The things you “leak”

On December 28, 2004, in Exchange, by

I’m bringing out to the blog an argument I’m having with someone on IM about the private versus “private” and Ipconfig posting issue just to make a point about the risks of life in general on the Internet.

I’m arguing that in a mere email, there is as much risk of information “leakage” about a firm as there is when we post in ipconfig in the newsgroups. 

Let me show you want I mean.  Send an email from your SBS firm network to an outside email box.  Open up the email and adjust it so you can see the headers [Outlook is a pain in the butt for doing this, Thunderbird much easier].

Okay let’s look at the clues that come from a email

  • Inside that email in your internal name.  Probably something.local or maybe .lan both clues that you are an SBS box.  Therefore there’s about a 99% chance that your internal IP address scheme is 192.168.16.x
  • Inside that email is your public IP address
  • Inside that email is the “stamp“ of what version of Exchange you are on.  So if I see “Produced by Microsoft Exchange V6.5.6944.0” or “Produced by Microsoft Exchange V6.5.7226” I know you either have or don’t have Exchange 2003 SP1.  [During the XP sp2 betas the beta testers would read the email headers of the MS folks and track what “next’ build number of XP sp2 they were on versus the beta participants…. sick puppies …weren’t we? 
  • Given that last I checked Dr. J’s job wasn’t to specifically target SBS boxes, I would argue that the fact that you can google the phrase “Remote Web Workplace“ and see potential SBS boxes and get just as much stuff from email headers that the risks are the in the same category. 

Will I still feel that way in a week…. a month… or a year… maybe not.  Probably not.  But I see that email headers “bleed out” just as much private information that we probably don’t realize.

So is Tony right about freaking out about ipconfig postings in the newsgroups?  Probably.  psssst.. just don’t anyone tell Tony I posted that….Jeff also states that to post that information indiscriminately in the newsgroup is not wise.  To post internal information in a public manner that is forever googlable is a bad idea.

But I would still argue that email is just as much of a “bleeder“ of information.

So …what do you disclose about YOUR firm by just sending emails?


10 Responses to The things you “leak”

  1. Wayne Small says:


    You can get as much info about your version of exchange even without an email – try doing a telnet to port 25 of your SBS box and that will show you what version your running. Information leakage is enormous if you know where to look. I was talking to this guy called David who works for our Dept of Defense, and they have their secret network totally isolated from the main LAN – no connectivity between them at all. A good hacker can use the information in your emails quite easily to get in, but they still need more info to actually do any real damage.

  2. Tony Su says:

    As I posted more completely in your other Blog topic (I encourage others to read that blog), I repeat that just because you’re leaking information in one place is <no reason> to willingly dump more information about yourself on the Internet.

    And, remember… everything you dump on the Internet lives forever… somewhere…

    Also, regarding your current post…

    – dotLocal and dotLAN are recommended names for all Windows Domains, not just SBS

    – There’s little excuse for most people to be using the 192.168.16 network ID. They do so only because they don’t know better. I have always consistently recommended changing it and have even suggested in my "Web Publishing Companyweb" paper that the SBS team should do something about this, too… for instance, assigning a network ID by random from a selection.

    – Public network IDs are fine. You often intentionally publicize it because that’s how others will find your server.

    – Yes, you identify your mailserver but if that’s a bugaboo to you, you can modify your server’s banner. Personally on an SBS I don’t bother to do that because I expose so much other information that identifies I’m running Microsoft technologies… like aspx websites, IIS webserver, the number and types of services I’m running.



  3. Susan says:

    .local and .lan are not typically seen by me in other "non" SBS domains.

    Your mileage may vary.

  4. Tim says:

    192.168 wont get routed by default across the internet anyways….., so whats the issue here?

    As a side note, I don’t think people knowing less about your network should be a form of security. A poor analogy could be that I know you drive a ford expedition, but I cant steal it, because you *lock* it. My point is that the difference between stealing your data and not stealing your data should not hinge on what IP scheme you are doing, which can be easily figured out by sniffing your unsecure wireless network, or walking into your office and using an available lan jack to sniff things out.

  5. Matt Gibson says:

    Security by obscurity is no security at all. Enough said.

  6. Tony Su says:

    Secure Computing is a relative term. As long as so much of the Internet requires no authentication (eg. SMTP, DNS) and as long as hackers discover new vulnerabilities particularly where they don’t have to be authenticated there is no reason to make it easy for malicious users.

    Remember, even people who write exploits look for low hanging fruit, and the more useful information about yourself is easy to acquire, the lower you are all the time.

    "Security by Obscurity" alone is insufficient, but it’s also a mistake to not include it in your overall Security Solution.

    I don’t want to discuss specific possibilities of exploiting a Host with a private address because it wouldn’t be responsible, but a general comment is that if what you say were true then there would not be any IDS technology, there would be no reason to patch/harden your machines behind a firewall, there would be no reason to run anti-virus or anti-spyware, there would be no reason to encypt your wireless LAN network.

    Tony Su

  7. Tim says:

    Perhaps the difference then is that in the newsgroup, people are asking for help with a problem, and should post complete, accurate information.

    If I ask someone for their ipconfig output, and they replace everything with x.x.x.x, what good does that do me, or them, from a troubleshooting standpoint.

    My internal ip range is 192.68.10,, default gateway is DNS is Primary DNS suffix is vekst.lan. Now armed with that info, what can you do with it?

  8. Tony Su says:

    Although I said I wouldn’t post a possible attack vector, because one isn’t all that technically original…

    I’d check out whether you’re running any kind of wireless. If you are located close enough to me, have information that’s valuable enough and I felt I could crack your wireless security (WEP and WPA are flawed, MAC addresses worse, not everyone is implementing 802.11i yet and I don’t know any SMB installs implementing RADIUS-backed 802.1x), I’d know exactly what machines to target in the underbelly of your network… the DG, at least one host workstation, maybe more. I could assign myself a workgroup name the same as your domain name and browse your machines although I wouldn’t be able to view resources on the machines without a User account, but be certain that if I have that much access to your network already it wouldn’t be long at all before your entire network is transparent.

    Note that although I’ve mentioned only a wireless way of getting into your network, don’t be misled that if you don’t run wireless you can’t be vulnerable… it’s only an example of one scenario and an imaginative SysAdmin and hacker should be able to easily dream up variations on the theme using other technologies.


  9. James B says:

    Oh if you really want to scream check this guy out…

    Think he is telling you enough about himself?

  10. James B says:

    You know I was taking a look at the Google hits and it would be very easy to make yourself harder to be found just by doing a few simple things to the RWW page.

    1. Change the Title of the page in the HTML.

    2. Change Username/Password to something less "googleable"

    Who are you:

    Secret Code:

    I think if I ever decide to allow direct connections to SBS and not via VPN (which is pretty stupid if you ask me) I would without a doubt make those changes.