MORE 3rd party relay troubles
Hi Matti,
Zmailer 2.99.50-s5
Today I received a notice from ORBS that our MTA was allowing
relaying. Gad! - and to be put into the MAPS db - yikes!
Could auto-anti-spam robots eventually close everything down???
It appears that some tests which use dotted quad form are successful
at 3rd party relaying (even though a normal FQDN passes the test and
does not indicate a relaying vulnerability).
Evidently the testers are using MAIL FROM: formats which are very hard to
reject, i.e.
nobody@[129.128.7.238]
or postmaster@[129.128.7.238]
or even root@[129.128.7.238]
( here 129.128.7.238 i.e. relay.phys.ualberta.ca is our MTA )
Case in point: specify dotted quad as the host to query at
http://maps.vix.com/tsi/ar-test.html
Initiating Third-Party Mail Relay Test ...
Target Host = 129.128.7.238
------------------------------------------------------------
Launching rlytest ...
Connecting to 129.128.7.238 ...
<<< 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:51:32 -0600
>>> HELO maps1.pa.vix.com
<<< 250 relay.phys.ualberta.ca Hello maps1.pa.vix.com
>>> MAIL FROM:<nobody@[129.128.7.238]>
<<< 250 2.1.0 Sender syntax Ok
>>> RCPT TO:<nobody@maps1.pa.vix.com>
<<< 250 2.1.5 Recipient address syntax Ok
>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>> (message body)
<<< 250 2.6.0 S.rGrrO88094 message accepted
>>> QUIT
<<< 221 2.0.0 relay.phys.ualberta.ca Out
rlytest: relay accepted - final response code 221
------------------------------------------------------------
Test complete.
PROBLEM! Host [129.128.7.238] may be vulnerable to mail relay.
----------------------
Whereas if one tests with the FQDN, it passes:
Initiating Third-Party Mail Relay Test ...
Target Host = relay.phys.ualberta.ca
------------------------------------------------------------
Looking up relay.phys.ualberta.ca ...
Launching rlytest ...
Connecting to 129.128.7.238 ...
<<< 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:52:30 -0600
>>> HELO maps1.pa.vix.com
<<< 250 relay.phys.ualberta.ca Hello maps1.pa.vix.com
>>> MAIL FROM:<nobody@relay.phys.ualberta.ca>
<<< 250 2.1.0 Sender syntax Ok
>>> RCPT TO:<nobody@maps1.pa.vix.com>
<<< 453-4.7.1 This target address is not our MX service
<<< 453-4.7.1 client, nor you are connecting from address
<<< 453-4.7.1 that is allowed to openly use us to relay
<<< 453-4.7.1 to any arbitary address thru us.
<<< 453 4.7.1 We don't accept this recipient.
rlytest: relay rejected - final response code 453
------------------------------------------------------------
Test complete.
GOOD NEWS! Host relay.phys.ualberta.ca refuses to relay mail.
----------------------
I was shocked to say the least!
I cleaned this up a bit in a general way by adding nobody@ to
smtp-policy, but...
On some testers, ZMailer does not close on policy rejections,
and/or the sender continues to pass DATA (although it is dropped
due to syntax errors):
12244# connection from [209.207.228.48] ipcnt 1 ident:
NO-IDENT-SERVICE[2]
12244w 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:36:48 -0600
12244# remote from [209.207.228.48]:20484
12244# -- policyresult=0 initial policy msg: <NONE!>
12244r HELO network-tools.com
12244w 250 relay.phys.ualberta.ca Hello network-tools.com
12244r MAIL FROM:<relay@network-tools.com>
12244w 250 2.1.0 Sender syntax Ok
12244r RCPT TO:<relay-test@network-tools.com>
12244# -- policy result=-103, msg: <NONE!>
12244w 453-4.7.1 This target address is not our MX service
12244w 453-4.7.1 client, nor you are connecting from address
12244w 453-4.7.1 that is allowed to openly use us to relay
12244w 453-4.7.1 to any arbitary address thru us.
12244w 453 4.7.1 We don't accept this recipient.
12244r DATA
12244w 503 5.5.2 Waiting for RCPT command
12244r Subject: This is an open e-mail relay test. See http://Network-Tools.com
12244w 550 5.5.2 Syntax error
12244# -- pipeline input exists 161 bytes
12244r To: Relay-Test <relay-test@network-tools.com>
12244w 550 5.5.2 Unknown command 'To: Relay-Test <relay-test@network-tools.com>'
12244# -- pipeline input exists 114 bytes
12244r From: Relay <relay@network-tools.com>
12244w 550 5.5.2 Unknown command 'From: Relay <relay@network-tools.com>'
12244# -- pipeline input exists 75 bytes
12244r
12244w 550 5.5.2 Unknown command ''
12244# -- pipeline input exists 73 bytes
12244r The relay is open if this message gets through! 129.128.7.238
12244w 550 5.5.2 Unknown command 'The relay is open if this message gets through! 129.128.7.238'
12244# -- pipeline input exists 9 bytes
12244r .
12244w 550 5.5.2 Unknown command '.'
12244# -- pipeline input exists 6 bytes
12244r Quit
12244w 221 2.0.0 relay.phys.ualberta.ca Out
What's worse is the tester at http://www.samspade.org/t/
(the third party relay - "steal" button)
What he does is provide a MAIL FROM: which cannot be filtered
in smtp-policy:
14306r MAIL FROM:<Read_www.blighty.com_slash_relay.html@[129.128.7.238]>
14306w 250 2.1.0 Sender syntax Ok
14306r RCPT TO:<read_www.blighty.com_slash_relay.html@blighty.com>
14306w 250 2.1.5 Recipient address syntax Ok
14306r DATA
14306w 354 Start mail input; end with <CRLF>.<CRLF>
14306w 250 2.6.0 S.rGsBK88094 message accepted
14306# S.rGsBK88094: 459 bytes
14306r QUIT
I explicitly added to smtp-policy.src the following line:
Read_www.blighty.com_slash_relay.html@[129.128.7.238] = _bulk_mail
and it still got through...so I tried blocking it in smtpserver.conf,
but the tester is tricky:
here, blighty.com sends out 'EHLO blighty.com' BUT if that
is disallowed in smtpserver.conf, it immediately sends out
EHLO [129.128.7.238], i.e. the IP under test, which is typically
accepted (quite a natural thing to do, but the policy rules do seem
to fail when this response is coming from some other machine):
15712# connection from blighty.com ipcnt 0 ident: nobody
15712w 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1
ESMTP+IDENT ready at Tue, 25 May 1999 23:37:44 -0600
15712# remote from [206.117.161.80]:13876
15712# -- policyresult=0 initial policy msg: <NONE!>
15712r EHLO blighty.com
15712w 501 NO EMAIL TRANSACTIONS ALLOWED
15712r HELO blighty.com
15712w 501 NO EMAIL TRANSACTIONS ALLOWED
15712# Session closed w/o QUIT
15713# connection from blighty.com ipcnt 2 ident: nobody
15713w 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1
ESMTP+IDENT ready at Tue, 25 May 1999 23:37:45 -0600
15713# remote from [206.117.161.80]:30516
15713# -- policyresult=0 initial policy msg: <NONE!>
15713r EHLO [129.128.7.238]
14266w 250-relay.phys.ualberta.ca expected "EHLO blighty.com"
14266w 250-SIZE 100000000
14266w 250-8BITMIME
....
My only defense until I build a newer ZMailer was to add my own MTA's
dotted quad in smtpserver.conf to disallow it:
\[129.128.7.238\] 999 !NO EMAIL TRANSACTIONS ALLOWED ON DOTTED QUAD
Geeze... that stopped it cold - but it's a poor way - I can't be
aware of the zillions of potential spammers that could try this trick...
There seems indeed to be a weak point when the sender fakes
the EHLO response to be that of the receiving MTA, and then the policy
rules fall apart.
I'm sure hoping that the latest-greatest ZMailer can handle these.
Cheers,
--
James S. MacKinnon Office: P-139 Avadh-Bhatia Physics Lab
Team Physics Voice : (780) 492-8226 [old AC 403]
University of Alberta email : Jim.MacKinnon@Phys.UAlberta.CA
Edmonton, Canada T6G 2N5 WWW : http://www.phys.ualberta.ca/
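The lesson of the exchanges above is that HELO/EHLO and MAIL FROM are chosen by the client, so a relay decision that keys on them (a sender at our own address literal, an EHLO naming our own IP) is spoofable. The following is an added example, not ZMailer's smtp-policy code, of a RCPT TO decision that only looks at the two things the client cannot choose: its connecting IP and the recipient domain. The hosted domains, the relay network and the tester's IP 192.0.2.10 are constructed values for illustration; the other addresses come from the logs in the post.

```python
import ipaddress
import re

# Constructed configuration (assumption, not the site's real policy):
# domains this MTA delivers locally, its own address literal, and the
# client networks that may relay through it.
LOCAL_DOMAINS = {"phys.ualberta.ca", "relay.phys.ualberta.ca"}
LOCAL_IPS = {ipaddress.ip_address("129.128.7.238")}
RELAY_NETWORKS = [ipaddress.ip_network("129.128.0.0/16")]

# <local-part@domain> where domain is a name or an address literal [a.b.c.d]
ADDR_RE = re.compile(r"^<?([^<>@]*)@(\[[^\]]+\]|[^<>\[\]]+)>?$")


def domain_part(path):
    """Return the domain of an RFC 821 path (brackets kept for a literal),
    or None if the path does not parse."""
    m = ADDR_RE.match(path.strip())
    return m.group(2).lower() if m else None


def is_local_domain(domain):
    """True for a hosted domain name, or for an address literal that names
    this host. Any other literal, e.g. [129.128.7.239], is not local."""
    if domain is None:
        return False
    if domain.startswith("[") and domain.endswith("]"):
        try:
            return ipaddress.ip_address(domain[1:-1]) in LOCAL_IPS
        except ValueError:
            return False
    return domain in LOCAL_DOMAINS


def relay_decision(client_ip, helo, mail_from, rcpt_to):
    """Decide the RCPT TO stage. 'helo' and 'mail_from' are accepted only to
    document that they are deliberately ignored: both are attacker-chosen.
    Returns (accepted, reply_line)."""
    ip = ipaddress.ip_address(client_ip)
    if is_local_domain(domain_part(rcpt_to)):
        return True, "250 2.1.5 Recipient address syntax Ok (local delivery)"
    if any(ip in net for net in RELAY_NETWORKS):
        return True, "250 2.1.5 Recipient address syntax Ok (client may relay)"
    return False, "453 4.7.1 We don't accept this recipient."
```

With this rule the ORBS probe (sender nobody@[129.128.7.238], recipient at maps1.pa.vix.com) and the blighty.com probe (EHLO [129.128.7.238], recipient at blighty.com) are both refused, while mail addressed to the address literal itself is still delivered locally.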