[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Thunderbird & Gmail

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Thunderbird & Gmail
From: Gerardo Rodríguez <grchapa@xxxxxxxxxxx>
Date: Tue, 14 Oct 2008 23:07:00 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 15 Oct 2008 00:07:46 -0400
In-reply-to: <BAY118-DAV6D2C7993B317E6505D00EA13B0@xxxxxxx>
References: <BAY118-DAV47DF44CE1DFA4AA968E98A1380@xxxxxxx> <48EBA0B0.9040007@xxxxxxxxxxx> <BAY118-DAV49D8AAE1F6919D38AC0ABA1380@xxxxxxx> <48EBCE98.60501@xxxxxxxxxxx> <1da45f2a0810071609i5a1f530dqa73ad9a79ee1d8e@xxxxxxxxxxxxxx> <48EBFCD1.8010909@xxxxxxxxxxx> <BAY118-DAV6D2C7993B317E6505D00EA13B0@xxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.17 (Windows/20080914)

Hi once again. I was wondering if tor with thunderbird send informationto the pop3/smtp servers, this is what i found out. I had to usethundebird ver 1.5.* with torbutton 1.0.4, and used the WireShark tocapture packets.


While retrieving the mail this two readings where constant:
_____________________________________________________________________________

Frame 10 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89), Dst:Intel_94:e0:d3 (ff:ff:ff:94:e0:d3)Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst:192.168.1.70 (192.168.1.70)Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst Port:53328 (53328), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination ProtocolInfo11 9.437005 2wire_2e:d4:89 Broadcast ARP Whohas 192.168.1.65? Tell 192.168.1.254

_____________________________________________________________________________

&
_____________________________________________________________________________

No. Time Source Destination ProtocolInfo12 10.373837 192.168.1.70 88.198.51.7 TCP43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586


Frame 12 (640 bytes on wire, 640 bytes captured)

Ethernet II, Src: Intel_94:e0:d3 (ff:ff:ff:94:e0:d3), Dst:2wire_2e:d4:89 (aa:aa:aa:2e:d4:89)Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7(88.198.51.7)Transmission Control Protocol, Src Port: 43089 (43089), Dst Port:etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586

Data (586 bytes)

0000  17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0   .... .........S.
etc.
_____________________________________________________________________________

And while sending mail this two:
_____________________________________________________________________________

No. Time Source Destination ProtocolInfo23 3.306572 CompName schatten.darksystem.net TCPflorence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586


Frame 23 (640 bytes on wire, 640 bytes captured)

Ethernet II, Src: CompName (ff:ff:ff:94:e0:d3), Dst: 192.168.1.254(aa:aa:aa:2e:d4:89)Internet Protocol, Src: CompName (192.168.1.70), Dst:schatten.darksystem.net (88.198.51.7)Transmission Control Protocol, Src Port: florence (1228), Dst Port:etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586

Data (586 bytes)

0000  17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43   .... 9....0`?._C
etc.
_____________________________________________________________________________

&
_____________________________________________________________________________

No. Time Source Destination ProtocolInfo24 3.532021 schatten.darksystem.net CompName TCPetlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0


Frame 24 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 192.168.1.254 (aa:aa:aa:2e:d4:89), Dst: CompName(ff:ff:ff:94:e0:d3)Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst:CompName (192.168.1.70)Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst Port:florence (1228), Seq: 1, Ack: 587, Len: 0

_____________________________________________________________________________

Now:

aa:aa:aa:2e:d4:89   is the actual mac address of the adapter in my router
ff:ff:ff:94:e0:d3       is the actual mac address of the adapter in my pc
CompName          is the name of my pc (faked :-)

I´m not an expert in reading packets, but, this is a leak ain´t it?




Gerardo Rodríguez escribió:

Thanks a lot, I´ll be running tests & I´ll post the results

anonym escribió:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/10/08 01:09, Jonathan Addington wrote:

With Wireshark you can filter by port.

..

To address the above, filter by ports, and then by your IP inside the

packet


Sure, filters make it easier finding stuff when you know what to look
for, but I'm not sure that's the case here. In an analysis like this we
are much more interested that which we had not anticipated. For example,
what if Thunderbird leaked DNS requests? Filtering away all but POP and
SMTP would then hide this for us.

We're not dealing with huge amounts of packets here really, perhaps a
couple of hundreds of packets at most. That's a piece of cake to go
through and will make the analysis more complete and thorough. IMHO,
when dealing with these kinds of issues filtering comes in when that's
not a realistic option.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkjr/NAACgkQp8EswdDmSVjMrwCfT2aJ7j7Cko2HhYIItj35gmrK
VW4AoOjIfgtkSPrgghm9yusAz+137GSg
=xWB4
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Thunderbird & Gmail
  - From: Gerardo Rodríguez
- Re: Thunderbird & Gmail
  - From: Gerardo Rodríguez
- Re: Thunderbird & Gmail
  - From: anonym

References:
- Thunderbird & Gmail
  - From: Gerardo Rodríguez
- Re: Thunderbird & Gmail
  - From: anonym
- Re: Thunderbird & Gmail
  - From: Gerardo Rodríguez
- Re: Thunderbird & Gmail
  - From: anonym
- Re: Thunderbird & Gmail
  - From: Jonathan Addington
- Re: Thunderbird & Gmail
  - From: anonym
- Re: Thunderbird & Gmail
  - From: Gerardo Rodríguez

Prev by Author: Re: Thunderbird & Gmail
Next by Author: Re: Thunderbird & Gmail
Previous by thread: Re: Thunderbird & Gmail
Next by thread: Re: Thunderbird & Gmail
Index(es):
- Author
- Thread