Open Source and information security mailing list archives
From: marc at chabot.net (Marc Chabot (.net))
Subject: exploit SMTP to relay mail 24.201.15.218

Hello Marijn

ssnc> Hi, just checking how your trial of SurgeMail is going.

Sorry for this super LATE reply, I just didn't have time to test
SurgeMail.  I just re-requested another trial version to test it RIGHT
NOW because CommuniGate Pro just failed the most important test.

I've been testing CommuniGate Pro; I'm doing this at home
before going ahead at the office...

So just after installing CommuniGate Pro, I tested the SMTP with a
friend to be 100% sure it can't be used as an open relay and that all
users are forced to use an authenticated password for SMTP no matter
from where, IP, domain, whatever.  Authenticate or DIE.  With only 2
users and full logs, it's easy to monitor everything.

A few weeks later some rat bastards tried to relay mail and were
denounced to their ISP.  Again, a few weeks after that, which is today, I
was flabbergasted to see a hacker successfully use an exploit to get
CommuniGate Pro (trial version) to send a message to kido816@....com
from a fake jamesbn@...xis.com from 24.201.15.218.

11-14-2003      15:06:38       @in TCP from 24.201.15.218 (modemcable218.15-201-24.mc.videotron.ca) :4652 to 192.168.1.45 (P450) :25

That freaking WEASEL probably used a buffer overflow of some sort, but
I'll never know exactly how because I was not using Snort or running a
packet sniffer at the time.  I wish I had all those TCP packets to
analyse and see how it was done.

15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes
15:06:38.62 2 QUEUE([20099]) from <jamesbn@...xis.com>, 759 bytes (<080076058050052046050048049046049053046050049056058048058051048049055052@...201.15.218>)
15:06:38.62 2 ENQUEUER-01([20099]) enqueued
15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB)  The IP address you are using to connect to AOL is a dynamic

18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816@....com delayed
18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message
18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@...0>)
18:16:58.26 2 ENQUEUER-01([20100]) enqueued
18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099]
18:16:59.42 3 SMTP-00384(utaxis.com) failed to connect to utaxis.com [66.96.1.29]:Error Code=connection refused

At 15:06:38.61 the weasel got the exploit to work on the first
attempt; my firewall and SNMP logs confirm he connected only once.

At 15:06:38.85 AOL gives the finger to the mail server because my IP
is dynamic and not supposed to be relaying mail; at the office with a
static IP it would have worked, but here, AOL's spam-fighting
technique worked and told my mail server to go to hell.

At 18:16:43.25 CommuniGate tries to send a delay warning to the fake
sender jamesbn@...xis.com but fails because UTAXIS.COM is a parked
domain with no MX record.

I retested it with somebody else, again, and again and again and again
and again and again and again; it really is configured correctly NOT
to relay, and all users must authenticate to use the SMTP...  yet,
there IS an exploit for CommuniGate Pro, or CommuniGate Amateur to
rename it correctly.

Conclusion: Communigate Pro is phoque king GARBAGE!

I will NOT denounce this hacker to his ISP because I hope to see him do
it again (or try to do it) on your SurgeMail, so let's see how
SurgeMail can perform...


Saturday, September 13, 2003, 12:41:46 AM, wrote:

ssnc> Return-Path: <surgemail-support@...winsite.com>
ssnc> Delivered-To: chabot.net%marc@...bot.net
ssnc> Received: (cpmta 22560 invoked from network); 12 Sep 2003 23:00:12 -0700
ssnc> Received: from 216.65.3.228 (HELO netwinsite.com)
ssnc>   by smtp.c000.snv.cp.net (209.228.33.184) with SMTP; 12 Sep 2003 23:00:12 -0700
ssnc> X-Received: 13 Sep 2003 06:00:12 GMT
ssnc> Received: from netwin (unverified [127.0.0.1]) 
ssnc>         by netwinsite.com (SurgeMail 1.4a) with ESMTP id 1289423
ssnc>         for <marc@...bot.net>; Fri, 12 Sep 2003 22:41:46 -0700
ssnc> Return-Path: <surgemail-support@...winsite.com>
ssnc> From: surgemail-support@...winsite.com
ssnc> Subject: Trial of SurgeMail
ssnc> To: marc@...bot.net
ssnc> Date: Fri, 12 Sep 2003 22:41:46 -0700
ssnc> X-Server: High Performance Mail Server - http://surgemail.com
ssnc> Message-ID: <1063431706_11437@...win>
ssnc> Status: U
ssnc> X-UIDL: P2KybdHkIbhYJAE

ssnc> Hi, just checking how your trial of SurgeMail is going.
ssnc> If you have any problems or questions don't hesitate to email me.

ssnc> Marijn

ssnc> Also if you have questions or problems try the online manual search feature:
ssnc>   http://netwinsite.com/surgemail/help

-- 
Yours Digitally,
 CanonBall                            mailto: marc@...bot.net

We don't just delete spam, we delete spammers.
http://www.spammerhunters.com
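The post reconstructs the incident by correlating the queue id [20099] across the SMTPI, QUEUE, DEQUEUER and report lines. The script below, an added example that is not part of the original post or of CommuniGate Pro, does that correlation automatically over constructed log lines modelled on the format shown above: it flags any message that arrived from a non-private IP and was queued for a domain the server does not host, and it links the delay-warning report ([20100]) back to the flagged message so the backscatter sent to the unverified envelope sender is visible. The regexes, the `LOCAL_DOMAINS` set, the placeholder addresses and the use of "non-private source IP" as a stand-in for "unauthenticated submission" are all assumptions of this example; a real deployment would key off the server's own authentication markers, which the excerpt does not show.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, modelled on the CommuniGate Pro lines quoted in the
# post (time, level, module-instance(peer) [queue id] event). Mailbox names and
# example.* domains are placeholders; the source IP is the one the post reports.
SAMPLE_LOG = """\
15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes
15:06:38.62 2 QUEUE([20099]) from <jamesbn@example.net>, 759 bytes (<msgid-1@24.201.15.218>)
15:06:38.62 2 ENQUEUER-01([20099]) enqueued
15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB)  The IP address you are using to connect to AOL is a dynamic
18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816@aol.com delayed
18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message
18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@mail.example.org>)
18:16:58.26 2 ENQUEUER-01([20100]) enqueued
18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099]
19:00:00.00 2 SMTPI-00106(192.168.1.10) [20101] received, 300 bytes
19:00:00.01 2 QUEUE([20101]) from <alice@example.org>, 300 bytes (<msgid-2@example.org>)
19:00:01.00 2 DEQUEUER [20101] SMTP(example.com)bob@example.com delivered
"""

# Assumption: the domains this server hosts; delivery to anything else is relaying.
LOCAL_DOMAINS = {"example.org"}

# Assumed line shapes, derived from the excerpt in the post.
RECEIVED_RE = re.compile(r"SMTPI-\d+\((?P<ip>[\d.]+)\) \[(?P<qid>\d+)\] received")
QUEUE_RE = re.compile(r"QUEUE\(\[(?P<qid>\d+)\]\) from <(?P<sender>[^>]*)>")
DEQUEUE_RE = re.compile(
    r"DEQUEUER \[(?P<qid>\d+)\] SMTP\((?P<domain>[^)]+)\)(?P<rcpt>\S+) (?P<status>\w+)"
)
REPORT_RE = re.compile(r"report \[(?P<rid>\d+)\] is composed for \[(?P<qid>\d+)\]")


def parse_queue_log(text):
    """Group per-message events by queue id.

    Returns (msgs, reports): msgs maps qid -> {src_ip, sender, deliveries};
    reports maps the qid of a generated warning/bounce -> qid it was composed for.
    """
    msgs = defaultdict(dict)
    reports = {}
    for line in text.splitlines():
        if m := RECEIVED_RE.search(line):
            msgs[m["qid"]]["src_ip"] = m["ip"]
        elif m := QUEUE_RE.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]  # "" for a null sender (<>)
        elif m := DEQUEUE_RE.search(line):
            msgs[m["qid"]].setdefault("deliveries", []).append(
                (m["domain"], m["rcpt"], m["status"])
            )
        elif m := REPORT_RE.search(line):
            reports[m["rid"]] = m["qid"]
    return msgs, reports


def find_relay_attempts(text, local_domains=LOCAL_DOMAINS):
    """Flag messages accepted from a non-private IP and queued for a foreign domain.

    Each finding also lists the queue ids of warnings/bounces the server
    composed for that message: those go to the unverified envelope sender,
    i.e. they are backscatter toward a possibly forged address.
    """
    msgs, reports = parse_queue_log(text)
    findings = []
    for qid, info in msgs.items():
        ip = info.get("src_ip")
        # Private source stands in for "trusted/authenticated" in this example.
        if ip is None or ipaddress.ip_address(ip).is_private:
            continue
        external = [d for d, _, _ in info.get("deliveries", []) if d.lower() not in local_domains]
        if not external:
            continue
        findings.append({
            "qid": qid,
            "src_ip": ip,
            "sender": info.get("sender", ""),
            "external_domains": external,
            "backscatter_reports": sorted(rid for rid, q in reports.items() if q == qid),
        })
    return findings


if __name__ == "__main__":
    for finding in find_relay_attempts(SAMPLE_LOG):
        print(finding)
```

Run as-is it reports one finding: queue id 20099 from 24.201.15.218, queued for aol.com, with report 20100 composed for it. The internal submission 20101 is not flagged. The only real check a mail administrator should add is to replace the "private IP" heuristic with whatever the server logs for a successful SMTP AUTH, since a relay decision based on source address alone is exactly the configuration the post is trying to avoid.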

