North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: qmail smtp-auth bug allows open relay

  • From: John Brown
  • Date: Tue Jul 15 22:18:58 2003

Nope, I thought it might be operational in nature.  ergo
spammers and others now scanning for qmail-smtp-auth patch
users and using those weak sites as a relay.

the issue is that those sites will PASS the current "open relay"
check tools and thus not be BLACK LISTED.

Hey, what a cool feature.  Passes open-relay test, won't get
black listed, and can be used to relay spam.

this might cause more traffic,, more abuse complaints, more
headaches for those in operations...

ps:  the URL is *from* the qmail list.

cheers,
john


On Mon, Jul 14, 2003 at 08:45:44PM -0800, W.D. McKinney wrote:
> 
> John,
> 
> Did you mean to post this on the qmail list per chance ?
> 
> Dee
> 
> On Mon, 2003-07-14 at 08:34, John Brown wrote:
> > seems that there are installs of the smtp-auth patch
> > to qmail that accept anything as a user name and password
> > and thus allow you to connect.
> > 
> > http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
> > 
> > is one URL that talks about this.
> > 
> > There has been an increase is what appears to be qmail based
> > open-relays over the last 5 days.  Each of these servers
> > pass the normal suite of open-relay tests.
> > 
> > Spammers are scanning for SMTP-AUTH and STARTTLS based 
> > mail servers that may be misconfigured. Then using them
> > to send out their trash.
> > 
> > Some early docs on setting up qmail based smtp-auth systems
> > had the config infor incorrect.  This leads to /usr/bin/true
> > being used as the password checker. :(
> > 
> > >From an operational perspective, I suspect we will see more
> > SMTP scans
> > 
> > The basic test (see URL above) should get incorporated into
> > various open-relay testing scripts.
> > 
> > cheers
> > 
> > john brown
> > chagres technologies, inc
> > 
> > 
>