RE: [Dshield] New Relay Exploit?

Freddie Sorensen freddie at parawebic.com
Wed Jan 7 18:11:38 GMT 2004


John

What do you mean SMTP open relay exploitation is more a thing of yesterday's
spammers ?

And how would you use an open proxy for sending email ?

Freddie

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Coxe, John B.
Sent: Wednesday, 7 January 2004 00:13
To: 'General DShield Discussion List'
Subject: RE: [Dshield] New Relay Exploit?

Sue,

As long as your clients are all MAPI (not POP or IMAP), turning off relay
completely should work for you.  The problem arises when they use those open
protocols, as they need to define an SMTP server, generally the same as
their mail server in a LAN environment, and would then not be able to send
mail outside of their backbone.

SMTP open relay exploitation is more a thing of yesterday's spammers, though
still popular.  Open proxies are more commonly exploited now.  Are you
running any other services on that host?  Specifically, do you have a web
server configured on it?  If so, telnet to it on port 80 and send a "CONNECT
mx1.hotmail.com:25 HTTP/1.0" (followed by two carriage returns) command and
see if you get a 5xx or a 2xx code back.  (Should return a 501 html page
saying it is not supported.)

Socks and other proxies, commonly on ports 1080 and 8080, are also often
exploited.  I'd suggest running (at a command prompt on that server) netstat
-an | find "LISTEN".  That will show you definitively what ports you have
services listening on.

Also, I have noted before spamcop misattributing the sources of problems
based on submissions.  I thought all of that was fixed ages ago though.  But
the experience I had was that a user in Exchange sent off spam they received
to spamcop.  The architecture for that network involved three enterprise
MTAs for the receiving domain handling the mail before it went to Exchange.
Spamcop had determined inappropriately from the Received headers, presumably
automatically, that the first gateway server was a spam source, when it was
actually the server that received it from the real spam source and never
failed any relay tests.

John C

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Sue Young
Sent: Tuesday, January 06, 2004 2:27 PM
To: list at dshield.org
Subject: [Dshield] New Relay Exploit?

In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying seems to be
blocked correctly.  Luckily, it hasn't been a lot of messages but it has
been enough to get us blacklisted by spamcop.

I've reset our Exchange server to not allow relaying.  I did have it set to
only relay for authenticated hosts, then I realized there would be no
reason for anyone to relay so I set it to only relay from a list of IP
addresses and left the list blank.
After I did that, it looked like the following message came through anyway.
I blocked their class C and it seemed to stop it.  Before I made this
change, I tested for a relay on abuse.net and it was ok.  The only thing my
server will relay is mail to an internal domain.

Can anyone tell me what they're exploiting?  The headers on the messages
look normal - it's getting the message from a DSL connection in Mexico and
relaying all over the world.  This should not be possible.

Thanks,

Sue Young

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
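The Received-header misattribution John describes above, as an added example that is not code from this thread: a small Python parser walks the Received headers of a message newest-first and stops at the first hop that did not come from one of the organisation's own MTAs, which is the real injection point. The sample message, the hosts mta1..mta3.example.com and exchange.example.com, and the 192.0.2.x / 203.0.113.45 addresses are all constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message, newest Received header first: the spam
# reached the Exchange mailbox via three in-house MTAs (hypothetical
# hosts mta1..mta3.example.com on 192.0.2.x) after being handed to mta1
# by an outside DSL host (203.0.113.45). All addresses are documentation
# ranges chosen for this example.
SAMPLE = """\
Received: from mta3.example.com ([192.0.2.13]) by exchange.example.com; Tue, 6 Jan 2004 14:20:01 -0500
Received: from mta2.example.com ([192.0.2.12]) by mta3.example.com; Tue, 6 Jan 2004 14:20:00 -0500
Received: from mta1.example.com ([192.0.2.11]) by mta2.example.com; Tue, 6 Jan 2004 14:19:59 -0500
Received: from dsl-user.example.net ([203.0.113.45]) by mta1.example.com; Tue, 6 Jan 2004 14:19:58 -0500
From: someone@example.net
Subject: constructed sample

body
"""

# Our own MTAs (hypothetical). Received lines written by these hosts are
# trustworthy; anything below the first hop from outside this set may be forged.
OUR_MTAS = {"192.0.2.11", "192.0.2.12", "192.0.2.13"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_ip(received):
    """IPv4 address in the 'from' clause of one Received header, i.e. the
    peer that connected to the receiving MTA; None if not present."""
    m = IP_RE.search(received.split(" by ", 1)[0])
    return m.group(1) if m else None


def hops(raw):
    """'from' IPs of all Received headers, newest hop first."""
    msg = message_from_string(raw, policy=default)
    return [from_ip(h) for h in msg.get_all("Received", [])]


def external_source(raw, trusted):
    """First 'from' IP, walking newest-first, that is not one of our own
    MTAs. That host is the real injection point; stop there, because every
    Received line below it was supplied by an untrusted party."""
    for ip in hops(raw):
        if ip not in trusted:
            return ip
    return None
```

With the trusted set left empty the first hop returned is the organisation's own gateway (192.0.2.13), the kind of misattribution the thread describes; with all three MTAs in the set it is the outside DSL host 203.0.113.45.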

