On 12 Dec 2017, at 18:43 (-0500), Gary wrote:
> https://robotattack.org
> These tests appear to be aimed at website testing. Any ideas how to
> test a mail server for the robot attack?

In addition to the fact that (non-antique) OpenSSL is not vulnerable to
the attack, the way it works would be difficult to use against any
post-connection TLS initiation (i.e. STARTTLS for SMTP & IMAP4, STLS for
POP3) because it would generate substantial log noise, which it would
not for HTTPS (or probably for "wrappermode" SMTPS.) If you log deeply
enough to see the attack, it gets lost in the background noise.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
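
The log noise mentioned in the reply can be measured from the mail server's own logs. This is an added example, not part of the original message: it counts failed TLS handshakes per client in a sliding window, assuming Postfix-style `SSL_accept error` smtpd lines, constructed sample data, and an illustrative threshold and window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix-style smtpd line logged when a TLS handshake fails after STARTTLS.
# The MTA and its log format are assumptions of this example.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"SSL_accept error from \S+\[(?P<ip>[^\]]+)\]"
)

def parse_failures(lines, year=2017):
    """Return {client_ip: sorted handshake-failure timestamps}."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append(ts)
    return {ip: sorted(stamps) for ip, stamps in by_ip.items()}

def burst_clients(lines, threshold=20, window=timedelta(minutes=1)):
    """Return {ip: peak failures in any window} for clients at or over threshold."""
    flagged = {}
    for ip, stamps in parse_failures(lines).items():
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: scattered background failures plus one burst."""
    fmt = "Dec 12 18:{m:02d}:{s:02d} mx postfix/smtpd[{pid}]: {msg}"
    err = "SSL_accept error from unknown[{ip}]: -1"
    background = [(1, "198.51.100.7"), (9, "198.51.100.8"), (30, "198.51.100.7")]
    lines = [fmt.format(m=m, s=5, pid=2000 + m, msg=err.format(ip=ip))
             for m, ip in background]
    lines += [fmt.format(m=40, s=s, pid=3000 + s, msg=err.format(ip="203.0.113.9"))
              for s in range(40)]
    lines.append(fmt.format(m=41, s=0, pid=4000,
                 msg="lost connection after STARTTLS from unknown[203.0.113.9]"))
    return lines

if __name__ == "__main__":
    print(burst_clients(sample_log()))
```

Isolated failures from ordinary clients stay below the threshold, so only the client with a dense run of failed handshakes is reported.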