lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
From: marc at chabot.net (Marc Chabot (.net)) Subject: exploit SMTP to relay mail 24.201.15.218 Hello Marijn ssnc> Hi, just checking how your trial of SurgeMail is going. Sorry for this super LATE reply, I just didn't had time to test SurgeMail. I just re-requested another trial version to test it RIGHT NOW because communigate pro just failed the most important test. I've been testing communigate pro, I'm doing this at home before going ahead a the office... So just after installing communigate pro, I tested the smtp with a friend to be 100% sure it can't be used as an open relay and that all users are forced to used authenticated password for smtp no matter from where, ip, domain, whatever. Authenticate or DIE. With only 2 users and full logs, it's easy to monitor everything. A few weeks later some rat bastards tried to relay mail and were denonce to their ISP. Again, a few weeks after that, which is today, I was flabbergasted to see a hacker successfully use an exploit to get communigate pro (trial version) to send a message to kido816@....com from a fake jamesbn@...xis.com from 24.201.15.218 11-14-2003 15:06:38 @in TCP from 24.201.15.218 (modemcable218.15-201-24.mc.videotron.ca) :4652 to 192.168.1.45 (P450) :25 That freaking WEASEL probably used a buffer overflow of some sort, but I'll never know exactly how because I was not using snort or running a packet sniffer at the time. I which I had all those TCP packets to analyse and see how it was done. 15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes 15:06:38.62 2 QUEUE([20099]) from <jamesbn@...xis.com>, 759 bytes (<080076058050052046050048049046049053046050049056058048058051048049055052@...201.15.218>) 15:06:38.62 2 ENQUEUER-01([20099]) enqueued 15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB) The IP address you are using to connect to AOL is a dynamic 18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816@....com delayed 18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message 18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@...0>) 18:16:58.26 2 ENQUEUER-01([20100]) enqueued 18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099] 18:16:59.42 3 SMTP-00384(utaxis.com) failed to connect to utaxis.com [66.96.1.29]:Error Code=connection refused At 15:06:38.61 the weasel got the exploit to work on the first attempt, my firewall and snpm logs confirm he connected only once. at 15:06:38.85 AOL gives the finger to the mail server because my IP is dynamic and not supposed to be relaying mail, at the office with a static IP it would have worked, but here, AOL's spam fighting technique worked and told my mail server to go to hell. at 18:16:43.25 communigate try to send a delay warning to the fake sender jamesbn@...xis.com but fails because UTAXIS.COM is a parked domain with no MX record. I retested it with somebody else, again, and again and again and again and again and again and again, it really is configured correctly NOT to relay, and all users must authenticate to use the smtp... yet, there IS an exploit for communigate pro, or communigate amateur to rename it correctly. Conclusion: Communigate Pro is phoque king GARBAGE! I will NOT denounce this hacker to is ISP because I hope to see him do it again (or try to do it) on your SurgeMail, so let's see how SurgeMail can perform... Saturday, September 13, 2003, 12:41:46 AM, a ?crit: ssnc> Return-Path: <surgemail-support@...winsite.com> ssnc> Delivered-To: chabot.net%marc@...bot.net ssnc> Received: (cpmta 22560 invoked from network); 12 Sep 2003 23:00:12 -0700 ssnc> Received: from 216.65.3.228 (HELO netwinsite.com) ssnc> by smtp.c000.snv.cp.net (209.228.33.184) with SMTP; 12 Sep 2003 23:00:12 -0700 ssnc> X-Received: 13 Sep 2003 06:00:12 GMT ssnc> Received: from netwin (unverified [127.0.0.1]) ssnc> by netwinsite.com (SurgeMail 1.4a) with ESMTP id 1289423 ssnc> for <marc@...bot.net>; Fri, 12 Sep 2003 22:41:46 -0700 ssnc> Return-Path: <surgemail-support@...winsite.com> ssnc> From: surgemail-support@...winsite.com ssnc> Subject: Trial of SurgeMail ssnc> To: marc@...bot.net ssnc> Date: Fri, 12 Sep 2003 22:41:46 -0700 ssnc> X-Server: High Performance Mail Server - http://surgemail.com ssnc> Message-ID: <1063431706_11437@...win> ssnc> Status: U ssnc> X-UIDL: P2KybdHkIbhYJAE ssnc> Hi, just checking how your trial of SurgeMail is going. ssnc> If you have any problems or questions don't hesitate to email me. ssnc> Marijn ssnc> Also if you have questions or problems try the online manual search feature: ssnc> http://netwinsite.com/surgemail/help -- Yours Digitally, CanonBall mailto: marc@...bot.net We don't just delete spam, we delete spammers. http://www.spammerhunters.com
Powered by blists - more mailing lists