Mailing List SIMS@mail.stalker.com Message #15453
From: Bill Cole <listbill@scconsult.com>
Subject: Re: comments please
Date: Tue, 20 Feb 2007 13:44:54 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 12:07 PM -0500 2/20/07, Stefan Jeglinski wrote:
Wanted to run this by everyone in case I'm missing something. I'm tempted to ask for ideas on dirty tricks to play, but that would not be appropriate, now would it...

Most certainly not. It is always tempting, but never a good idea...

I have a correspondent, dbrown@vifprogram.com (please do not send e-mail to her). She is mostly computer illiterate, but sometimes seems to know more than her mail admins. We've noticed for some time that only a relatively small fraction of my e-mails get to her, and I never get bounces. Often, she tells me that their e-mail is "messed up," and recently they did "a big upgrade" which broke things pretty badly, but now she says it mostly seems to work. Except for me. Well, I finally did some investigating, and found out what at least part of the problem was. At the end of this message, I include an e-mail I telnetted directly to their primary so I knew she would get it. She indeed did, and took it to her IT people. They hemmed and hawed, and she said it didn't seem like they really understood what I was saying. If that's true, they are in bad shape. They are a 100% Microsoft shop. By dint of what they do, their company gets e-mails from around the world, but I suspect they are not receiving more than a few.

But I wanted to get opinions here - is there anything else I can do probe-wise or otherwise for fun or science, e.g. probe what version of server they are using on their primary, since they are obviously obfuscating it? I don't really want to go to them directly now (postmaster), since they know I will be connected to her, and frankly, if they get their toes stepped on, I don't want her to suffer for it.

[...]

Also, mail2.vifprogram.com is in violation of the spirit of RFC2821 for not providing a domain name in the initial 220 response. You can obfuscate which Microsoft mail server is in use if you like, but at least try to be good netizens :-)


The typical cause of what you see there (all asterisks) is the use of a misfeature of the Cisco PIX firewall called "SMTP fixup" whereby the PIX does a line-by-line proxying of all of the SMTP commands and responses, intentionally breaking things which are not deemed safe or essential by the people at Cisco who clearly know absolutely nothing about SMTP. The breakage of the banner is just the beginning and no one should ever use that setting of the PIX. Among other absurd nastiness, it breaks if the entire terminating '\r\n.\r\n' is broken up between more than one TCP segment or IP datagram.

It is extremely common for organizations with amateur firewall admins to choose the PIX, leave the SMTP 'fixup' on, and scratch their heads for months about the double-digit percentages of mail they never see before getting the message that Cisco screwed this idea up so badly and famously that they've never even bothered a serious attempt at fixing it.

--
Bill Cole                                  bill@scconsult.com
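As an added illustration (not code from the list or its posters) of the two symptoms Bill describes: a check that classifies an SMTP 220 greeting as compliant, lacking a domain, or asterisk-masked in the way a PIX 'fixup' banner appears, and a DATA-terminator search that still finds '\r\n.\r\n' when it is split across TCP segments. The rule that the greeting's hostname must contain a dot is an assumption of this example, not something RFC 2821 states.

```python
import re
from enum import Enum


class BannerState(Enum):
    COMPLIANT = "compliant"    # "220 <hostname> ..." as RFC 2821 expects
    MASKED = "masked"          # greeting text replaced by asterisks
    NO_DOMAIN = "no-domain"    # 220 reply whose first word is not a hostname
    NOT_READY = "not-ready"    # any reply other than 220 (e.g. 421)


# Assumption: a hostname here means dotted labels of letters, digits and hyphens.
_HOST = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                   r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$")


def classify_banner(line: str) -> BannerState:
    """Classify one SMTP greeting line, e.g. '220 mail.example.com ESMTP'."""
    line = line.rstrip("\r\n")
    if not line.startswith("220"):
        return BannerState.NOT_READY
    body = line[3:].lstrip(" -")            # tolerate "220-" multiline greetings
    if body and set(body.replace(" ", "")) <= {"*"}:
        return BannerState.MASKED          # everything after the code is asterisks
    first = body.split(" ", 1)[0] if body else ""
    return BannerState.COMPLIANT if _HOST.match(first) else BannerState.NO_DOMAIN


DATA_END = b"\r\n.\r\n"


def find_data_end(segments) -> int:
    """Scan message-body segments (as delivered after the DATA reply) and return the
    number of body bytes before the terminating '.' line, or -1 if no terminator is
    seen. A tail of len(DATA_END)-1 bytes is carried between segments so a terminator
    split across segments is still matched, which is the case that breaks a
    line-by-line proxy."""
    buf = b"\r\n"          # the CRLF ending the DATA command counts as a line boundary
    consumed = -2          # offset of buf[0] relative to the body start
    for seg in segments:
        buf += seg
        idx = buf.find(DATA_END)
        if idx != -1:
            return consumed + idx + 2      # skip the CRLF that belongs to the terminator
        keep = min(len(buf), len(DATA_END) - 1)
        consumed += len(buf) - keep
        buf = buf[len(buf) - keep:]
    return -1
```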
