[Dshield] New Relay Exploit?

Coxe, John B. JOHN.B.COXE at saic.com
Wed Jan 7 21:46:40 GMT 2004


As Brad pointed out, the open proxy is far more attractive to the spammer as
it affords him greater anonymity, which is all the more important with
legislation and penalties out there and coming soon.

61.220.193.58 - - [07/Jan/2004:11:17:02 -0800] "CONNECT maila.microsoft.com:25 HTTP/1.0" 404 399 "-" "-"

is an example from one of my apache logs of an attempt to http proxy through
this web server.  It got a 404 since the server was properly configured.
(Would get a 5xx code generally for the CONNECT command.  But I disallow
connections to the server by address, only by valid virtual hostnames, which
preemptively throws 4xx codes.)  If it did allow the transaction,
maila.microsoft.com would be sending their spam as if this server of mine
was the originator.

The real originator was homed here:

inetnum:      61.220.193.56 - 61.220.193.63
netname:      CHEN-TZUNG-HUANG-HL-TW
descr:        CHTD, Chunghwa Telecom Co., Ltd.
descr:        Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
descr:        Taipei Taiwan
country:      TW
changed:      fkchung at ms1.hinet.net 20010912

Open smtp relays were the modus operandi for spam not so long ago.  However,
with the explosion of residential broadband, all that has changed.  To
accommodate multiple hosts in a home on a single connected address, folks
put up proxies like socks and wingate.  If not properly done, they offer the
proxy to any host that wants to use them, not just the intended ones inside
their home on unroutable addresses.  Even some linux people unknowingly set
themselves up with poorly configured masquerading firewalls.  This also was
compounded by smaller businesses as they built their onramps to the
information superhighway using cheaper and underqualified system/network
architects.

Even a properly configured proxy or any server that limits relay access to
local hosts can be exploited if a local system is exploited and used as a
middleman.

Now sendmail, apache, redhat, ... come default configured not to allow this
abuse.  One would need to specifically change things to undo that
protection.  But still, there are plenty out there to use so the spammers
really do not have to work hard at all to send anonymous spam.

211.173.25.7 - - [12/Dec/2003:03:33:45 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 404 389 "-" "-"

There is another example of this CONNECT command from the apache logs.  I
seem to recall 1337 proxy is used for anonymous chat.

Also there is the infamous formmail perl cgi that is still showing up in
scans.

Look at spam toolz sites to see what they use.
http://www.mailinglistmaster.com/ is an example.  It is clear that proxies
are where they like to operate.

Another place that might be exploited, though I am not sure, is the MSA port
587 of sendmail.  (See RFC 2476.)  Most people who have it running by
default on their sendmail servers are not even aware of it.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Freddie Sorensen
Sent: Wednesday, January 07, 2004 10:12 AM
To: 'General DShield Discussion List'
Subject: AW: [Dshield] New Relay Exploit?

John

What do you mean SMTP open relay exploitation is more a thing of yesterday's
spammers ?

And how would you use an open proxy for sending email ?

Freddie
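The two CONNECT log entries John quotes are exactly what a small access-log check should pick out: a CONNECT aimed at a mail port that the server refused (4xx/5xx) is reconnaissance, while one it answered with 2xx means the web server just acted as a relay. The following is an added example, not code from the post or the list; the log lines it runs over are constructed (the first two mirror the post, the 192.0.2.10 and 198.51.100.5 entries are made up), and the port table and alert wording are my own choices.

```python
import re

# Apache common/combined log line, e.g. the post's
# 61.220.193.58 - - [07/Jan/2004:11:17:02 -0800] "CONNECT maila.microsoft.com:25 HTTP/1.0" 404 399 "-" "-"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# A CONNECT to one of these ports that the server honours turns it into a mail relay.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}   # 587 is the MSA port the post mentions

def parse_connect(line):
    """Return the fields of a CONNECT request as a dict, or None for any other log line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "CONNECT":
        return None
    host, _, port_s = m["target"].rpartition(":")
    port = int(port_s) if host and port_s.isdigit() else None
    status = int(m["status"])
    return {
        "client": m["client"], "time": m["time"],
        "host": host or m["target"], "port": port, "status": status,
        "service": MAIL_PORTS.get(port, "other"),
        # Only a 2xx means the server actually opened the tunnel; 4xx/5xx is a refusal.
        "tunneled": 200 <= status < 300,
    }

def relay_alerts(lines):
    """One alert string per CONNECT aimed at a mail port, rated by whether it succeeded."""
    alerts = []
    for a in filter(None, map(parse_connect, lines)):
        if a["service"] == "other":
            continue
        sev = "CRITICAL (relayed)" if a["tunneled"] else "info (refused)"
        alerts.append(f'{sev}: {a["client"]} -> {a["host"]}:{a["port"]} '
                      f'[{a["service"]}] status {a["status"]} at {a["time"]}')
    return alerts

# Constructed sample log: lines 1-2 mirror the post; line 3 is a made-up entry showing
# what a misconfigured server that honoured the CONNECT would log; line 4 is ordinary noise.
SAMPLE_LOG = [
    '61.220.193.58 - - [07/Jan/2004:11:17:02 -0800] "CONNECT maila.microsoft.com:25 HTTP/1.0" 404 399 "-" "-"',
    '211.173.25.7 - - [12/Dec/2003:03:33:45 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 404 389 "-" "-"',
    '192.0.2.10 - - [12/Dec/2003:04:01:10 -0800] "CONNECT mail.example.net:587 HTTP/1.0" 200 - "-" "-"',
    '198.51.100.5 - - [12/Dec/2003:04:02:00 -0800] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 276 "-" "-"',
]

if __name__ == "__main__":
    for alert in relay_alerts(SAMPLE_LOG):
        print(alert)
```

The 1337 CONNECT is parsed but not alerted on, since it is not a mail port; widen MAIL_PORTS if you also want to see tunnels to other services.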
