At 2:25 PM -0400 9/17/01, Joseph D'Andrea imposed structure on a
stream of electrons, yielding:
>I just tried sending a message to a client and got it bounced back
>because "i'm on open relay." Well I'm not.. not unless you try and
>trick me. Maybe ORBZ have been doing this a while and I've been
>asleep, or maybe this is a new level of checking for them.
>
>I run 2 mail servers. Both bolted down as tight as can be.
>mail.west21.com at 204.89.131.70 and a secondary mail server named
>ps00.west21.com at 64.21.154.2. Both are SIMS.
>
>ps00 is the "culprit". ORBZ says that it is a "multi-stage relay"
>because it accepts all mail and relays it somewhere else thereby
>creating a sort of back door open relay. How do they know it accepts
>mail for somewhere else? They send mail for acceptable domains for
>this secondary server. In other words they send mail to
>[EMAIL PROTECTED] to this secondary server. Well the mail is
>accepted and sent on to mail.west21.com where it is accepted and
>then bounced. That's the way it's supposed to work, so how come ORBZ
>thinks otherwise?
>
>Someone help me understand what I'm missing here.
I'd love to say that what you are missing is that the folks running
ORBZ are incompetent idiots. However, they got this one right. The
message you can see on their site which passed through your machines
is not a bounce, but a real relayed message that exploits a mail
'feature' commonly referred to as the "percent hack." Given the right
sorts of servers, one can dictate the routing of mail in an
e-mail address by replacing the @ with a % and appending @domainname
to route mail through the mailserver for 'domainname.' You can even
layer this repeatedly and -- as long as all of those servers support
the percent hack and don't have paranoid relay restrictions --
dictate a complex route for mail.
In looking at the ORBZ test sample, I suspect that the fix is simple:
take ps00 out of the trusted client list on mail. As long as ps00
isn't trying to relay to the world through mail, it doesn't need to
be in that list and all you get from adding it is this sort of
openness. Sadly, spammers DO use this exact trick to pipe through
other peoples' mail servers, so ORBZ is not just noting an obscure
vulnerability that isn't a real risk.
--
Bill Cole
[EMAIL PROTECTED]
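The two-hop situation Bill describes, modelled as an added example that is not part of this thread: the hostnames are the ones named above, while the probe address, the outside client name and the policy logic itself are constructed for illustration. It shows that the only thing separating "multi-stage open relay" from "reject" is whether the primary lists the secondary as a trusted client.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    local_domains: set         # domains this host delivers itself
    forward_to: dict           # domain -> next-hop host (secondary-MX style)
    trusted_clients: set       # hosts allowed to relay to any domain
    percent_hack: bool = True  # rewrites user%b@me to user@b for local domains

def rewrite_percent(rcpt):
    """One percent-hack rewrite: user%b@a -> user@b (outermost % first)."""
    local, _, _ = rcpt.rpartition("@")
    local, _, new_domain = local.rpartition("%")
    return f"{local}@{new_domain}"

def handle(server, client, rcpt):
    """What one server does with RCPT TO:<rcpt> from client -> (action, next_hop, rcpt)."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() in server.local_domains and server.percent_hack and "%" in local:
        rcpt = rewrite_percent(rcpt)            # the routing step the spammer relies on
        domain = rcpt.rpartition("@")[2]
    domain = domain.lower()
    if domain in server.local_domains:
        return ("deliver", None, rcpt)
    if domain in server.forward_to:
        return ("forward", server.forward_to[domain], rcpt)
    if client in server.trusted_clients:
        return ("relay", domain, rcpt)          # trusted client => relay anywhere
    return ("reject", None, rcpt)

def trace(servers, entry, client, rcpt):
    """Follow a recipient hop by hop; returns [(server, action, rcpt), ...]."""
    path, srv = [], entry
    while True:
        action, nxt, rcpt = handle(servers[srv], client, rcpt)
        path.append((srv, action, rcpt))
        if action != "forward":
            return path
        client, srv = srv, nxt                  # next hop sees the forwarder as client

def west21(primary_trusts_secondary):
    """The two servers from the thread; the trust flag is all the fix changes."""
    ps00 = Server("ps00.west21.com", set(), {"west21.com": "mail.west21.com"}, set())
    mail = Server("mail.west21.com", {"west21.com"}, {},
                  {"ps00.west21.com"} if primary_trusts_secondary else set())
    return {s.name: s for s in (ps00, mail)}

PROBE = "victim%third-party.example@west21.com"   # constructed ORBZ-style probe

def probe(primary_trusts_secondary, rcpt=PROBE):
    """Final action on rcpt submitted to ps00 by an untrusted outside host."""
    return trace(west21(primary_trusts_secondary), "ps00.west21.com", "outside.example", rcpt)[-1][1]
```

`probe(True)` returns `"relay"` (mail forwards the rewritten address to the third party), `probe(False)` returns `"reject"`, and ordinary `joe@west21.com` mail still returns `"deliver"` under the tightened configuration.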