hMailServer script to anonymise internal IP addresses
We all know that (accidentally) exposing private information to all and sundry is a bad thing; information leaked in SMTP Received: headers is a goldmine for pentesters and blackhats alike. Here’s a little script for hMailServer which will anonymise the names and IP addresses of internal SMTP mail clients that would otherwise be placed into a Received: header.
The script might need some tweaking to suit your environment:
- It will anonymise Received: headers only when the connecting client’s IP address starts with 172.16. Alter this check to suit your own environment
- You’ll need to change mail.example.com to whatever hMailServer’s Local host name is set to (under Settings->Protocols->SMTP->Delivery of e-mail)
hMailServer scripts are by default written in VBScript; I’ve had extensive counselling to get over the experience, and I’m fine now.
Tweak the script below, then add it to EventHandlers.vbs. Take care if you already have a handler defined for OnAcceptMessage:
' Strips out private IP addresses from Received headers
' if the client's IP address is in 172.16.0.0/16
Sub OnAcceptMessage(oClient, oMessage)
    ' Check the client's IP address - we only want to do this work
    ' for internal clients
    If Left(oClient.IPAddress, 7) = "172.16." Then
        Set oHeaders = oMessage.Headers
        ' Iterate over the headers looking for Received:
        For i = oHeaders.Count - 1 To 0 Step -1
            Set oHeader = oHeaders.Item(i)
            ' Check if this is a header which we should modify
            If LCase(oHeader.Name) = "received" Then
                ' Log the header value in case we need it later on
                EventLog.Write("Pre-anonymisation: " & oHeader.Value)
                ' Set up the regex (matches "from <client> by <local host name>")
                Set myRegExp = New RegExp
                myRegExp.Global = False
                myRegExp.Pattern = "\bfrom[\-\sA-Za-z0-9\.\]\[\(\)]*by mail.example.com\b"
                ' Do the replacement
                oHeader.Value = myRegExp.Replace(oHeader.Value, "from mailclient by mail.example.com")
                ' Dump the modified header
                EventLog.Write("Post-anonymisation: " & oHeader.Value)
            End If
        Next
        ' Save all the changes...
        oMessage.Save
    End If
End Sub
The before-and-after Received: headers look like this:
Received: from some-machine ([172.16.28.16]) by mail.example.com ; Tue, 8 Jun 2010 11:49:22 +0100
Received: from mailclient by mail.example.com ; Tue, 8 Jun 2010 11:49:22 +0100
…thereby neatly hiding the fact that there is an internal machine called some-machine at IP address 172.16.28.16. The original header is logged to hMailServer’s EventLog file in case it’s needed later on for debugging, or during Incident Response or other forensic activity.
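Before deploying the handler it is worth checking the regex against the Received: headers your own clients actually produce. The following Python is an added example (not part of the original script): it reuses the pattern and replacement from the VBScript verbatim, applies the same "internal client only" rule to constructed sample headers, and then checks whether a 172.16.x.x address survives. It also shows one case the pattern does not cover: a HELO name containing an underscore, which is outside the pattern's character class, so that header is left untouched and the address leaks. All header values and the 172.16.0.0/16 prefix are constructed assumptions mirroring the page.

```python
import re

# Pattern and replacement copied from the VBScript handler above; the local
# host name mail.example.com is the page's placeholder, change it as needed.
PATTERN = re.compile(r"\bfrom[\-\sA-Za-z0-9\.\]\[\(\)]*by mail.example.com\b")
REPLACEMENT = "from mailclient by mail.example.com"
INTERNAL_PREFIX = "172.16."          # the script's 172.16.0.0/16 check
PRIVATE_IP = re.compile(r"\b172\.16\.\d{1,3}\.\d{1,3}\b")


def anonymise(client_ip, headers):
    """Mirror OnAcceptMessage: for an internal client, rewrite each Received:
    header (first match only, like Global = False). headers is a list of
    (name, value) pairs; a new list is returned, other headers untouched."""
    if not client_ip.startswith(INTERNAL_PREFIX):
        return list(headers)
    result = []
    for name, value in headers:
        if name.lower() == "received":
            value = PATTERN.sub(REPLACEMENT, value, count=1)
        result.append((name, value))
    return result


def leaked_received(headers):
    """Post-check: Received: values that still carry a 172.16.x.x address."""
    return [v for n, v in headers
            if n.lower() == "received" and PRIVATE_IP.search(v)]


# Constructed sample headers (not captured traffic).
DATE = " ; Tue, 8 Jun 2010 11:49:22 +0100"
PLAIN = "from some-machine ([172.16.28.16]) by mail.example.com" + DATE
# HELO name with an underscore: '_' is not in the pattern's character class,
# so the regex cannot bridge "from" to "by" and the header is left as-is.
UNDERSCORE = "from my_laptop ([172.16.3.4]) by mail.example.com" + DATE


def demo():
    ok = anonymise("172.16.28.16", [("Received", PLAIN), ("Subject", "hi")])
    bad = anonymise("172.16.3.4", [("Received", UNDERSCORE)])
    return ok, leaked_received(ok), leaked_received(bad)


if __name__ == "__main__":
    for label, item in zip(("rewritten", "leaks ok", "leaks bad"), demo()):
        print(label, item)
```

If the leak check reports anything for your own client names, widen the character class (or anchor on the bracketed IP instead) before relying on the handler.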
You can download the script here – I hope someone finds it useful!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk