[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42283920756.20031115021816@chabot.net>
From: marc at chabot.net (Marc Chabot (.net))
Subject: exploit SMTP to relay mail 24.201.15.218
Hello Marijn
ssnc> Hi, just checking how your trial of SurgeMail is going.
Sorry for this super LATE reply, I just didn't had time to test
SurgeMail. I just re-requested another trial version to test it RIGHT
NOW because communigate pro just failed the most important test.
I've been testing communigate pro, I'm doing this at home
before going ahead a the office...
So just after installing communigate pro, I tested the smtp with a
friend to be 100% sure it can't be used as an open relay and that all
users are forced to used authenticated password for smtp no matter
from where, ip, domain, whatever. Authenticate or DIE. With only 2
users and full logs, it's easy to monitor everything.
A few weeks later some rat bastards tried to relay mail and were
denonce to their ISP. Again, a few weeks after that, which is today, I
was flabbergasted to see a hacker successfully use an exploit to get
communigate pro (trial version) to send a message to kido816@....com
from a fake jamesbn@...xis.com from 24.201.15.218
11-14-2003 15:06:38 @in TCP from 24.201.15.218 (modemcable218.15-201-24.mc.videotron.ca) :4652 to 192.168.1.45 (P450) :25
That freaking WEASEL probably used a buffer overflow of some sort, but
I'll never know exactly how because I was not using snort or running a
packet sniffer at the time. I which I had all those TCP packets to
analyse and see how it was done.
15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes
15:06:38.62 2 QUEUE([20099]) from <jamesbn@...xis.com>, 759 bytes (<080076058050052046050048049046049053046050049056058048058051048049055052@...201.15.218>)
15:06:38.62 2 ENQUEUER-01([20099]) enqueued
15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB) The IP address you are using to connect to AOL is a dynamic
18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816@....com delayed
18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message
18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@...0>)
18:16:58.26 2 ENQUEUER-01([20100]) enqueued
18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099]
18:16:59.42 3 SMTP-00384(utaxis.com) failed to connect to utaxis.com [66.96.1.29]:Error Code=connection refused
At 15:06:38.61 the weasel got the exploit to work on the first
attempt, my firewall and snpm logs confirm he connected only once.
at 15:06:38.85 AOL gives the finger to the mail server because my IP
is dynamic and not supposed to be relaying mail, at the office with a
static IP it would have worked, but here, AOL's spam fighting
technique worked and told my mail server to go to hell.
at 18:16:43.25 communigate try to send a delay warning to the fake
sender jamesbn@...xis.com but fails because UTAXIS.COM is a parked
domain with no MX record.
I retested it with somebody else, again, and again and again and again
and again and again and again, it really is configured correctly NOT
to relay, and all users must authenticate to use the smtp... yet,
there IS an exploit for communigate pro, or communigate amateur to
rename it correctly.
Conclusion: Communigate Pro is phoque king GARBAGE!
I will NOT denounce this hacker to is ISP because I hope to see him do
it again (or try to do it) on your SurgeMail, so let's see how
SurgeMail can perform...
Saturday, September 13, 2003, 12:41:46 AM, a ?crit:
ssnc> Return-Path: <surgemail-support@...winsite.com>
ssnc> Delivered-To: chabot.net%marc@...bot.net
ssnc> Received: (cpmta 22560 invoked from network); 12 Sep 2003 23:00:12 -0700
ssnc> Received: from 216.65.3.228 (HELO netwinsite.com)
ssnc> by smtp.c000.snv.cp.net (209.228.33.184) with SMTP; 12 Sep 2003 23:00:12 -0700
ssnc> X-Received: 13 Sep 2003 06:00:12 GMT
ssnc> Received: from netwin (unverified [127.0.0.1])
ssnc> by netwinsite.com (SurgeMail 1.4a) with ESMTP id 1289423
ssnc> for <marc@...bot.net>; Fri, 12 Sep 2003 22:41:46 -0700
ssnc> Return-Path: <surgemail-support@...winsite.com>
ssnc> From: surgemail-support@...winsite.com
ssnc> Subject: Trial of SurgeMail
ssnc> To: marc@...bot.net
ssnc> Date: Fri, 12 Sep 2003 22:41:46 -0700
ssnc> X-Server: High Performance Mail Server - http://surgemail.com
ssnc> Message-ID: <1063431706_11437@...win>
ssnc> Status: U
ssnc> X-UIDL: P2KybdHkIbhYJAE
ssnc> Hi, just checking how your trial of SurgeMail is going.
ssnc> If you have any problems or questions don't hesitate to email me.
ssnc> Marijn
ssnc> Also if you have questions or problems try the online manual search feature:
ssnc> http://netwinsite.com/surgemail/help
--
Yours Digitally,
CanonBall mailto: marc@...bot.net
We don't just delete spam, we delete spammers.
http://www.spammerhunters.com
Powered by blists - more mailing lists