On Fri, Jun 16, 2006 at 01:24:25PM +0300, Odhiambo G. Washington wrote:
> Hi,
>
> PS: This is a bit OT, but there is an Exim bit.
>
> I have a server that I use for hosting websites. I simply give ftp
> access and the customer just uploads their web content. The problem
> comes in the name of some code used in these websites - they allow
> http-put and http-post by spammers.
>
> Information about my blacklisted server is here:
>
> http://dsbl.org/listing?62.8.64.6
>
> Now, since I am running Exim on this server, is there a way to take
> care of (prevent the spamming) such a situation within Exim itself?
>
> So far, this server is almost permanently blacklisted.
>
> I'd appreciate if anyone knows a better way to audit the web data
> content stored on the server, even ;)

hang on, the claim in the above link is that your server is an open web
proxy, not that there's a specific script on it that's exploitable
(though of course there may be one of those too). I'm a bit surprised by
that because your server (a) appears to be apache; but (b) doesn't list
mod_proxy in the Server: header. It also doesn't appear to permit the
types of exploits that the above link talks about:

    : [EMAIL PROTECTED] ~/sof*/mythic-u* $; telnet 62.8.64.6 80
    Trying 62.8.64.6...
    Connected to 62.8.64.6.
    Escape character is '^]'.
    POST http://sphinx.mythic-beasts.com:25/ HTTP/1.0
    Host: sphinx.mythic-beasts.com
    Content-Length: 112

    HELO fish
    MAIL FROM: <[EMAIL PROTECTED]>
    RCPT TO: <[EMAIL PROTECTED]>
    DATA
    Fish soup is good for you
    .
    QUIT
    HTTP/1.1 404 Not Found
    Date: Fri, 16 Jun 2006 11:38:55 GMT
    Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.3.11 mod_perl/1.26
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD><BODY>
    <H1>Not Found</H1>
    The requested URL / was not found on this server.<P>
    <HR>
    <ADDRESS>Apache/1.3.33 Server at sphinx.mythic-beasts.com Port 25</ADDRESS>
    </BODY></HTML>

-- the results there indicate that it's just accepting HTTP requests for
any hostname and returning a `not found' result (I guess you use the
apache mass hosting mode?).

I see from the blacklist page above that the emails which were passed
through the machine were sent almost a year ago; perhaps the
configuration of the machine has been changed to fix this problem since
then? In any case I don't understand why the removal request hasn't been
processed, though of course the operators of the blacklist are permitted
to put whatever information they want into it, whether or not it's
correct (modulo local law on defamation etc.).

If they continue to be intransigent, forward mail via a second IP
address and chalk this one up to the general idiocy of people trying to
do spam filtering on IP address only.

--
``It's not our fault we have to grab your crotch to make sure your balls
aren't made of plastic explosives -- the government made us do it!''
(Colin Teubner summarises a security notice at Heathrow Airport)

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
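
Added example (not part of the original message or thread): a log audit for the kind of proxy-style request tried in the telnet session above, assuming Apache common/combined log format. LOCAL_HOSTS, the function names and the sample log lines are constructed for illustration; a 2xx answer is only a prompt to check by hand, since a server that ignores the hostname can also answer 200.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption, constructed for the example).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache common/combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')

def proxy_target(request_line):
    """Return (host, port) if the request line names another server, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                       # CONNECT host:port
        host, _, port = target.rpartition(":")
        return (host.lower(), int(port)) if host and port.isdigit() else None
    if "://" in target:                           # absolute URI, as in the telnet test
        try:
            u = urlsplit(target)
            host, port = u.hostname, u.port or 80
        except ValueError:                        # malformed host or port
            return None
        if host and host.lower() not in LOCAL_HOSTS:
            return (host.lower(), port)
    return None

def audit(lines):
    """Classify proxy-style requests: 'suspect' if answered 2xx, else 'refused'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        target = proxy_target(request)
        if target:
            verdict = "suspect" if 200 <= status < 300 else "refused"
            findings.append((client, target, status, verdict))
    return findings

# Constructed sample log lines (not taken from the server in the thread).
SAMPLE = [
    '192.0.2.10 - - [16/Jun/2006:11:38:55 +0000] "POST http://mail.example.net:25/ HTTP/1.0" 404 289',
    '192.0.2.44 - - [16/Jun/2006:11:40:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '192.0.2.51 - - [16/Jun/2006:11:41:17 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.52 - - [16/Jun/2006:11:42:30 +0000] "GET http://www.example.org/ HTTP/1.1" 200 5120',
]
```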
