-send it to the "real" SMTP daemon (listening on another port), preserving the SMTP-header present in the message.
    But, since it doesnīt includes a new line on SMTP-header with the senderīs IP, and doesnīt write any extra log including it (it just logs virus occurrences), the final message header will not contain the real senderīs IP!!

    In other words, if you want to trace-back the origin of a message, you cannot use the message header to discover the senderīs IP.

    Iīve consulted Trendīs support about that, and they say me that itīs a "product feature", *not* a bug.
    Well... If it is a "product feature", why itīs only present in the Win32 implementations, and not in *UX?

    Example:

    ===============================================================================================
    Microsoft Mail Internet Headers Version 2.0
    Received: from smtp.domain1.com ([172.0.0.1]) by internal.domain1.com with Microsoft SMTPSVC(5.0.2195.4905);
             Thu, 23 May 2002 20:02:08 -0300
    Received: from smtp.domain1.com ([172.0.0.1]) by smtp.domain1.com with Microsoft SMTPSVC(5.0.2195.2966);
             Thu, 23 May 2002 20:02:08 -0300
    Subject: Test
    ===============================================================================================

    In this header you see that the message was received by smtp.domain1.com from itself... it was registered by the SMTP daemon when it receives the Interscan (installed on the same machine) "re-transmition". Itīs ok, but, where is the original senderīs IP???

    Iīve tested it on a Interscan Viruswall 3.52 build 1375, but I think that itīs present on all Win32 versions.

    While Trend is a so-called security company, Iīm affraid about other hidden "features" in itīs products.

    Pedro Quintanilha
    Seguranįa da Informaįão
    Editora Abril s/a
    pquintanilhaabril.com.br
    +55-11-3037-4297