nanog mailing list archives

Re: Providers removing blocks on port 135?


From: Margie <margie () mail-abuse org>
Date: Sat, 20 Sep 2003 16:33:15 -0700


--On Saturday, September 20, 2003 6:36 PM -0500 Andy Walden
<andy () tigerteam net> wrote:


> Would this be a reference to the qmail-smtp-auth patch that
> recently was discovered, that if misconfigured, could allow
> incorrect relays?

No, that was the tip of the iceberg.

> If so, I would say that this was an isolated
> incident for a single patch for a specific MTA and only when it was
> misconfigured. I'm not sure I would describe that as "secure by
> normal mechanisms" nor quite the epidemic it was the first week or
> two.

We've seen the same behavior out of Postfix, QMail, Imail, Mdaemon,
Exchange, Sendmail, Mercury, Merak, NTMail, and others that I can't
recall off the top of my head.

In some cases, the relaying was fixed with the release of a new patch
or a conf change. In others, particularly Exchange, the guest account
was enabled, allowing open authentication. The big "BUT" is that
there is a not insignificant number of other machines that have
either been shown to have been brute forced or we've yet to determine
the mechanism that allows the relay.

The problem is not small.

> I'm not necessarily making a statement one way or the other on port
> 25 filtering, but SMTP Auth, when properly configured and protected
> against brute force attacks is certainly a useful thing. YMMV of
> course.

Yes, it is a useful thing. It's not the ultimate answer.

A machine that tests secure by any test we are willing to run, that
requires fifteen character passwords, with multiple special
characters required, that is STILL relaying indicates there is a bad
thing happening somewhere.

-- 
Margie
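The message above describes two patterns a mail operator has to tell apart: accounts whose SMTP AUTH credentials were brute forced, and accounts that relay despite strong passwords (a sign the credential leaked some other way). The following is an added example, not code from the thread or from any MTA project: it scans constructed, simplified Postfix-style log lines (hypothetical host `mx1`, made-up users, RFC 5737 test addresses; the `user=` suffix on failed-AUTH lines is an assumption of this toy format, not a guaranteed Postfix field) and flags accounts that authenticate after a run of failures, or that authenticate from an unusual number of distinct source addresses.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical host "mx1", made-up users, RFC 5737
# test addresses) in a simplified Postfix-like format; not a real capture.
SAMPLE_LOG = """\
Sep 20 16:01:02 mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: user=bob
Sep 20 16:01:03 mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: user=bob
Sep 20 16:01:04 mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: user=bob
Sep 20 16:01:05 mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: user=bob
Sep 20 16:01:06 mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: user=bob
Sep 20 16:01:09 mx1 postfix/smtpd[1234]: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=bob
Sep 20 16:05:00 mx1 postfix/smtpd[1240]: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Sep 20 16:05:30 mx1 postfix/smtpd[1241]: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice
Sep 20 16:06:00 mx1 postfix/smtpd[1242]: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=alice
Sep 20 16:06:30 mx1 postfix/smtpd[1243]: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice
Sep 20 16:07:00 mx1 postfix/smtpd[1244]: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=alice
Sep 20 16:10:00 mx1 postfix/smtpd[1250]: client=unknown[198.51.100.50], sasl_method=LOGIN, sasl_username=carol
"""

# Failed AUTH attempt: source address and (in this toy format) the user tried.
FAIL_RE = re.compile(
    r"\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed: user=(?P<user>\S+)"
)
# Successful AUTH: the client line carries the SASL username that relayed.
OK_RE = re.compile(
    r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)"
)


def analyse(log_text, fail_threshold=5, ip_threshold=4):
    """Return {user: [reasons]} for accounts whose AUTH activity looks abused.

    Two signals are checked per account that authenticated successfully:
      - at least fail_threshold failed attempts in the window (guessing,
        then a success: the brute-force case the thread mentions);
      - successful AUTH from at least ip_threshold distinct source addresses
        (a strong-password account relaying from many places, which points
        at a leaked credential rather than guessing).
    """
    failures = defaultdict(int)      # user -> failed AUTH attempts
    success_ips = defaultdict(set)   # user -> distinct IPs that authenticated
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m["user"]] += 1
            continue
        m = OK_RE.search(line)
        if m:
            success_ips[m["user"]].add(m["ip"])

    findings = {}
    for user, ips in success_ips.items():
        reasons = []
        if failures[user] >= fail_threshold:
            reasons.append("auth_success_after_%d_failures" % failures[user])
        if len(ips) >= ip_threshold:
            reasons.append("auth_from_%d_distinct_ips" % len(ips))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(user, ", ".join(reasons))
```

The two thresholds are deliberately separate: rate-limiting failed AUTH (the "protected against brute force" case) does nothing for the second pattern, where the password is correct every time and the only anomaly is where the sessions come from. In production the per-account IP count should be compared against that account's own baseline rather than a fixed number, and the window should be bounded in time.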

