qmail smtp-auth bug allows open relay
seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
There has been an increase in what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests.
Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash.
Some early docs on setting up qmail based smtp-auth systems had the config info incorrect. This leads to /usr/bin/true being used as the password checker. :(
From an operational perspective, I suspect we will see more SMTP scans
The basic test (see URL above) should get incorporated into various open-relay testing scripts.
cheers
john brown chagres technologies, inc
John,
Did you mean to post this on the qmail list per chance ?
Dee
On Mon, 2003-07-14 at 08:34, John Brown wrote:
seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
There has been an increase in what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests.
Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash.
Some early docs on setting up qmail based smtp-auth systems had the config info incorrect. This leads to /usr/bin/true being used as the password checker. :(
From an operational perspective, I suspect we will see more SMTP scans
The basic test (see URL above) should get incorporated into various open-relay testing scripts.
cheers
john brown chagres technologies, inc
On Mon, 14 Jul 2003 20:45:44 -0800, "W.D. McKinney" <dee@akwireless.net> said:
Did you mean to post this on the qmail list per chance ?
On Mon, 2003-07-14 at 08:34, John Brown wrote:
Doubtful, he's *citing* a posting from an archive of the qmail list. ;)
It's a heads-up for your abuse desk, that the trojaned DSL/cablemodem customers of yours that have been acting as spam relays are likely to start scanning for open qmail servers to abuse....
Yup, what he said.
yeah, all those lovely home based DSL/Cable/Wireless users with Linux/BSD qmail-smtp-auth setups thinking they are safe and can relay off of their nifty box at home / soho. Weeeee
john
On Tue, Jul 15, 2003 at 01:53:38AM -0400, Valdis.Kletnieks@vt.edu wrote:
On Mon, 14 Jul 2003 20:45:44 -0800, "W.D. McKinney" <dee@akwireless.net> said:
Did you mean to post this on the qmail list per chance ?
On Mon, 2003-07-14 at 08:34, John Brown wrote:
Doubtful, he's *citing* a posting from an archive of the qmail list. ;)
It's a heads-up for your abuse desk, that the trojaned DSL/cablemodem customers of yours that have been acting as spam relays are likely to start scanning for open qmail servers to abuse....
Nope, I thought it might be operational in nature. ergo spammers and others now scanning for qmail-smtp-auth patch users and using those weak sites as a relay.
the issue is that those sites will PASS the current "open relay" check tools and thus not be BLACK LISTED.
Hey, what a cool feature. Passes open-relay test, won't get black listed, and can be used to relay spam.
this might cause more traffic, more abuse complaints, more headaches for those in operations...
ps: the URL is *from* the qmail list.
cheers,
john
On Mon, Jul 14, 2003 at 08:45:44PM -0800, W.D. McKinney wrote:
John,
Did you mean to post this on the qmail list per chance ?
Dee
On Mon, 2003-07-14 at 08:34, John Brown wrote:
seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
There has been an increase in what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests.
Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash.
Some early docs on setting up qmail based smtp-auth systems had the config info incorrect. This leads to /usr/bin/true being used as the password checker. :(
From an operational perspective, I suspect we will see more SMTP scans
The basic test (see URL above) should get incorporated into various open-relay testing scripts.
cheers
john brown chagres technologies, inc
--On Tuesday, July 15, 2003 8:17 PM -0600 John Brown <jmbrown@chagresventures.com> wrote:
Nope, I thought it might be operational in nature. ergo spammers and others now scanning for qmail-smtp-auth patch users and using those weak sites as a relay.
I think this *is* operational in nature.
FYI, we have found this hack actively being used on seemingly secure qmail, exchange, IMail, postfix servers run by admins with clue. And we have a pattern of the same content and an apparent small set of source IPs. (I'm working on that angle now)
Check your mail logs campers.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon
Mail Abuse Prevention System, LLC
margie@mail-abuse.org
http://mail-abuse.org
Thus spake "John Brown" <jmbrown@chagresventures.com>
seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
...
Some early docs on setting up qmail based smtp-auth systems had the config info incorrect. This leads to /usr/bin/true being used as the password checker. :(
That isn't a bug; it's a documentation problem and/or incompetent admin, depending on how generous you're feeling.
S
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
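An added example, not part of the thread or of any poster's tooling: a shell check of a qmail-smtpd run script for the misconfiguration discussed above, where `true` ends up as the password checker. It assumes the patched daemon is started as `qmail-smtpd <hostname> <checkpassword-program> <subprogram>`; the run-script contents below are constructed.

```shell
#!/bin/sh
# Assumption (not stated in the thread): argument order of the patched daemon is
#   qmail-smtpd <hostname> <checkpassword-program> <subprogram>
# so argument 2 is the program that decides whether a password is valid.
# Simple whitespace tokenizer: arguments containing spaces are not handled.
audit_run_script() {
    awk '
    function base(p) { sub(/.*\//, "", p); return p }
    function check(line,    n, t, i, a, k) {
        n = split(line, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (base(t[i]) != "qmail-smtpd") continue
            # Collect arguments up to the first redirection or pipe token.
            k = 0
            for (i++; i <= n && t[i] !~ /^[0-9]*[<>|&]/; i++)
                if (t[i] != "") a[++k] = t[i]
            if (k < 2)                     verdict = "NO_AUTH_ARGS"
            else if (base(a[2]) == "true") verdict = "ACCEPTS_ANY_PASSWORD"
            else                           verdict = "CHECKER=" a[2]
            return
        }
    }
    /^[ \t]*#/ { next }                    # skip comment lines
    {
        cont = sub(/\\[ \t]*$/, "")        # trailing backslash: command continues
        buf = buf " " $0
        if (!cont) { check(buf); buf = "" }
    }
    END {
        if (buf != "") check(buf)
        print (verdict == "" ? "NO_QMAIL_SMTPD" : verdict)
    }' "$1"
}

# Constructed sample: the hostname argument is missing, so checkpassword is read
# as the hostname and /usr/bin/true lands in the password-checker slot.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
exec tcpserver -v -R 0 smtp \
    /var/qmail/bin/qmail-smtpd /bin/checkpassword /usr/bin/true 2>&1
EOF
audit_run_script "$sample"
rm -f "$sample"
```

A `CHECKER=` result only names the program in that slot; it still has to be a real checkpassword-compatible binary for authentication to mean anything.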
participants (6): Jack Bates, John Brown, Margie Arbon, Stephen Sprunk, Valdis.Kletnieks@vt.edu, W.D. McKinney