Attempted IMAP connections to wrong GMAIL Server??
Looking into strange traffic on the network ~ Google or CloudFlare DNS issue? Or misconfiguration here?
We’ve been having periodic bouts of weird network issues, so I started looking at our network traffic more closely. What is going on??
First of all I see all these Push Ack, Fin Push Ack, Reset Ack and other packets getting blocked. Somehow pfSense thinks they are invalid packets, so it blocks them. For the sake of International Soccer and a happy home I unblock some of that on our “TV network” and decide I’ll deal with that later. I also double check a whole bunch of other network configurations.
That seems to help but then the issue pops up again and this one seems a bit odd. What am I missing?
First of all I allow traffic to and from the appropriate Gmail domains to send and receive mail on the appropriate ports per the Google documentation.
We can look up specifically what IP addresses get returned for each mail-related domain name.
pop.gmail.com (port 995) for inbound mail that can be deleted after download. You can configure it to remain on the server.

imap.gmail.com (port 993) for inbound mail that stays on the server for cases where you’re reading mail on multiple servers. This is probably the most commonly used option.

smtp.gmail.com (port 25) for outbound mail.

So what is this? I see port 993, so that indicates an IMAP connection; however, that is not one of the IP addresses returned for imap.gmail.com by Cloudflare DNS.

It’s definitely in the Google IP space, but Google hosts a lot of other things like Google Cloud — which could be hosting a rogue mail server.

So is this a legitimate mail server or something hosted on Google cloud or what?
Next I used the approach in this post which looks at SPF records:
Drilling down the command that gets me what I’m seeking:

I can see the address that’s bogging down my logs is in this range, which is somehow returned via a “Non-authoritative answer” from the Google DNS server.

So in theory, that IP range has something to do with *outbound* mail as the article states and is in the Google IP ranges. However, I have a host somewhere on my network trying to reach those servers using IMAP to *download* mail, not send it out. So how is that host not getting one of the correct IPs to use for IMAP?
I check with my housemate and there’s only one place he checks mail. I briefly take a look and it seems to be correctly configured.
I even run a query for mail.google.com just to see if that IP comes up. It doesn’t. But I would not expect IMAP servers to be the same web servers that serve up Gmail on the web on port 443, so that makes sense.
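The two checks described above (resolving the documented pop/imap/smtp hostnames, then walking Google’s SPF include chain to see whether an IP falls inside one of its netblocks) can be scripted so the verdict for a blocked destination is repeatable before anything goes into a firewall rule. The code below is an added example, not code from the original post. It uses a constructed, offline DNS table (`FAKE_DNS`) with documentation-range placeholder IPs in place of a real resolver; the only real structure it assumes is the SPF include chain shape `_spf.google.com` → `_netblocks.google.com`, and the actual ranges must come from a live lookup. It also makes the post’s caveat explicit: an SPF hit means “authorized outbound sender”, which is not the same as a documented IMAP endpoint.

```python
"""Classify an observed destination ip:port against Gmail's documented
client endpoints and Google's SPF netblocks (added example, offline)."""
import ipaddress

# Documented Gmail client endpoints and the ports listed in the post.
MAIL_ENDPOINTS = {
    "pop.gmail.com": 995,
    "imap.gmail.com": 993,
    "smtp.gmail.com": 25,
}

# Constructed DNS answers standing in for a resolver (dnspython or `dig`
# in real use). The include chain shape is Google's real SPF layout; the
# A records and ip4/ip6 ranges are RFC 5737/3849 documentation placeholders.
FAKE_DNS = {
    ("imap.gmail.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("pop.gmail.com", "A"): ["192.0.2.20"],
    ("smtp.gmail.com", "A"): ["192.0.2.30"],
    ("_spf.google.com", "TXT"): [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"
    ],
    ("_netblocks.google.com", "TXT"): [
        "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ~all"
    ],
    ("_netblocks2.google.com", "TXT"): ["v=spf1 ip6:2001:db8:abcd::/48 ~all"],
}


def fake_resolve(name, rtype):
    """Resolver shim with the same (name, type) -> [answers] shape a real one would have."""
    return FAKE_DNS.get((name, rtype), [])


def spf_networks(domain, resolve, depth=0, seen=None):
    """Follow SPF include: mechanisms and collect every ip4/ip6 network.

    RFC 7208 caps DNS-querying mechanisms at 10 per evaluation, so a depth
    limit plus a seen-set guards against include loops and runaway chains.
    """
    seen = set() if seen is None else seen
    nets = []
    if depth > 10 or domain in seen:
        return nets
    seen.add(domain)
    for txt in resolve(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?")  # strip the SPF qualifier, if any
            if mech.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                nets.extend(spf_networks(mech[8:], resolve, depth + 1, seen))
    return nets


def classify(ip, port, resolve=fake_resolve):
    """Return a short verdict for a blocked destination ip:port.

    Order matters: a documented hostname match is the only result that
    justifies an IMAP/POP/SMTP allow rule; an SPF match only says the IP
    is an authorized *sender* for google.com mail.
    """
    addr = ipaddress.ip_address(ip)
    for host, documented_port in MAIL_ENDPOINTS.items():
        if ip in resolve(host, "A") or ip in resolve(host, "AAAA"):
            if port == documented_port:
                return f"documented: {host}:{documented_port}"
            return f"documented host {host} but unexpected port {port}"
    for net in spf_networks("_spf.google.com", resolve):
        if addr in net:  # version mismatch (v4 addr vs v6 net) is simply False
            return (f"in Google SPF netblock {net} "
                    f"(outbound sender range, not a documented port {port} endpoint)")
    return "unknown: not a documented mail host and not in Google SPF netblocks"


if __name__ == "__main__":
    for dest in [("192.0.2.10", 993), ("203.0.113.77", 993), ("203.0.113.200", 993)]:
        print(dest, "->", classify(*dest))
```

Swapping `fake_resolve` for a real resolver turns this into the same drill the post walks through by hand; the `unknown` verdict is the case where the only safe move is to find the originating host on the LAN rather than widen the rule.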

I’m guessing perhaps there’s a misconfiguration somewhere — either on my network (but I don’t think so?) or perhaps Cloudflare DNS is not returning *all* the Google IMAP IPs?
I’m trying to figure out how else I would determine whether that is a legitimate Google IMAP server IP before adding it to the firewall.
By the way, the response here is really sad and unacceptable for businesses attempting to set up zero-trust networks.
Just noticed these IPs getting blocked as well:





Teri Radichel | © 2nd Sight Lab 2023