tcpdump during SMTP AUTH session with no SSL

Email message was from joeblow@mailserver.com, to joeschmoe@somedomain.com, subject line "OOOOOOOOOOOOOOOOOOOOOOOOOOOOO" with body "UUUUUUUUUUUUUUUUUUUUUUUUU". Message is cleartext, dunno why the user/pass is not...maybe it was already cached? Help...lol.

-----------------------
NOTE: Damian Menscher writes: "Caching doesn't make sense here, so I did some digging through the RFCs and found that the username and password are base64 encoded. The string [censored] decodes to ^@mbates^@[censored] which, I assume, is your username and password." (yup.)
-------------------------------------------------------------------------------

joeblow@dhcp06 ~/Desktop $ sudo tcpdump -i en0 -s 1500 -X 'port 25'
tcpdump: listening on en0
14:54:45.911135 my.client.computer.com.51333 > my.mailserver.com.smtp: S 4137297113:4137297113(0) win 32768 (DF)
0x0000 4500 003c 7eed 4000 4006 8ed3 81aa f96a  E..<~.@.@......j
0x0010 423b 6fab c885 0019 f69a 24d9 0000 0000  B;o.......$.....
0x0020 a002 8000 2d2a 0000 0204 05b4 0103 0300  ....-*..........
0x0030 0101 080a d694 25d4 0000 0000  ......%.....
14:54:46.026960 my.mailserver.com.smtp > my.client.computer.com.51333: S 1870849923:1870849923(0) ack 4137297114 win 1460 (DF)
0x0000 4500 003c 0000 4000 3006 1dc1 423b 6fab  E..<..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e783 f69a 24da  ...j....o.....$.
0x0020 a012 05b4 640d 0000 0204 05b4 0101 080a  ....d...........
0x0030 0242 7a76 d694 25d4 0103 0300 84a5 71f2  .Bzv..%.......q.
14:54:46.027121 my.client.computer.com.51333 > my.mailserver.com.smtp: . ack 1 win 33304 (DF)
0x0000 4500 0034 7eee 4000 4006 8eda 81aa f96a  E..4~.@.@......j
0x0010 423b 6fab c885 0019 f69a 24da 6f82 e784  B;o.......$.o...
0x0020 8010 8218 2d22 0000 0101 080a d694 25d4  ....-"........%.
0x0030 0242 7a76  .Bzv
14:54:46.169249 my.mailserver.com.smtp > my.client.computer.com.51333: P 1:80(79) ack 1 win 5792 (DF)
0x0000 4500 0083 9df8 4000 3006 7f81 423b 6fab  E.....@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e784 f69a 24da  ...j....o.....$.
0x0020 8018 16a0 b124 0000 0101 080a 0242 7a7c  .....$.......Bz|
0x0030 d694 25d4 3232 3020 7768 6f6f 7069 732e  ..%.220.mailserver.
0x0040 636f 6d20 4553 4d54 5020 5365 6e64 6d61  com.ESMTP.Sendma
0x0050 696c 2038 2e31 322e 382f 382e 3132 2e38  il.8.12.8/8.12.8
0x0060 3b20 5361 742c 2031 3920 4170 7220 3230  ;.Sat,.19.Apr.20
0x0070 3033 2031 343a 3534 3a32 3320 2d30 3430  03.14:54:23.-040
0x0080 300d 0a29 5101 02  0..)Q..
14:54:46.172578 my.client.computer.com.51333 > my.mailserver.com.smtp: P 1:19(18) ack 80 win 33304 (DF)
0x0000 4500 0046 7eef 4000 4006 8ec7 81aa f96a  E..F~.@.@......j
0x0010 423b 6fab c885 0019 f69a 24da 6f82 e7d3  B;o.......$.o...
0x0020 8018 8218 2d34 0000 0101 080a d694 25d5  ....-4........%.
0x0030 0242 7a7c 4548 4c4f 2077 686f 6f70 6973  .Bz|EHLO.mailserver
0x0040 2e63 6f6d 0d0a  .com..
14:54:46.307849 my.mailserver.com.smtp > my.client.computer.com.51333: . ack 19 win 5792 (DF)
0x0000 4500 0034 9df9 4000 3006 7fcf 423b 6fab  E..4..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e7d3 f69a 24ec  ...j....o.....$.
0x0020 8010 16a0 7e77 0000 0101 080a 0242 7a82  ....~w.......Bz.
0x0030 d694 25d5 9537 6e23  ..%..7n#
14:54:46.312970 my.mailserver.com.smtp > my.client.computer.com.51333: P 80:300(220) ack 19 win 5792 (DF)
0x0000 4500 0110 9dfa 4000 3006 7ef2 423b 6fab  E.....@.0.~.B;o.
0x0010 81aa f96a 0019 c885 6f82 e7d3 f69a 24ec  ...j....o.....$.
0x0020 8018 16a0 2f90 0000 0101 080a 0242 7a82  ..../........Bz.
0x0030 d694 25d5 3235 302d 7768 6f6f 7069 732e  ..%.250-mailserver.
0x0040 636f 6d20 4865 6c6c 6f20 676f 6e7a 6f20  com.Hello.gonzo.
0x0050 5b31 3239 2e31 3730 2e32 3439 2e31 3036  [129.170.249.106
0x0060 5d2c 2070 6c65 6173 6564 2074 6f20 6d65  ],.pleased.to.me
0x0070 6574 2079 6f75 0d0a 3235 302d 454e 4841  et.you..250-ENHA
0x0080 4e43 4544 5354 4154 5553 434f 4445 530d  NCEDSTATUSCODES.
0x0090 0a32 3530 2d50 4950 454c 494e 494e 470d  .250-PIPELINING.
0x00a0 0a32 3530 2d38 4249 544d 494d 450d 0a32  .250-8BITMIME..2
0x00b0 3530 2d53 495a 450d 0a32 3530 2d44 534e  50-SIZE..250-DSN
0x00c0 0d0a 3235 302d 4554 524e 0d0a 3235 302d  ..250-ETRN..250-
0x00d0 4155 5448 2047 5353 4150 4920 4c4f 4749  AUTH.GSSAPI.LOGI
0x00e0 4e20 504c 4149 4e0d 0a32 3530 2d53 5441  N.PLAIN..250-STA
0x00f0 5254 544c 530d 0a32 3530 2d44 454c 4956  RTTLS..250-DELIV
0x0100 4552 4259 0d0a 3235 3020 4845 4c50 0d0a  ERBY..250.HELP..
0x0110 68e7 2f9e  h./.
14:54:46.355539 my.client.computer.com.51333 > my.mailserver.com.smtp: . ack 300 win 33304 (DF)
0x0000 4500 0034 7ef0 4000 4006 8ed8 81aa f96a  E..4~.@.@......j
0x0010 423b 6fab c885 0019 f69a 24ec 6f82 e8af  B;o.......$.o...
0x0020 8010 8218 2d22 0000 0101 080a d694 25d5  ....-"........%.
0x0030 0242 7a82  .Bz.
14:54:46.364839 my.client.computer.com.51333 > my.mailserver.com.smtp: P 19:56(37) ack 300 win 33304 (DF)
0x0000 4500 0059 7ef1 4000 4006 8eb2 81aa f96a  E..Y~.@.@......j
0x0010 423b 6fab c885 0019 f69a 24ec 6f82 e8af  B;o.......$.o...
0x0020 8018 8218 2d47 0000 0101 080a d694 25d5  ....-G........%.
0x0030 0242 7a82 4155 5448 2050 4c41 494e xxxx  .Bz.AUTH.PLAIN.A
0x0040 xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  G1ij6u7x3k92nfla
0x0050 xxxx xxxx xxxx xxxx xx  J7g2xn=..
14:54:46.530943 my.mailserver.com.smtp > my.client.computer.com.51333: P 300:328(28) ack 56 win 5792 (DF)
0x0000 4500 0050 9dfb 4000 3006 7fb1 423b 6fab  E..P..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e8af f69a 2511  ...j....o.....%.
0x0020 8018 16a0 8a57 0000 0101 080a 0242 7a8c  .....W.......Bz.
0x0030 d694 25d5 3233 3520 322e 302e 3020 4f4b  ..%.235.2.0.0.OK
0x0040 2041 7574 6865 6e74 6963 6174 6564 0d0a  .Authenticated..
0x0050 ae16 b20f  ....
14:54:46.533820 my.client.computer.com.51333 > my.mailserver.com.smtp: P 56:88(32) ack 328 win 33304 (DF)
0x0000 4500 0054 7ef2 4000 4006 8eb6 81aa f96a  E..T~.@.@......j
0x0010 423b 6fab c885 0019 f69a 2511 6f82 e8cb  B;o.......%.o...
0x0020 8018 8218 2d42 0000 0101 080a d694 25d5  ....-B........%.
0x0030 0242 7a8c 4d41 494c 2046 524f 4d3a 3c6d  .Bz.MAIL.FROM:..
14:54:46.727320 my.mailserver.com.smtp > my.client.computer.com.51333: P 328:373(45) ack 88 win 5792 (DF)
0x0000 4500 0061 9dfc 4000 3006 7f9f 423b 6fab  E..a..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e8cb f69a 2531  ...j....o.....%1
0x0020 8018 16a0 4c89 0000 0101 080a 0242 7a93  ....L........Bz.
0x0030 d694 25d5 3235 3020 322e 312e 3020 3c6d  ..%.250.2.1.0.....Sender.ok.
0x0060 0a33 d6ff 72  .3..r
14:54:46.730328 my.client.computer.com.51333 > my.mailserver.com.smtp: P 88:117(29) ack 373 win 33304 (DF)
0x0000 4500 0051 7ef3 4000 4006 8eb8 81aa f96a  E..Q~.@.@......j
0x0010 423b 6fab c885 0019 f69a 2531 6f82 e8f8  B;o.......%1o...
0x0020 8018 8218 2d3f 0000 0101 080a d694 25d6  ....-?........%.
0x0030 0242 7a93 5243 5054 2054 4f3a 3c77 6f7a  .Bz.RCPT.TO:.
0x0050 0a  .
14:54:46.886737 my.mailserver.com.smtp > my.client.computer.com.51333: P 373:420(47) ack 117 win 5792 (DF)
0x0000 4500 0063 9dfd 4000 3006 7f9c 423b 6fab  E..c..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e8f8 f69a 254e  ...j....o.....%N
0x0020 8018 16a0 8005 0000 0101 080a 0242 7a9c  .............Bz.
0x0030 d694 25d6 3235 3020 322e 312e 3520 3c77  ..%.250.2.1.5.....Recipient.o
0x0060 6b0d 0ae0 a041 88  k....A.
14:54:46.889670 my.client.computer.com.51333 > my.mailserver.com.smtp: P 117:123(6) ack 420 win 33304 (DF)
0x0000 4500 003a 7ef4 4000 4006 8ece 81aa f96a  E..:~.@.@......j
0x0010 423b 6fab c885 0019 f69a 254e 6f82 e927  B;o.......%No..'
0x0020 8018 8218 2d28 0000 0101 080a d694 25d6  ....-(........%.
0x0030 0242 7a9c 4441 5441 0d0a  .Bz.DATA..
14:54:47.024532 my.mailserver.com.smtp > my.client.computer.com.51333: P 420:470(50) ack 123 win 5792 (DF)
0x0000 4500 0066 9dfe 4000 3006 7f98 423b 6fab  E..f..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e927 f69a 2554  ...j....o..'..%T
0x0020 8018 16a0 2836 0000 0101 080a 0242 7aa4  ....(6.......Bz.
0x0030 d694 25d6 3335 3420 456e 7465 7220 6d61  ..%.354.Enter.ma
0x0040 696c 2c20 656e 6420 7769 7468 2022 2e22  il,.end.with."."
0x0050 206f 6e20 6120 6c69 6e65 2062 7920 6974  .on.a.line.by.it
0x0060 7365 6c66 0d0a df98 38f9  self....8.
14:54:47.027680 my.client.computer.com.51333 > my.mailserver.com.smtp: P 123:528(405) ack 470 win 33304 (DF)
0x0000 4500 01c9 7ef5 4000 4006 8d3e 81aa f96a  E...~.@.@..>...j
0x0010 423b 6fab c885 0019 f69a 2554 6f82 e959  B;o.......%To..Y
0x0020 8018 8218 2eb7 0000 0101 080a d694 25d6  ..............%.
0x0030 0242 7aa4 4461 7465 3a20 5361 742c 2031  .Bz.Date:.Sat,.1
0x0040 3920 4170 7220 3230 3033 2031 343a 3534  9.Apr.2003.14:54
0x0050 3a34 3520 2d30 3430 300d 0a4d 696d 652d  :45.-0400..Mime-
0x0060 5665 7273 696f 6e3a 2031 2e30 2028 4170  Version:.1.0.(Ap
0x0070 706c 6520 4d65 7373 6167 6520 6672 616d  ple.Message.fram
0x0080 6577 6f72 6b20 7635 3532 290d 0a43 6f6e  ework.v552)..Con
0x0090 7465 6e74 2d54 7970 653a 2074 6578 742f  tent-Type:.text/
0x00a0 706c 6169 6e3b 2063 6861 7273 6574 3d55  plain;.charset=U
0x00b0 532d 4153 4349 493b 2066 6f72 6d61 743d  S-ASCII;.format=
0x00c0 666c 6f77 6564 0d0a 5375 626a 6563 743a  flowed..Subject:
0x00d0 204f 4f4f 4f4f 4f4f 4f4f 4f4f 4f4f 4f4f  .OOOOOOOOOOOOOOO
0x00e0 4f4f 4f4f 4f4f 4f4f 0d0a 4672 6f6d 3a20  OOOOOOOO..From:.
0x00f0 4d61 7269 6f6e 2042 6174 6573 203c 6d62  Marion.Bates...To:.joeschmoe@dartm
0x0120 6f75 7468 2e65 6475 0d0a 436f 6e74 656e  outh.edu..Conten
0x0130 742d 5472 616e 7366 6572 2d45 6e63 6f64  t-Transfer-Encod
0x0140 696e 673a 2037 6269 740d 0a4d 6573 7361  ing:.7bit..Messa
0x0150 6765 2d49 643a 203c 3632 4635 3444 4130  ge-Id:.<62F54DA0
0x0160 2d37 3239 382d 3131 4437 2d39 3139 442d  -7298-11D7-919D-
0x0170 3030 3330 3635 3431 3734 3336 4077 686f  003065417436@who
0x0180 6f70 6973 2e63 6f6d 3e0d 0a58 2d4d 6169  opis.com>..X-Mai
0x0190 6c65 723a 2041 7070 6c65 204d 6169 6c20  ler:.Apple.Mail.
0x01a0 2832 2e35 3532 290d 0a0d 0a55 5555 5555  (2.552)....UUUUU
0x01b0 5555 5555 5555 5555 5555 5555 5555 5555  UUUUUUUUUUUUUUUU
0x01c0 5555 5555 550d 0a0d 0a  UUUUU....
14:54:47.184406 my.mailserver.com.smtp > my.client.computer.com.51333: . ack 528 win 6432 (DF)
0x0000 4500 0034 9dff 4000 3006 7fc9 423b 6fab  E..4..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e959 f69a 26e9  ...j....o..Y..&.
0x0020 8010 1920 7846 0000 0101 080a 0242 7aaf  ....xF.......Bz.
0x0030 d694 25d6 2c9f 4e80  ..%.,.N.
14:54:47.184543 my.client.computer.com.51333 > my.mailserver.com.smtp: P 528:531(3) ack 470 win 33304 (DF)
0x0000 4500 0037 7ef6 4000 4006 8ecf 81aa f96a  E..7~.@.@......j
0x0010 423b 6fab c885 0019 f69a 26e9 6f82 e959  B;o.......&.o..Y
0x0020 8018 8218 2d25 0000 0101 080a d694 25d7  ....-%........%.
0x0030 0242 7aaf 2e0d 0a  .Bz....
14:54:47.233405 my.mailserver.com.smtp > my.client.computer.com.51333: . ack 531 win 6432 (DF)
0x0000 4500 0034 9e00 4000 3006 7fc8 423b 6fab  E..4..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e959 f69a 26ec  ...j....o..Y..&.
0x0020 8010 1920 783f 0000 0101 080a 0242 7ab2  ....x?.......Bz.
0x0030 d694 25d7 f863 6131  ..%..ca1
14:54:47.296462 my.mailserver.com.smtp > my.client.computer.com.51333: P 470:526(56) ack 531 win 6432 (DF)
0x0000 4500 006c 9e01 4000 3006 7f8f 423b 6fab  E..l..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e959 f69a 26ec  ...j....o..Y..&.
0x0020 8018 1920 d010 0000 0101 080a 0242 7ab2  .............Bz.
0x0030 d694 25d7 3235 3020 322e 302e 3020 6833  ..%.250.2.0.0.h3
0x0040 4a49 734e 3730 3033 3133 3331 204d 6573  JIsN70031331.Mes
0x0050 7361 6765 2061 6363 6570 7465 6420 666f  sage.accepted.fo
0x0060 7220 6465 6c69 7665 7279 0d0a eec8 c7c4  r.delivery......
14:54:47.299630 my.client.computer.com.51333 > my.mailserver.com.smtp: P 531:537(6) ack 526 win 33304 (DF)
0x0000 4500 003a 7ef7 4000 4006 8ecb 81aa f96a  E..:~.@.@......j
0x0010 423b 6fab c885 0019 f69a 26ec 6f82 e991  B;o.......&.o...
0x0020 8018 8218 2d28 0000 0101 080a d694 25d7  ....-(........%.
0x0030 0242 7ab2 5155 4954 0d0a  .Bz.QUIT..
14:54:47.299793 my.client.computer.com.51333 > my.mailserver.com.smtp: F 537:537(0) ack 526 win 33304 (DF)
0x0000 4500 0034 7ef8 4000 4006 8ed0 81aa f96a  E..4~.@.@......j
0x0010 423b 6fab c885 0019 f69a 26f2 6f82 e991  B;o.......&.o...
0x0020 8011 8218 2d22 0000 0101 080a d694 25d7  ....-"........%.
0x0030 0242 7ab2  .Bz.
14:54:47.381559 my.mailserver.com.smtp > my.client.computer.com.51333: P 526:568(42) ack 537 win 6432 (DF)
0x0000 4500 005e 9e02 4000 3006 7f9c 423b 6fab  E..^..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e991 f69a 26f2  ...j....o.....&.
0x0020 8018 1920 1b6c 0000 0101 080a 0242 7ab5  .....l.......Bz.
0x0030 d694 25d7 3232 3120 322e 302e 3020 7768  ..%.221.2.0.0.wh
0x0040 6f6f 7069 732e 636f 6d20 636c 6f73 696e  oopis.com.closin
0x0050 6720 636f 6e6e 6563 7469 6f6e 0d0a d727  g.connection...'
0x0060 0253  .S
14:54:47.381706 my.client.computer.com.51333 > my.mailserver.com.smtp: R 4137297650:4137297650(0) win 0
0x0000 4500 0028 7efc 0000 4006 ced8 81aa f96a  E..(~...@......j
0x0010 423b 6fab c885 0019 f69a 26f2 0000 0000  B;o.......&.....
0x0020 5004 0000 9cb9 0000  P.......
14:54:47.382938 my.mailserver.com.smtp > my.client.computer.com.51333: F 568:568(0) ack 537 win 6432 (DF)
0x0000 4500 0034 9e03 4000 3006 7fc5 423b 6fab  E..4..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e9bb f69a 26f2  ...j....o.....&.
0x0020 8011 1920 77d3 0000 0101 080a 0242 7ab5  ....w........Bz.
0x0030 d694 25d7 a5c7 3955  ..%...9U
14:54:47.383008 my.client.computer.com.51333 > my.mailserver.com.smtp: R 4137297650:4137297650(0) win 0
0x0000 4500 0028 7efd 0000 4006 ced7 81aa f96a  E..(~...@......j
0x0010 423b 6fab c885 0019 f69a 26f2 0000 0000  B;o.......&.....
0x0020 5004 0000 9cb9 0000  P.......
14:54:47.384294 my.mailserver.com.smtp > my.client.computer.com.51333: . ack 538 win 6432 (DF)
0x0000 4500 0034 9e04 4000 3006 7fc4 423b 6fab  E..4..@.0...B;o.
0x0010 81aa f96a 0019 c885 6f82 e9bc f69a 26f3  ...j....o.....&.
0x0020 8010 1920 77d2 0000 0101 080a 0242 7ab5  ....w........Bz.
0x0030 d694 25d7 f845 a347  ..%..E.G
14:54:47.384363 my.client.computer.com.51333 > my.mailserver.com.smtp: R 4137297651:4137297651(0) win 0
0x0000 4500 0028 7efe 0000 4006 ced6 81aa f96a  E..(~...@......j
0x0010 423b 6fab c885 0019 f69a 26f3 0000 0000  B;o.......&.....
0x0020 5004 0000 9cb8 0000  P.......
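
Damian Menscher's note at the top says the AUTH PLAIN argument is only base64 encoded, and the EHLO reply in the capture shows the server offering STARTTLS that the client never used. The Python below is an added example, not part of the original page: it decodes an AUTH PLAIN response into its NUL-separated fields and reports sessions that sent it before STARTTLS. The dialogue, the password and the function names are constructed for illustration.

```python
import base64

def decode_auth_plain(b64_response):
    """Decode an AUTH PLAIN response: authzid NUL authcid NUL passwd (RFC 4616)."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

def audit_session(dialogue):
    """Walk (sender, line) pairs of one SMTP session; report AUTH PLAIN sent without TLS."""
    starttls_offered = tls_active = False
    findings = []
    for sender, line in dialogue:
        words = line.split()
        verb = words[0].upper() if words else ""
        if sender == "S" and line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS":
            starttls_offered = True
        elif sender == "C" and verb == "STARTTLS":
            tls_active = True  # everything after this is encrypted on the wire
        elif sender == "C" and verb == "AUTH" and not tls_active:
            # Only the one-line form "AUTH PLAIN <base64>" seen in the capture is handled.
            if len(words) == 3 and words[1].upper() == "PLAIN":
                _, user, passwd = decode_auth_plain(words[2])
                findings.append({"user": user,
                                 "password_length": len(passwd),  # never log the password itself
                                 "starttls_offered": starttls_offered})
    return findings

# Constructed sample: same command order as the capture, made-up password.
SAMPLE_B64 = base64.b64encode(b"\x00mbates\x00example-password").decode("ascii")
SAMPLE_DIALOGUE = [
    ("S", "220 mailserver.com ESMTP Sendmail 8.12.8/8.12.8"),
    ("C", "EHLO mailserver.com"),
    ("S", "250-mailserver.com Hello gonzo, pleased to meet you"),
    ("S", "250-AUTH GSSAPI LOGIN PLAIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH PLAIN " + SAMPLE_B64),
    ("S", "235 2.0.0 OK Authenticated"),
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE_DIALOGUE):
        print(finding)
```

A finding with `starttls_offered` set to true means the exposure was a client configuration choice, not a server limitation.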