
Fingerprinting the World's Mail Servers (O'Reilly)

Ken Simpson and Stas Bekman discuss a survey of the most popular mail server programs on the net, in which open-source software dominates the arena. "This summer, the sales staff at MailChannels came to the dev team with an urgent request: "Can you tell us which companies are running Sendmail? If we could know that, it would be so much easier to sell our Sendmail-compatible product." For those of us who understand the SMTP protocol, the answer was, of course, a resounding "Yes." Most mail servers announce their identity when you connect to them on TCP port 25. The dev team decided that this was a summer science project they just had to get on top of. We even gave the science project a name: PingedIn, and we hope to provide more dynamic content on our skeletal website."


Fingerprinting the World's Mail Servers (O'Reilly)

Posted Jan 10, 2007 18:56 UTC (Wed) by pheldens (guest, #19366) [Link] (4 responses)

So they cooperated in a, be it targeted, unsolicited email solution, thanks guys.

Not spam?

Posted Jan 11, 2007 2:29 UTC (Thu) by Max.Hyre (subscriber, #1054) [Link] (3 responses)

If they have a clue (and it sounds as if they do), they're sending precisely zero emails. As they note, MTAs typically announce their identities at connection time. For instance:

mhyre@sandia:~$ telnet debian.org 25
Trying 192.25.206.10...
Connected to debian.org.
Escape character is '^]'.
220 gluck.debian.org ESMTP Exim 4.50 Wed, 10 Jan 2007 19:18:31 -0700
quit
221 gluck.debian.org closing connection
Connection closed by foreign host.
mhyre@sandia:~$

We just said ``hi'' to the mail server. It told us it's gluck's ESMTP server, running Exim, and we said ``bye''. This isn't spam, just as pinging a host to see whether it's up isn't a portscan attack.

Not spam?

Posted Jan 11, 2007 8:46 UTC (Thu) by pheldens (guest, #19366) [Link] (2 responses)

No, I mean the end goal: they are targeting mail server admins with their advertisement crap.

Not necessarily

Posted Jan 11, 2007 16:00 UTC (Thu) by AnswerGuy (guest, #1256) [Link]

They said that their marketing team asked them to help develop a list of targets. They did not say how the target market was reached.

If I were selling a "sendmail compatible product" then it would be quite reasonable of me to create a list of sendmail users from a list of companies ... and then to contact them using paper mail or other out-of-band means.

Also B2B marketing is not "spam" in the normal sense of the term.

While I personally prefer a "don't call us ... we'll find you" business strategy ... even in my B2B (business-to-business) transactions, it's hard to be too harsh on one company contacting other companies which are reasonable prospective customers. ("Reasonable" can be a bit vague ... but let's allow that for now).

JimD

Sure, but...

Posted Jan 11, 2007 17:14 UTC (Thu) by gvy (guest, #11981) [Link]

...what else could you expect of a "marketing dept"? These poor bastards have to invent another crap to push down throats, crappy way. OTOH those who are getting hired to produce that crap wouldn't earn their bread without marketing, and those who can both "work by conscience" (as Russians say) *and* get the product to customers are very rare these days.

And sendmail is just about as stinky as basically anything those marketdroids would push, so why worry... those concerned have migrated to "sendmail-compatible" postfix ages ago; only insane vendors like Red Hat are still spreading this plague by default. *That* is worth worrying about, to some extent.

Interesting result, although it's hard to say what they were measuring

Posted Jan 10, 2007 20:58 UTC (Wed) by nigelm (subscriber, #622) [Link]

It looks like they tried to identify the incoming main MX hosts for a set of companies. This would have no weighting by amount of mail any host/domain moves, and might well completely bypass the large ISPs (whose customers may be in completely different domains).

Postini is split out, but not (for example) Messagelabs (who have their own server banner, but I believe run qmail - can't imagine why).

Maybe I should spend a little while identifying the hosts that send us mail - might well be an interesting mix and can probably be almost entirely done by ferreting in the received headers.
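Both techniques raised in this thread, the port-25 greeting grab shown in the telnet transcript above and the Received-header ferreting suggested here, in one added Python example. This is not code from the O'Reilly article, from MailChannels' PingedIn, or from any commenter. Only the Exim greeting from gluck.debian.org is taken from the page; every other banner, hostname and the sample message are constructed for illustration, and the signature patterns are assumptions about each product's usual default output, not an authoritative list.

```python
"""SMTP banner and Received-header fingerprinting (added example, not the
article's or MailChannels' code).  Only the gluck.debian.org greeting is quoted
from the LWN page; all other data below is constructed, and the signature
patterns are assumptions about each product's default output."""
import re
import socket
from email.parser import HeaderParser

# (product, pattern) in priority order; the first match wins.  The version-only
# form "(8.13.8/8.13.8)" is how a default Sendmail writes its Received header,
# so it is matched even when the word "Sendmail" is absent.  "Exchange" can
# also hit a hostname that merely contains the word, so treat it as a hint.
SIGNATURES = [
    ("Exim", re.compile(r"\bExim\b", re.I)),
    ("Postfix", re.compile(r"\bPostfix\b", re.I)),
    ("Sendmail", re.compile(r"\bSendmail\b|\(\d+\.\d+\.\d+/\d+\.\d+\.\d+\)", re.I)),
    ("qmail", re.compile(r"\bqmail\b", re.I)),
    ("Exchange", re.compile(r"Microsoft (?:ESMTP|SMTP) MAIL Service|\bExchange\b", re.I)),
    ("Postini", re.compile(r"\bPostini\b", re.I)),
]


def classify(text):
    """Map free text (a greeting or a Received clause) to an MTA family."""
    for product, pattern in SIGNATURES:
        if pattern.search(text):
            return product
    return "unknown"


def parse_banner(raw):
    """Parse the greeting a server sends before the client has said anything.

    Returns (code, hostname, product).  Joins multi-line "220-" greetings and
    returns "unknown" for a bare "220 host ESMTP" that names no software.
    """
    lines = raw.decode("ascii", "replace").splitlines()
    if not lines or not re.match(r"\d{3}[ -]", lines[0]):
        raise ValueError("not an SMTP greeting: %r" % raw[:40])
    code = lines[0][:3]
    text = " ".join(line[4:] for line in lines if line.startswith(code))
    words = text.split()
    hostname = words[0] if words else ""
    return int(code), hostname, classify(text)


def grab_banner(host, port=25, timeout=5.0):
    """Live version of the telnet session: connect, read, QUIT.  Needs network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        raw = b""
        # The last line of a multi-line reply has a space after the code.
        while not re.search(rb"^\d{3} .*\r?\n", raw, re.M):
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        sock.sendall(b"QUIT\r\n")
    return parse_banner(raw)


# Each Received: header is written by the host in its "by" clause, so the
# comment after that clause fingerprints *that* host's MTA.  The header below
# your own server's is therefore the one that reveals the sender's software.
RECEIVED_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)\s*(?P<rest>.*)", re.S)


def received_chain(message_text):
    """Return [(by_host, product), ...] top-down from a message's Received headers."""
    msg = HeaderParser().parsestr(message_text)
    chain = []
    for header in msg.get_all("Received") or []:
        match = RECEIVED_RE.search(" ".join(header.split()))
        if match:
            chain.append((match.group("by"), classify(match.group("rest"))))
    return chain


# Constructed samples; "gluck" is the greeting quoted in the thread above.
SAMPLE_BANNERS = {
    "gluck": b"220 gluck.debian.org ESMTP Exim 4.50 Wed, 10 Jan 2007 19:18:31 -0700\r\n",
    "postfix": b"220 mx.example.com ESMTP Postfix\r\n",
    "sendmail": b"220 mail.example.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 11 Jan 2007 10:00:00 -0500\r\n",
    "exchange": b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n",
    "hidden": b"220-mx.example.net ESMTP\r\n220 no banner for you\r\n",
}

SAMPLE_MESSAGE = (  # constructed: a Sendmail host relaying through a Postfix MX
    "Received: from mx.example.com (mx.example.com [192.0.2.10])\n"
    "\tby mx1.example.net (Postfix) with ESMTP id 7A1B2C3D\n"
    "\tfor <user@example.net>; Thu, 11 Jan 2007 10:05:00 +0000\n"
    "Received: from workstation.example.com (workstation.example.com [192.0.2.55])\n"
    "\tby mx.example.com (8.13.8/8.13.8) with ESMTP id l0BA4xyz012345\n"
    "\tfor <user@example.net>; Thu, 11 Jan 2007 10:04:59 +0000\n"
    "From: someone@example.com\nSubject: hello\n\n"
)

if __name__ == "__main__":
    for name, raw in SAMPLE_BANNERS.items():
        print(name, parse_banner(raw))
    print(received_chain(SAMPLE_MESSAGE))
```

The "hidden" sample is the practical caveat: an administrator can replace the greeting with anything, and the banner only ever describes the host that answered on port 25, so a public MX front-end says nothing about the server behind it. Received headers go one hop deeper because each relay writes its own, but they are just as easy to edit or strip at a border gateway, so treat both as hints rather than proof.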

MessageLabs

Posted Jan 10, 2007 21:37 UTC (Wed) by ttul (guest, #42683) [Link] (5 responses)

MessageLabs should have received a higher weighting in our survey -- the problem was that our source data was a company list focused mostly on North America. MessageLabs has lots of European and Asian companies that were not surveyed by us.

I have invited them, and I openly invite anyone else to provide us with a comprehensive world-wide company database and we will gladly survey it and post the results.

-- Ken Simpson, Founder and CEO, MailChannels

MessageLabs

Posted Jan 10, 2007 22:07 UTC (Wed) by man_ls (guest, #15091) [Link]

It would be opening your clients up for spam. I expect they should refuse or suffer the ensuing bad karma.

MessageLabs

Posted Jan 11, 2007 0:11 UTC (Thu) by sjlyall (guest, #4151) [Link] (1 responses)

Ken,

Will you be providing more details of the tests you used to identify the different software? This would be very useful for similar projects.

MessageLabs

Posted Jan 12, 2007 2:15 UTC (Fri) by vonbrand (subscriber, #4458) [Link]

This is something that nmap does. I wonder if they looked at its MTA-detection (and if found lacking, contributed their own rules).

MessageLabs

Posted Jan 11, 2007 19:21 UTC (Thu) by kh (guest, #19413) [Link] (1 responses)

I wish you had not used a pie chart that did not add up to 100% (63.6%?) but maybe that is just misleading to me. Otherwise I enjoyed the article.

I am actually surprised that Exchange is out naked on as many sites as it is.

MessageLabs

Posted Jan 12, 2007 18:37 UTC (Fri) by rahvin (guest, #16953) [Link]

It's the first thing I noticed and I can't help but stop reading an article where they have a pie chart that is a whole pie and only adds up to 2/3rds of the pie. Either someone can't do percentages correctly or they failed to include crucial information about the pie chart, either way the article committed suicide.

Some of the world uses multiple mail servers

Posted Jan 13, 2007 17:16 UTC (Sat) by dps (guest, #5725) [Link]

I happen to be the system admin of a domain, which they may or may not have fingerprinted. If they did, they would imagine it runs postfix, as both the public MX servers do.

The internal mail server, where the mail boxes reside, runs MailScanner, SpamAssassin, a couple of AV products and sendmail. You can not talk to this box directly, or know it is an MX, because it is only listed in the internal DNS information, firewalled, in private IP space, and the check_* rulesets do not allow it.

This illustrates that the resounding "Yes" might be a little less resounding than the MailChannels people imagine.


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds