Nope, I thought it might be operational in nature. ergo spammers and others now scanning for qmail-smtp-auth patch users and using those weak sites as a relay. the issue is that those sites will PASS the current "open relay" check tools and thus not be BLACK LISTED. Hey, what a cool feature. Passes open-relay test, won't get black listed, and can be used to relay spam. this might cause more traffic,, more abuse complaints, more headaches for those in operations... ps: the URL is *from* the qmail list. cheers, john On Mon, Jul 14, 2003 at 08:45:44PM -0800, W.D. McKinney wrote:
John,
Did you mean to post this on the qmail list per chance ?
Dee
On Mon, 2003-07-14 at 08:34, John Brown wrote:
seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
There has been an increase is what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests.
Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash.
Some early docs on setting up qmail based smtp-auth systems had the config infor incorrect. This leads to /usr/bin/true being used as the password checker. :(
From an operational perspective, I suspect we will see more SMTP scans
The basic test (see URL above) should get incorporated into various open-relay testing scripts.
cheers
john brown chagres technologies, inc