I just tried this little "exploit" on the qmail 1.01 machine at my
house:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.soffen.com ESMTP
HELO testing
250-mail.soffen.com
250-PIPELINING
250 8BITMIME
MAIL FROM:<testing>
250 ok
RCPT TO: <[EMAIL PROTECTED]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
MAIL TO: <[EMAIL PROTECTED]>
503 one MAIL per message (#5.5.1)

So between this example and the fact that his qmail seems to have been
hacked so that it allows the directive MAIL TO to work, I don't know
what to believe.  This is a vanilla qmail setup with only the GMT to
LOCAL time patch applied.

Matt Soffen
Webmaster - http://www.iso-ne.com/
==============================================
Boss    - "My boss says we need some eunuch programmers."
Dilbert - "I think he means UNIX and I already know UNIX."
Boss    - "Well, if the company nurse comes by, tell her I said 
             never mind."
                                       - Dilbert -
==============================================

> ----------
> From:         Adam D. McKenna[SMTP:[EMAIL PROTECTED]]
> Sent:         Thursday, January 21, 1999 10:49 AM
> To:   [EMAIL PROTECTED]
> Subject:      Fw: ORBS Returns
> 
> For those who are not fans of obscurity, here is the news post that was
> referred to RE: ORBS
> 
> --Adam
> 
> -----Original Message-----
> From: Paul Schmehl <TINLC#[EMAIL PROTECTED]>
> Newsgroups: news.admin.net-abuse.email
> Date: Wednesday, January 20, 1999 7:02 PM
> Subject: Re: ORBS Returns
> 
> 
> :On 21 Jan 1999 00:24:10 GMT, [EMAIL PROTECTED] (Andrew
> :Gideon) felt it essential to add to the discussion:
> :
> :[snip]
> :
> :> 2. Why is scam.xcf.berkeley.edu (128.32.43.201) listed?
> :
> :Perhaps because all it takes is a little creativity to relay through
> :it?  All I'd have to do is find a legitimate party for the RCPT TO:
> :line, and I can mail to as many people as I want.
> :
> :>telnet 128.32.43.201 25
> :>Trying 128.32.43.201...
> :>Connected to 128.32.43.201.
> :>Escape character is '^]'.
> :>220 scam.xcf.berkeley.edu ESMTP
> :>HELO testing
> :>250 scam.xcf.berkeley.edu
> :>MAIL FROM: testing
> :>250 ok
> :>RCPT TO: [EMAIL PROTECTED]
> :>553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
> :>MAIL TO: [EMAIL PROTECTED]
> :>250 ok
> :>DATA
> :>503 RCPT first (#5.5.1)
> :>RCPT TO: testing
> :>250 ok
> :>DATA
> :>354 go ahead
> :>Testing for open relay
> :>.
> :>250 ok 916876400 qp 11121
> :>QUIT
> :>221 scam.xcf.berkeley.edu
> :>Connection closed by foreign host.
> :>
> :>Return-Path: <>
> :>Received: from poteidaia.utdallas.edu (null-smtp.utdallas.edu [192.168.1.1])
> :> by area51.utdallas.edu (8.9.1/8.9.1/cyrus-2.1) with ESMTP id RAA20900
> :> for <[EMAIL PROTECTED]>; Wed, 20 Jan 1999 17:47:59 -0600 (CST)
> :>Received: from scam.xcf.berkeley.edu (scam.XCF.Berkeley.EDU [128.32.43.201])
> :> by poteidaia.utdallas.edu (8.9.1/8.9.1/null-3.5) with SMTP id RAA12136
> :> for <[EMAIL PROTECTED]>; Wed, 20 Jan 1999 17:52:08 -0600 (CST)
> :>Message-Id: <[EMAIL PROTECTED]>
> :>Received: (qmail 11129 invoked for bounce); 20 Jan 1999 23:53:20 -0000
> :>Date: 20 Jan 1999 23:53:20 -0000
> :>From: [EMAIL PROTECTED]
> :>To: [EMAIL PROTECTED]
> :>Subject: failure notice
> :>
> :>Hi. This is the qmail-send program at scam.xcf.berkeley.edu.
> :>I'm afraid I wasn't able to deliver your message to the following addresses.
> :>This is a permanent error; I've given up. Sorry it didn't work out.
> :>
> :><[EMAIL PROTECTED]>:
> :>Sorry, no mailbox here by that name. (#5.1.1)
> :>
> :>--- Below this line is a copy of the message.
> :>
> :>Return-Path: <[EMAIL PROTECTED]>
> :>Received: (qmail 11121 invoked from network); 20 Jan 1999 23:53:10 -0000
> :>Received: from inca.utdallas.edu (HELO testing) ([EMAIL PROTECTED])
> :>  by scam.xcf.berkeley.edu with SMTP; 20 Jan 1999 23:53:10 -0000
> :>Testing for open relay
> :
> :http://www.utdallas.edu/~pauls/ (Paul Schmehl)
> :Technical Support Services Manager
> :University of Texas at Dallas
> :Texas resident.  Don't mess with Texas.
> 
> 
> 
> 
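
Added example (not part of either message above and not qmail's own code): a toy model of the SMTP envelope state machine that replays the quoted command sequence under two assumed policies for a repeated MAIL command. The addresses, LOCAL_DOMAINS, addr_of, Session and replay are constructed for illustration, and the address parsing is an assumption.

```python
# Toy model of an SMTP envelope state machine (illustration only, not qmail source).
LOCAL_DOMAINS = {"mail.example"}  # constructed stand-in for the rcpthosts list

def addr_of(arg):
    # Assumed parsing: whatever follows the first ':' minus spaces and <>.
    return arg.partition(":")[2].strip().strip("<>")

class Session:
    def __init__(self, second_mail_resets):
        self.second_mail_resets = second_mail_resets  # policy under test
        self.sender, self.rcpts = None, []

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            # Dispatch is on the verb alone, so "MAIL TO:" is still a MAIL command.
            if self.sender is not None and not self.second_mail_resets:
                return "503 one MAIL per message (#5.5.1)"
            self.sender, self.rcpts = addr_of(arg), []  # new envelope sender
            return "250 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 MAIL first (#5.5.1)"
            addr = addr_of(arg)
            if "@" in addr and addr.rpartition("@")[2] not in LOCAL_DOMAINS:
                return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
            self.rcpts.append(addr)  # unqualified names count as local
            return "250 ok"
        if verb == "DATA":
            return "354 go ahead" if self.rcpts else "503 RCPT first (#5.5.1)"
        return "502 unimplemented (#5.5.1)"

# Constructed replay of the quoted command sequence; user@remote.example is a placeholder.
SCRIPT = [
    "MAIL FROM: testing", "RCPT TO: user@remote.example",
    "MAIL TO: user@remote.example", "DATA", "RCPT TO: testing", "DATA",
]

def replay(second_mail_resets):
    s = Session(second_mail_resets)
    codes = [s.command(c).split()[0] for c in SCRIPT]
    return codes, s

if __name__ == "__main__":
    for policy in (False, True):
        codes, s = replay(policy)
        print(policy, codes, "sender:", s.sender, "rcpts:", s.rcpts)
```

With the reset policy the reply codes match the quoted session, and the model's only accepted recipient is the local name, while the remote address appears solely as the envelope sender.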
