[Dshield] Change your passwords! + Multi-Stage Open Relays caused by spamware

Jon R. Kibler Jon.Kibler at aset.com
Fri Jul 18 17:48:06 GMT 2003


Jeff:

I did not mention the possibility that the MTA is insecure because in the instances where this has been a problem, the MTA has been confirmed as secure. Usually, MTAs that send spam are insecure, but not in these cases (at least none I have heard of).

I should probably again state in a posting to this list "ANYTIME you change your MTA software and/or configuration, RETEST IT!"
(That is, submit it to ORDB.ORG, NJABL.ORG, etc.)

Jon


Jeff wrote:
> 
> On Fri, 18 Jul 2003, Jon R. Kibler wrote:
> 
> >
> [snip]
> > Both these exploits make secure MTAs appear to be open relays because
> > they are forwarding spam. However, the MTA itself is secure, but is
> > still being used to send spam.
> >
> > In the first exploit, spammers are somehow capturing email passwords and
> > using them to authenticate a remote user, thus allowing that remote user
> > to relay mail. How are the passwords being captured? No one I have
> > discussed this problem with is quite sure what is going on, but the
> > following appear to be candidates:
> [snip]
> 
> You seem to have overlooked the possibility that the MTA *could be*
> improperly secured.
> 
> Default passwords in MDaemon and a common qmail SMTP AUTH configuration
> error seem to be two possibilities that were not covered in your original
> message.
> 
> For a starting point, see this message from the qmail mailing list:
> http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
> 
> There is further discussion of the qmail problem on other lists,
> indicating that a documentation error may have resulted in /usr/bin/true
> being used to verify password validity.
> 
> A rise in qmail MTAs being used to relay spam has been noted, and I have
> seen it proposed that various open relay testing scripts be modified to
> attempt to relay with a set of bogus SMTP AUTH credentials to detect
> mis-configured installations.
> 
> This is not to discredit any of the other possibilities mentioned in your
> original post, but to offer additional possible explanations for the
> behavior you are observing.
> 
> I do not have direct experience with the problems stated above; I am just
> passing on information from other sources.
> 
> hth,
> 
> -jeff
> 
> --
> Jeff Godin
> Network Specialist
> Traverse Area District Library / Traverse Community Network
> jeff at tcnet.org
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
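The check Jeff proposes above (an open-relay test extended to try a set of bogus SMTP AUTH credentials) and Jon's "retest it" advice, as an added example that is not code from this thread and is not the ORDB or NJABL tester. The probe below speaks SMTP directly so that every reply code is visible: it issues AUTH PLAIN with credentials that must not exist on the target, and if the server answers 235 it tries MAIL FROM/RCPT TO for an outside domain, but never sends DATA. A constructed mock MTA is included so the whole thing runs offline; with accept_any_auth=True it accepts every AUTH, which is the observable behaviour of an installation whose password check always succeeds, like the /usr/bin/true misconfiguration mentioned above. All host names, addresses and credentials are made-up assumptions.

```python
"""Relay probe with bogus SMTP AUTH credentials, plus a mock MTA to run against.

Added example; this code is not from the thread above and is not the ORDB or
NJABL tester. The mock server is constructed so the probe runs offline: with
accept_any_auth=True it answers 235 to every AUTH, which is how a server whose
password check always returns success would behave. All host names,
addresses and credentials below are made-up assumptions.
"""
import base64
import socket
import threading

BOGUS_USER = "nosuchuser"               # credentials that must NOT exist on the target
BOGUS_PASS = "nosuchpassword"
PROBE_SENDER = "relaytest@example.com"
EXTERNAL_RCPT = "someone@example.net"   # a domain the target should not relay for


def _read_reply(f):
    """Read one SMTP reply, following 'NNN-' continuation lines; return (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), "\n".join(lines)


def _cmd(sock, f, line):
    sock.sendall((line + "\r\n").encode())
    return _read_reply(f)


def probe_relay(host, port, user=BOGUS_USER, password=BOGUS_PASS, timeout=10):
    """AUTH PLAIN with bogus credentials, then ask to relay to an outside address.
    DATA is never sent, so a misconfigured server never receives a real message."""
    result = {"auth_accepted": False, "relay_accepted": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, _ = _read_reply(f)
        if code != 220:
            return result
        code, ehlo = _cmd(sock, f, "EHLO probe.example.com")
        if code != 250 or "AUTH" not in ehlo.upper():
            _cmd(sock, f, "QUIT")
            return result                      # no AUTH advertised: nothing to test
        # AUTH PLAIN token is base64("\0" + user + "\0" + password)
        token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        code, _ = _cmd(sock, f, f"AUTH PLAIN {token}")
        result["auth_accepted"] = code == 235
        if result["auth_accepted"]:
            code, _ = _cmd(sock, f, f"MAIL FROM:<{PROBE_SENDER}>")
            if code == 250:
                code, _ = _cmd(sock, f, f"RCPT TO:<{EXTERNAL_RCPT}>")
                result["relay_accepted"] = code == 250
            _cmd(sock, f, "RSET")              # abandon the transaction, no DATA
        _cmd(sock, f, "QUIT")
    return result


def start_mock_mta(accept_any_auth):
    """Constructed stand-in MTA on 127.0.0.1; returns its port. It relays only for
    authenticated sessions, and authenticates anyone when accept_any_auth is set."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        authed = False
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mail.example.org ESMTP\r\n")
            for raw in f:
                verb = raw.decode("utf-8", "replace").split(" ", 1)[0].strip().upper()
                if verb == "EHLO":
                    conn.sendall(b"250-mail.example.org\r\n250 AUTH PLAIN LOGIN\r\n")
                elif verb == "AUTH":
                    authed = accept_any_auth   # the misconfiguration being modelled
                    conn.sendall(b"235 ok\r\n" if authed else b"535 authentication failed\r\n")
                elif verb in ("MAIL", "RSET"):
                    conn.sendall(b"250 ok\r\n")
                elif verb == "RCPT":
                    conn.sendall(b"250 ok\r\n" if authed else b"553 relaying denied\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"500 unrecognized command\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for flag in (True, False):
        label = "password check always succeeds" if flag else "correct AUTH"
        print(label, "->", probe_relay("127.0.0.1", start_mock_mta(flag)))
```

Point probe_relay at a real host only when you are authorized to test it. A 235 in reply to credentials you know do not exist is the finding by itself; relay_accepted only confirms that the accepted session is also allowed to send outbound. Retest after any change to the MTA or its authentication configuration, as Jon says above.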