[Dshield] User Agent

jayjwa jayjwa at atr2.ath.cx
Fri Feb 3 09:58:33 GMT 2006


On Wed, 1 Feb 2006, KrogNetix wrote:

-> 
-> Seems to be a lot of this "HTTP_Connect_Proxy_Bypass_SMTP" attempts lately.
-> They are all coming from "hinet.net" based IP addresses.
-> 
-> ---------------------------------------------
-> HTTP_Connect_Proxy_Bypass_SMTP, 220.137.78.148,
-> 220-137-78-148.dynamic.hinet.net, 65.x.x.x, ,
-> Proxy_Target=msa-mx10.hinet.net&Port=25
-> ---------------------------------------------
-> 
-> I am assuming this hack only works if MS SMTP is up and running on a Windows
-> box? We of course do not use MS SMTP, so this activity is useless in our
-> case. Has anyone seen any examples of attempts like that that have
-> succeeded? Has anyone ever reported this activity to "hinet.net" with any
-> response? It seems it would be difficult to block this activity, as it is
-> inbound on TCP 80.


From what I understand, these are attempts to hide behind a proxy to dump SPAM 
to a mailserver. They use proxy connect, then dump the full smtp traffic in 
one shot. If you're using an intelligent mailer, you can stop these because 
they violate the smtp protocol. Sendmail's "greet pause" feature works on this 
basis if I'm not mistaken:

normal transaction:

client connects -> (must wait for smtp greeting)

                 <- smtpd (responds after a bit)

client sends HELO, and begins transaction


spammers behind connect proxies:

client connects -> (dumps full load, greeting, message and all)

                 <- smtpd (didn't wait for server greeting, ignores spammer)


Looks like this in the logs:

maillog.1.gz:Feb  2 01:23:06 atr2 sm-mta[1333]: k126N6RH001333: rejecting 
commands from map171.network49.178.amigo.net.gt [200.49.178.171] due to 
pre-greeting traffic

maillog.5.gz:Jan 28 23:05:16 atr2 sm-mta[22461]: k0T45Ggc022461: rejecting 
commands from chello062178193083.3.15.vie.surfer.at [62.178.193.83] due to 
pre-greeting traffic

maillog.5.gz:Jan 28 23:06:21 atr2 sm-mta[22466]: k0T46Lc7022466: rejecting 
commands from chello084010152072.chello.pl [84.10.152.72] due to pre-greeting 
traffic

maillog.6.gz:Jan 27 08:55:50 atr2 sm-mta[31047]: k0RDtocM031047: 
rejecting commands from [84.7.193.133] [84.7.193.133] due to pre-greeting 
traffic

maillog.7.gz:Jan 27 01:46:10 atr2 sm-mta[27490]: k0R6kAaN027490: rejecting 
commands from cpc2-runc1-5-0-cust209.bagu.cable.ntl.com [82.0.145.209] due to 
pre-greeting traffic

maillog.7.gz:Jan 27 01:49:39 atr2 sm-mta[27501]: k0R6ndbW027501: rejecting 
commands from host201248.burgasnet.com [87.227.201.248] due to pre-greeting 
traffic

maillog.7.gz:Jan 27 01:49:39 atr2 sm-mta[27500]: k0R6ndJI027500: rejecting 
commands from ip-85-198-228-116.broker.com.pl [85.198.228.116] due to 
pre-greeting traffic

maillog.7.gz:Jan 27 01:50:14 atr2 sm-mta[27511]: k0R6oE5F027511: rejecting 
commands from cp560119-a.venra1.lb.home.nl [84.30.227.223] due to pre-greeting 
traffic

maillog.7.gz:Jan 27 01:50:34 atr2 sm-mta[27513]: k0R6oYKM027513: rejecting 
commands from AToulon-151-1-129-197.w86-206.abo.wanadoo.fr [86.206.36.197] due 
to pre-greeting traffic

maillog.7.gz:Jan 27 01:50:36 atr2 sm-mta[27510]: k0R6oadv027510: rejecting 
commands from dsl-53-3-24.monet.no [84.53.3.24] due to pre-greeting traffic

maillog.7.gz:Jan 27 01:52:50 atr2 sm-mta[27517]: k0R6qnrq027517: rejecting 
commands from host-81-190-255-24.elk.mm.pl [81.190.255.24] due to pre-greeting 
traffic

maillog.7.gz:Jan 27 02:15:45 atr2 sm-mta[27639]: k0R7Fi7a027639: rejecting 
commands from host-87-99-35-61.lanet.net.pl [87.99.35.61] due to pre-greeting 
traffic

maillog.7.gz:Jan 27 02:16:53 atr2 sm-mta[27643]: k0R7GrIf027643: 
rejecting commands from pc-192-200-104-200.cm.vtr.net [200.104.200.192] due to 
pre-greeting traffic

maillog.9.gz:Jan 24 13:46:32 atr2 sm-mta[3186]: k0OIkW33003186: rejecting 
commands from 221-169-56-134.adsl.static.seed.net.tw [221.169.56.134] due to 
pre-greeting traffic



Since most of the above look like home DSL accounts, I'm guessing they have 
either misconfigured httpd's that are also proxying, intentional proxies that 
aren't secured right, or are infected with any one of the variety of malware 
that allows socks/proxy nowadays, which includes a lot of irc bots.

As I understand it, your log is from someone trying to connect thru you to 
msa-mx10.hinet.net:25? If so, they were probably trying to turn you into one 
of the above machines. I may set the sniffer on that port so I can get a 
better look at what one of these attempts looks like.

As far as hinet.net, they've been banned from my servers for over 3 years now. 
They are one of the most prolific spamming networks, and they *never* answer a 
single abuse complaint (at least none of the ones I sent).



jay
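The greet-pause behaviour jay sketches above (server stays silent, a client that talks before the 220 banner is rejected) and the "rejecting commands ... due to pre-greeting traffic" log lines, as an added, self-contained example. This is illustration code written for this page, not sendmail's greet_pause implementation and not anything posted to the list: it runs a tiny SMTP-like listener on localhost, drives it with a well-behaved client and with a client that dumps its whole session at once, and then tallies sendmail-style rejection lines by source IP. The server name, the half-second pause, the queue ids and the sample log lines (using TEST-NET addresses) are all constructed for the demo.

```python
"""Greet-pause demo: reject SMTP clients that talk before the 220 banner,
and tally the resulting sendmail-style log lines by source IP.
Constructed example; not sendmail code and not from the mailing list."""
import re
import select
import socket
import threading
from collections import Counter

# Assumption: real greet_pause delays are several seconds; half a second keeps
# the simulation fast. The server name is a constructed placeholder.
GREET_PAUSE_SECONDS = 0.5
SERVER_NAME = "mx.example.test"


def serve_one(listener, log):
    """Accept one client and enforce the greet pause described in the post."""
    listener.settimeout(5)
    conn, (ip, _) = listener.accept()
    with conn:
        conn.settimeout(5)
        # Stay silent. A legitimate MTA waits for our 220; a proxied spam
        # blast arrives immediately, so the socket turns readable early.
        readable, _, _ = select.select([conn], [], [], GREET_PAUSE_SECONDS)
        if readable:
            conn.recv(4096)  # drain the blast (unread data would cause an RST on close)
            # Constructed queue id; the message shape mirrors sendmail's log line.
            log.append(f"sm-mta[0]: k000000000000: rejecting commands from "
                       f"[{ip}] [{ip}] due to pre-greeting traffic")
            conn.sendall(f"554 {SERVER_NAME} ESMTP not accepting messages\r\n".encode())
            return
        conn.sendall(f"220 {SERVER_NAME} ESMTP ready\r\n".encode())
        cmd = conn.recv(4096)
        if cmd.upper().startswith((b"HELO", b"EHLO")):
            conn.sendall(f"250 {SERVER_NAME} Hello\r\n".encode())
        else:
            conn.sendall(b"500 command unrecognized\r\n")


def polite_client(port):
    """Normal transaction: connect, wait for the greeting, then HELO."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.recv(1024)  # blocks until the 220 banner arrives
        s.sendall(b"HELO client.example.test\r\n")
        return s.recv(1024).decode().split()[0]


def blast_client(port):
    """Proxy-connect style: dump the whole session without waiting for 220."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"HELO spammer.example.test\r\n"
                  b"MAIL FROM:<nobody@example.test>\r\n"
                  b"RCPT TO:<victim@example.test>\r\n"
                  b"DATA\r\n")
        return s.recv(1024).decode().split()[0]


def exchange(client):
    """Run one client against a fresh localhost listener.
    Returns (first reply code the client saw, list of server log lines)."""
    log = []
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener, log))
    worker.start()
    try:
        code = client(port)
    finally:
        worker.join()
        listener.close()
    return code, log


# Matches sendmail's rejection line; \s+ tolerates a wrapped "pre-greeting traffic".
PRE_GREETING_RE = re.compile(
    r"rejecting commands from (?P<host>\S+) \[(?P<ip>[0-9.]+)\] "
    r"due to pre-greeting\s+traffic")

# Constructed sample log lines (TEST-NET-1 addresses, made-up queue ids).
SAMPLE_LOG = [
    "Jan 27 01:46:10 atr2 sm-mta[27490]: k0R6kAaN027490: rejecting commands from "
    "host-1.example.test [192.0.2.10] due to pre-greeting traffic",
    "Jan 27 01:49:39 atr2 sm-mta[27501]: k0R6ndbW027501: rejecting commands from "
    "host-2.example.test [192.0.2.20] due to pre-greeting traffic",
    "Jan 27 01:50:14 atr2 sm-mta[27511]: k0R6oE5F027511: rejecting commands from "
    "[192.0.2.10] [192.0.2.10] due to pre-greeting traffic",
    "Jan 27 01:51:00 atr2 sm-mta[27520]: k0R6p0Ab027520: from=<a@example.test>, "
    "size=1234, class=0, nrcpts=1",  # unrelated line, must be ignored
]


def tally_pre_greeting(lines):
    """Count pre-greeting rejections per source IP across log lines."""
    counts = Counter()
    for line in lines:
        m = PRE_GREETING_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


if __name__ == "__main__":
    print("polite client:", exchange(polite_client))
    print("blast client:", exchange(blast_client))
    print("rejections per IP:", tally_pre_greeting(SAMPLE_LOG))
```

The polite client sees 250 and leaves no rejection in the log; the blast client sees 554 and produces one "pre-greeting traffic" line, which the same tally function then counts. Before running the tally over real maillog excerpts like the ones above, join the wrapped lines back into one line per entry, as the greedy "maillog.N.gz:" prefixes show where each entry starts.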

