I just wanted to comment that I had what appears to be a place scanning
me for this exploit yesterday.  I use Postfix though, so no issues.  You
should look very carefully at your configuration if you use qmail and
the smtp-auth patches.

BTW, some will claim that this is a bug in qmail.  No, the code is fine.
The original documentation came with a misconfiguration (which was
changed in pretty short order, but some are afflicted with it).  Plus,
this is not an official DJB approved patch.  For that matter, there are
*NO* DJB approved patches.  His only approved source is the qmail-1.03
tarball.  Everything else is done by someone else and _those_ are the
ones with the bugs, never qmail.

Blue skies...                           Todd

----- Forwarded message from John Brown <[EMAIL PROTECTED]> -----

Date: Tue, 15 Jul 2003 20:17:09 -0600
From: John Brown <[EMAIL PROTECTED]>
User-Agent: Mutt/1.2.5i
To: "W.D. McKinney" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: qmail smtp-auth bug allows open relay


Nope, I thought it might be operational in nature.  ergo
spammers and others now scanning for qmail-smtp-auth patch
users and using those weak sites as a relay.

the issue is that those sites will PASS the current "open relay"
check tools and thus not be BLACK LISTED.

Hey, what a cool feature.  Passes open-relay test, won't get
black listed, and can be used to relay spam.

this might cause more traffic, more abuse complaints, more
headaches for those in operations...

ps:  the URL is *from* the qmail list.

cheers,
john


On Mon, Jul 14, 2003 at 08:45:44PM -0800, W.D. McKinney wrote:
> 
> John,
> 
> Did you mean to post this on the qmail list per chance ?
> 
> Dee
> 
> On Mon, 2003-07-14 at 08:34, John Brown wrote:
> > seems that there are installs of the smtp-auth patch
> > to qmail that accept anything as a user name and password
> > and thus allow you to connect.
> > 
> > http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
> > 
> > is one URL that talks about this.
> > 
> > There has been an increase in what appears to be qmail based
> > open-relays over the last 5 days.  Each of these servers
> > pass the normal suite of open-relay tests.
> > 
> > Spammers are scanning for SMTP-AUTH and STARTTLS based 
> > mail servers that may be misconfigured. Then using them
> > to send out their trash.
> > 
> > Some early docs on setting up qmail based smtp-auth systems
> > had the config info incorrect.  This leads to /usr/bin/true
> > being used as the password checker. :(
> > 
> > From an operational perspective, I suspect we will see more
> > SMTP scans
> > 
> > The basic test (see URL above) should get incorporated into
> > various open-relay testing scripts.
> > 
> > cheers
> > 
> > john brown
> > chagres technologies, inc
> > 
> > 
> 

----- End forwarded message -----

-- 
Blue skies...   Todd    Proprietary Software Licenses: Duping a 
person into making a vow of ignorance and then selling them the 
fruits of knowledge is like making them believe they benefit from 
having their head held under water while someone sells them oxygen.
Linux kernel 2.4.19-24mdk   4 users,  load average: 0.08, 0.12, 0.36
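
A local audit for the misconfiguration discussed in this thread, as an added example that is not part of the original messages or of any qmail patch. It assumes the patched `qmail-smtpd` is started as `qmail-smtpd <hostname> <checker> <subprogram>` (an assumption, not stated in the thread), so a run line that omits the hostname leaves `/usr/bin/true` in the checker slot; the run scripts and function names are constructed for illustration.

```python
import os
import re
import shlex

# Constructed sample run scripts (not taken from the thread).
BAD_RUN = r"""#!/bin/sh
exec /usr/local/bin/tcpserver -v -R 0 smtp \
  /var/qmail/bin/qmail-smtpd /bin/checkpassword /usr/bin/true 2>&1
"""
GOOD_RUN = r"""#!/bin/sh
exec /usr/local/bin/tcpserver -v -R 0 smtp \
  /var/qmail/bin/qmail-smtpd mail.example.com /bin/checkpassword /usr/bin/true 2>&1
"""
# Programs that exit 0 whatever credentials they are handed.
ALWAYS_SUCCEEDS = {"true"}

def audit_smtpd_args(tokens):
    """Classify one tokenised command line; None if it does not run qmail-smtpd."""
    names = [os.path.basename(t) for t in tokens]
    if "qmail-smtpd" not in names:
        return None
    args = []
    for tok in tokens[names.index("qmail-smtpd") + 1:]:
        if re.match(r"\d*[<>|&]", tok):   # shell redirection, not an argument
            break
        args.append(tok)
    if not args:
        return "auth-disabled"            # no AUTH arguments at all
    if len(args) < 2:
        return "incomplete-arguments"
    # ASSUMPTION: argument order is <hostname> <checker> <subprogram>.
    hostname, checker = args[0], args[1]
    if os.path.basename(checker) in ALWAYS_SUCCEEDS:
        return "accepts-any-password"     # every AUTH attempt is approved
    if "/" in hostname:
        return "hostname-looks-like-path"
    return "ok"

def audit_run_script(text):
    """Return one finding per qmail-smtpd invocation found in a run script."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # fold continuations
        if line.lstrip().startswith("#"):
            continue
        result = audit_smtpd_args(shlex.split(line))
        if result is not None:
            findings.append(result)
    return findings
```

A finding other than `ok` or `auth-disabled` means the host can pass a conventional open-relay test while still relaying for anyone who sends AUTH.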
