
MORE 3rd party relay troubles



Hi Matti,

Zmailer 2.99.50-s5

Today I received a notice from ORBS that our MTA was allowing
relaying. Gad! - and to be put into the MAPS db - yikes!

Could auto-anti-spam robots eventually close everything down???


It appears that some tests which use dotted quad form are successful
at 3rd party relaying (even though a normal FQDN passes the test and
does not indicate a relaying vulnerability).

Evidently the testers are using MAIL FROM: formats which are very hard to
reject, i.e.

		nobody@[129.128.7.238]
or		postmaster@[129.128.7.238]

or even 	root@[129.128.7.238]

( here 129.128.7.238 i.e. relay.phys.ualberta.ca is our MTA )


Case in point: specify dotted quad as the host to query at 
http://maps.vix.com/tsi/ar-test.html


Initiating Third-Party Mail Relay Test ...

Target Host = 129.128.7.238

------------------------------------------------------------

Launching rlytest ...
Connecting to 129.128.7.238 ...
<<< 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:51:32 -0600
>>> HELO maps1.pa.vix.com
<<< 250 relay.phys.ualberta.ca Hello maps1.pa.vix.com
>>> MAIL FROM:<nobody@[129.128.7.238]>
<<< 250 2.1.0 Sender syntax Ok
>>> RCPT TO:<nobody@maps1.pa.vix.com>
<<< 250 2.1.5 Recipient address syntax Ok
>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>> (message body)
<<< 250 2.6.0 S.rGrrO88094 message accepted
>>> QUIT
<<< 221 2.0.0 relay.phys.ualberta.ca Out
rlytest: relay accepted - final response code 221

------------------------------------------------------------

Test complete.

PROBLEM!  Host [129.128.7.238] may be vulnerable to mail relay.

----------------------


Whereas if one tests with the FQDN, it passes: 


Initiating Third-Party Mail Relay Test ...

Target Host = relay.phys.ualberta.ca

------------------------------------------------------------

Looking up relay.phys.ualberta.ca ...
Launching rlytest ...
Connecting to 129.128.7.238 ...
<<< 220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:52:30 -0600
>>> HELO maps1.pa.vix.com
<<< 250 relay.phys.ualberta.ca Hello maps1.pa.vix.com
>>> MAIL FROM:<nobody@relay.phys.ualberta.ca>
<<< 250 2.1.0 Sender syntax Ok
>>> RCPT TO:<nobody@maps1.pa.vix.com>
<<< 453-4.7.1 This target address is not our MX service
<<< 453-4.7.1 client, nor you are connecting from address
<<< 453-4.7.1 that is allowed to openly use us to relay
<<< 453-4.7.1 to any arbitary address thru us.
<<< 453 4.7.1 We don't accept this recipient.
rlytest: relay rejected - final response code 453

------------------------------------------------------------

Test complete.

GOOD NEWS!  Host relay.phys.ualberta.ca refuses to relay mail.

----------------------


I was shocked to say the least!

I cleaned this up a bit in a general way by adding nobody@  to
smtp-policy, but...


On some testers, ZMailer does not close on policy rejections,
and/or the sender continues to pass DATA (although it is dropped
due to syntax errors):

12244#  connection from [209.207.228.48] ipcnt 1 ident: NO-IDENT-SERVICE[2]
12244w  220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 22:36:48 -0600
12244#  remote from [209.207.228.48]:20484
12244#  -- policyresult=0 initial policy msg: <NONE!>
12244r  HELO network-tools.com
12244w  250 relay.phys.ualberta.ca Hello network-tools.com
12244r  MAIL FROM:<relay@network-tools.com>
12244w  250 2.1.0 Sender syntax Ok
12244r  RCPT TO:<relay-test@network-tools.com>
12244#  -- policy result=-103, msg: <NONE!>
12244w  453-4.7.1 This target address is not our MX service
12244w  453-4.7.1 client, nor you are connecting from address
12244w  453-4.7.1 that is allowed to openly use us to relay
12244w  453-4.7.1 to any arbitary address thru us.
12244w  453 4.7.1 We don't accept this recipient.
12244r  DATA
12244w  503 5.5.2 Waiting for RCPT command
12244r  Subject: This is an open e-mail relay test.  See http://Network-Tools.com
12244w  550 5.5.2 Syntax error
12244#  -- pipeline input exists 161 bytes
12244r  To: Relay-Test <relay-test@network-tools.com>
12244w  550 5.5.2 Unknown command 'To: Relay-Test <relay-test@network-tools.com>'
12244#  -- pipeline input exists 114 bytes
12244r  From: Relay <relay@network-tools.com>
12244w  550 5.5.2 Unknown command 'From: Relay <relay@network-tools.com>'
12244#  -- pipeline input exists 75 bytes
12244r
12244w  550 5.5.2 Unknown command ''
12244#  -- pipeline input exists 73 bytes
12244r  The relay is open if this message gets through!  129.128.7.238
12244w  550 5.5.2 Unknown command 'The relay is open if this message gets through!  129.128.7.238'
12244#  -- pipeline input exists 9 bytes
12244r  .
12244w  550 5.5.2 Unknown command '.'
12244#  -- pipeline input exists 6 bytes
12244r  Quit
12244w  221 2.0.0 relay.phys.ualberta.ca Out



What's worse is the tester at http://www.samspade.org/t/

	(the third party relay - "steal" button)


What he does is provide a MAIL FROM: which cannot be filtered
in smtp-policy:

14306r  MAIL FROM:<Read_www.blighty.com_slash_relay.html@[129.128.7.238]>
14306w  250 2.1.0 Sender syntax Ok
14306r  RCPT TO:<read_www.blighty.com_slash_relay.html@blighty.com>
14306w  250 2.1.5 Recipient address syntax Ok
14306r  DATA
14306w  354 Start mail input; end with <CRLF>.<CRLF>
14306w  250 2.6.0 S.rGsBK88094 message accepted
14306#  S.rGsBK88094: 459 bytes
14306r  QUIT


I explicitly added to smtp-policy.src the following line:


Read_www.blighty.com_slash_relay.html@[129.128.7.238]  = _bulk_mail


and it still got through...so I tried blocking it in smtpserver.conf,
but the tester is tricky:

here, blighty.com sends out 'EHLO blighty.com' BUT if that
is disallowed in smtpserver.conf, it immediately sends out
EHLO [129.128.7.238], i.e. the IP under test, which is typically
accepted (quite a natural thing to do, but the policy rules do seem
to fail when this response is coming from some other machine):

15712#  connection from blighty.com ipcnt 0 ident: nobody
15712w  220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 23:37:44 -0600
15712#  remote from [206.117.161.80]:13876
15712#  -- policyresult=0 initial policy msg: <NONE!>
15712r  EHLO blighty.com
15712w  501 NO EMAIL TRANSACTIONS ALLOWED
15712r  HELO blighty.com
15712w  501 NO EMAIL TRANSACTIONS ALLOWED
15712#  Session closed w/o QUIT
15713#  connection from blighty.com ipcnt 2 ident: nobody
15713w  220 relay.phys.ualberta.ca ZMailer Server 2.99.50-s5 #1 ESMTP+IDENT ready at Tue, 25 May 1999 23:37:45 -0600
15713#  remote from [206.117.161.80]:30516
15713#  -- policyresult=0 initial policy msg: <NONE!>
15713r  EHLO [129.128.7.238]
14266w  250-relay.phys.ualberta.ca expected "EHLO blighty.com"
14266w  250-SIZE 100000000
14266w  250-8BITMIME
....


My only defense until I build a newer ZMailer was to add my own MTA's
dotted quad in smtpserver.conf to disallow it:

\[129.128.7.238\]     999     !NO EMAIL TRANSACTIONS ALLOWED ON DOTTED QUAD


Geeze... that stopped it cold - but it's a poor way - I can't be
aware of the zillions of potential spammers that could try this trick...

There seems indeed to be a weak point when the sender fakes
the EHLO response to be that of the receiving MTA, and then the policy
rules fall apart.

I'm sure hoping that the latest-greatest ZMailer can handle these.

Cheers,
--
James S. MacKinnon           Office: P-139 Avadh-Bhatia Physics Lab
Team Physics                 Voice : (780) 492-8226 [old AC 403]
University of Alberta        email : Jim.MacKinnon@Phys.UAlberta.CA
Edmonton, Canada T6G 2N5     WWW   : http://www.phys.ualberta.ca/
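A model of the relay-policy failure reported in the post above, as an added example that is not code from the original message or from ZMailer. It is a small Python SMTP command state machine with two pluggable recipient-acceptance policies: a hypothetical flawed one that treats a sender at our own address literal (`user@[129.128.7.238]`) as local submission, which reproduces the two rlytest results shown (FQDN sender refused, dotted-quad sender relayed), and a hardened one that decides on the recipient domain and the connecting IP only and never consults MAIL FROM or HELO/EHLO, so the `EHLO [129.128.7.238]` trick changes nothing. The same session also reproduces the post's second observation: after a refused RCPT, DATA gets 503 and the header lines the tester keeps sending are parsed as unknown commands. The site names, the trusted network, the MX-client domain, the 550 reply text (ZMailer's log shows 453) and the client IP 198.51.100.7 are assumptions or constructed test data; the flawed policy is a reconstruction of the class of bug, not ZMailer's actual logic.

```python
"""Relay-policy model for the MAIL FROM:<user@[our-ip]> bypass (added example, not ZMailer code)."""
import ipaddress
import re

# --- Site configuration: assumed values, modelled on the post ----------------
OUR_NAME = "relay.phys.ualberta.ca"
OUR_IPS = {ipaddress.ip_address("129.128.7.238")}
LOCAL_DOMAINS = {"relay.phys.ualberta.ca", "phys.ualberta.ca"}   # delivered locally
MX_CLIENT_DOMAINS = {"mxclient.example"}                         # we are their MX (assumed)
TRUSTED_NETS = [ipaddress.ip_network("129.128.7.0/24")]         # may relay anywhere (assumed)
REJECT_RELAY = "550 5.7.1 Relaying denied: not our MX client, and your address may not relay"

_ADDR_RE = re.compile(r"^<?[^<>@]*@([^<>]+)>?$")


def domain_of(path):
    """Domain part of a MAIL FROM / RCPT TO path, lower-cased ('' if absent)."""
    m = _ADDR_RE.match(path.strip())
    return m.group(1).lower() if m else ""


def literal_ip(domain):
    """IP inside an RFC 821 address literal such as [129.128.7.238], else None."""
    if domain.startswith("[") and domain.endswith("]"):
        try:
            return ipaddress.ip_address(domain[1:-1])
        except ValueError:
            return None
    return None


def is_ours(domain):
    """A recipient domain we deliver locally: a listed name or our own address literal."""
    return domain in LOCAL_DOMAINS or literal_ip(domain) in OUR_IPS


def hardened_accept_rcpt(client_ip, mail_from, rcpt_to):
    """Accept only if the recipient is ours / an MX client, or the client IP is
    trusted.  MAIL FROM and HELO/EHLO are attacker-chosen and are never consulted."""
    rdom = domain_of(rcpt_to)
    if is_ours(rdom) or rdom in MX_CLIENT_DOMAINS:
        return True
    return any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)


def flawed_accept_rcpt(client_ip, mail_from, rcpt_to):
    """Hypothetical policy with the weakness reported in the post: a sender at our
    own address literal is treated as local submission and may relay anywhere."""
    if literal_ip(domain_of(mail_from)) in OUR_IPS:
        return True                       # decision driven by a spoofable MAIL FROM
    return hardened_accept_rcpt(client_ip, mail_from, rcpt_to)


class SmtpSession:
    """Minimal SMTP command state machine with a pluggable RCPT policy."""

    def __init__(self, client_ip, policy):
        self.client_ip, self.policy = client_ip, policy
        self.helo, self.mail_from, self.rcpts, self.body = None, None, [], []
        self.in_data, self.accepted = False, []   # accepted: (from, rcpts, body)

    def feed(self, line):
        """Process one client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.accepted.append((self.mail_from, self.rcpts, "\n".join(self.body)))
                self.mail_from, self.rcpts, self.body = None, [], []
                return "250 2.6.0 message accepted"
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg                      # recorded, but never a relay criterion
            return "250 %s Hello %s" % (OUR_NAME, arg)
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Send HELO/EHLO first"
            self.mail_from = arg.partition(":")[2].strip()
            return "250 2.1.0 Sender syntax Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = arg.partition(":")[2].strip()
            if not self.policy(self.client_ip, self.mail_from, rcpt):
                return REJECT_RELAY
            self.rcpts.append(rcpt)
            return "250 2.1.5 Recipient address syntax Ok"
        if verb == "DATA":
            if not self.rcpts:                   # no accepted recipient: refuse the body
                return "503 5.5.2 Waiting for RCPT command"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 2.0.0 %s Out" % OUR_NAME
        return "550 5.5.2 Unknown command '%s'" % line


def relay_probe(policy, client_ip, mail_from, rcpt_to, helo="maps1.pa.vix.com"):
    """Drive the rlytest command sequence from the post; returns (relayed, replies)."""
    s = SmtpSession(client_ip, policy)
    script = ["HELO " + helo, "MAIL FROM:<%s>" % mail_from, "RCPT TO:<%s>" % rcpt_to,
              "DATA", "Subject: open relay test", "", "relayed if this arrives", ".", "QUIT"]
    replies = [r for r in (s.feed(l) for l in script) if r is not None]
    return bool(s.accepted), replies


if __name__ == "__main__":
    # 198.51.100.7 is a constructed (documentation-range) client address.
    for name, pol in (("flawed", flawed_accept_rcpt), ("hardened", hardened_accept_rcpt)):
        for sender in ("nobody@relay.phys.ualberta.ca", "nobody@[129.128.7.238]"):
            relayed, _ = relay_probe(pol, "198.51.100.7", sender, "nobody@maps1.pa.vix.com")
            print("%-8s MAIL FROM:<%s> -> %s" % (name, sender, "RELAYED" if relayed else "refused"))
```

Running the file prints one line per policy and sender; only the flawed policy with the dotted-quad sender reports RELAYED. The design point is that a relay decision may only depend on facts the server establishes itself (the recipient domain and the peer's IP); anything the client sends before RCPT, whether HELO/EHLO argument or MAIL FROM, is free to forge, so a rule keyed on it can always be satisfied by a tester that simply names the target's own address.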