This is a compilation email as they are all related.

Rodrigo Severo wrote:

> I bet so. I have a lot of these situations here. Always around messages
> with strange, non-existent destinations. I always assumed that the other
> end of the connection was a badly engineered spam source.

That was actually going to be my conclusion: since spammers are trying
to send as much as they can as quickly as they can, their scripts
simply 'jam' their data onto a server with complete disregard for proper
connection procedures.

It may go down considerably in a few days, as we dropped a client domain
that was receiving a good 80% of all incoming spam attempts. Their domain
alone was causing about 100mb of logfile data each day.


Sam Varshavchik then informed:

> A spammer has hacked some open web proxy (whose IP address you've logged, by
> the way) administered by some moron who has no clue about system security,
> and is trying to use the proxy to spam.
> 
> The proxy receives what it thinks is an HTTP request, which it tries to
> forward to the target "web site".  The spammer puts an SMTP dialog in the
> payload.  The spammer's http request looks something like this:
> 
> POST mail.example.com:25 HTTP/1.0
> Content-Length: 8923
> EHLO mail.hotmail.com
> MAIL FROM:<[EMAIL PROTECTED]>
> RCPT TO:<[EMAIL PROTECTED]>
> DATA
> From: Hot Suzie <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Fr33 pR0n w38cAm
> 
> <html>
> <body>
> …
> 
> The proxy then turns around and connects to your port 25 and tries to dump
> all of the above, as a single blob.
> 
> This trick is designed to work with sendmail, or perhaps some NT-based
> garbage, that quickly ignores the initial http header garbage, as errors,
> then mindlessly processes the rest of the input, one line at a time.
> 
> Sadly, this trick won't work with Courier, which expects everyone who
> connects to be a proper SMTP client, that waits for a reply from EHLO, and
> each subsequent command (taking into account ESMTP PIPELINING), before
> sending the next command.  If whoever connects sends some glop of garbage,
> without waiting for a response, it gets flushed.  So, the initial set of
> SMTP commands gets flushed down the toilet, and if there's anything left,
> which by this time gives you somewhere within the HTML payload, it gets
> logged as additional errors, with tarpitting making sure the whole process
> goes sloooowly.

Well, now that is very nice to know.

A while back, a company I work with had an 'old' redhat machine that
basically got neglected, to say the least. It had been compromised through a
client's phpBB html package, using r0nin. The person proceeded to do pretty
much exactly what you mentioned above with a few php scripts. Luckily at the
time, the company had courier installed on that machine, instead of
sendmail, and courier flat out refused to send the hundreds of thousands of
emails. However, being the OLD courier it was, it simply threw all the
emails into the mailq dirs, and sat on them forever in deferral. You need
not concern yourself with that though.

Too bad not everyone uses Courier. I try and try to persuade people away
from sendmail and 'other apps not to be named here'... But they don't
listen. I read your article on FUD, very nice =)

I didn't mean for this to go off topic or into a butt-kissing email... It's
just when you have something like you mentioned above programmed into your
masterpiece, it just makes me enjoy my decision to go with courier even
more.



After reading a childish email, and coming to the conclusion it sounded like
a spammer trying to justify themselves, I did a quick grep on the maillog. I
found that a large percentage of the spam and failed deliveries, rejections,
relay denials, were emails with a from of "[EMAIL PROTECTED]".

Also, searching back through the logs for a month, I saw no 'valid' emails
from that domain.

Seeing that, I added safe-mail.net to the /etc/courier/bofh file as a
"badfrom".

The server appears to be humming along and whistling a happy tune now. Thank
you for bringing it to my attention. But if it's any consolation, I had
already switched courier back to reject junk instead of quietly
accept-and-pitch, which I had done ages ago for the older versions of
courier.

Things are all working nicely now, and I thank everyone for their input and help.


-Randall Shaw
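The behaviour Sam describes above (an SMTP server that flushes anything a client writes before it has seen the greeting, answers each later non-command line with an error, and slows down as the errors pile up) can be modelled without a network. The following is an added example written for this thread; it is not Courier's code and not part of the original mail. The thresholds TARPIT_AFTER and MAX_ERRORS, the reply texts, and the two sample sessions (a proxy dumping an HTTP-wrapped SMTP blob, and a well-behaved client) are all constructed assumptions; Courier's real limits and wording differ.

```python
import re
from dataclasses import dataclass, field

GREETING = "220 mail.example.com ESMTP ready"
COMMAND = re.compile(r"^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|RSET|NOOP|QUIT)",
                     re.IGNORECASE)
TARPIT_AFTER = 2   # assumed: errors tolerated before further replies are delayed
MAX_ERRORS = 5     # assumed: errors tolerated before the connection is dropped


@dataclass
class Summary:
    flushed_bytes: int = 0        # unsolicited input discarded before the greeting
    errors: int = 0               # lines that were not SMTP commands
    tarpit_delays: int = 0        # replies that would have been slowed down
    recipients: int = 0           # RCPT TO commands accepted
    dropped: bool = False         # server closed the connection on the client
    replies: list = field(default_factory=list)


def smtp_session(chunks):
    """Run one modelled connection and return a Summary.

    chunks[0] is whatever the client had already written when the server was
    about to send its 220 greeting; each later chunk is what arrived between
    two server replies.  No sockets are used: this is a behavioural model.
    """
    s = Summary()
    if chunks and chunks[0]:
        # A real SMTP client says nothing until it has seen the greeting, so
        # anything already buffered is an early talker's output: flush it unread.
        s.flushed_bytes = len(chunks[0])
    s.replies.append(GREETING)
    greeted = False
    in_data = False
    for chunk in chunks[1:]:
        for line in chunk.decode("latin-1").split("\r\n"):
            if not line:
                continue
            if in_data:
                # Message body: only the lone "." terminator matters here.
                if line == ".":
                    in_data = False
                    s.replies.append("250 Message accepted")
                continue
            m = COMMAND.match(line)
            if m is None:
                # Leftover HTTP headers or HTML are not commands: log an error,
                # start delaying once past TARPIT_AFTER, drop at MAX_ERRORS.
                s.errors += 1
                if s.errors > TARPIT_AFTER:
                    s.tarpit_delays += 1
                if s.errors >= MAX_ERRORS:
                    s.replies.append("421 Too many errors, closing connection")
                    s.dropped = True
                    return s
                s.replies.append("500 Unrecognized command")
                continue
            verb = m.group(1).upper()
            if verb in ("EHLO", "HELO"):
                greeted = True
                s.replies.append("250 mail.example.com PIPELINING")
            elif verb == "QUIT":
                s.replies.append("221 Bye")
                return s
            elif not greeted:
                s.replies.append("503 Send EHLO first")
            elif verb == "RCPT TO:":
                s.recipients += 1
                s.replies.append("250 Recipient OK")
            elif verb == "DATA":
                in_data = True
                s.replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                s.replies.append("250 OK")
    return s


# Constructed sample: a proxy writes the HTTP request and the SMTP dialogue in
# one go.  The first part had arrived before the greeting; the HTML trails in.
PROXY_BLOB = [
    (b"POST mail.example.com:25 HTTP/1.0\r\nContent-Length: 8923\r\n"
     b"EHLO mail.example.net\r\nMAIL FROM:<sender@example.net>\r\n"
     b"RCPT TO:<victim@example.com>\r\nDATA\r\n"
     b"From: Someone <sender@example.net>\r\nSubject: test\r\n\r\n"),
    b"<html>\r\n<body>\r\n<p>spam text</p>\r\n</body>\r\n</html>\r\n",
]

# Constructed sample: a proper client waits for each reply, pipelining only
# MAIL/RCPT after the server has advertised PIPELINING.
GOOD_CLIENT = [
    b"",
    b"EHLO client.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
    b"Subject: hello\r\n\r\nHi Bob\r\n.\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for name, chunks in (("proxy blob", PROXY_BLOB), ("good client", GOOD_CLIENT)):
        print(name, smtp_session(chunks))
```

Running it shows the two outcomes side by side: the proxy's envelope (EHLO, MAIL, RCPT, DATA) is discarded before the greeting, so no recipient is ever accepted, and the HTML that arrives afterwards is just a run of 500 errors that ends in a 421; the well-behaved client delivers one message and leaves with 221.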



_______________________________________________
courier-users mailing list
[email protected]