exploit SMTP to relay mail 24.201.15.218

["Marc Chabot (.net)" <marc () chabot net>]

Hello Marijn

ssnc> Hi, just checking how your trial of SurgeMail is going.

Sorry for this super LATE reply, I just didn't had time to test
SurgeMail.  I just re-requested another trial version to test it RIGHT
NOW because communigate pro just failed the most important test.

I've been testing communigate pro, I'm doing this at home
before going ahead a the office...

So just after installing communigate pro, I tested the smtp with a
friend to be 100% sure it can't be used as an open relay and that all
users are forced to used authenticated password for smtp no matter
from where, ip, domain, whatever.  Authenticate or DIE.  With only 2
users and full logs, it's easy to monitor everything.

A few weeks later some rat bastards tried to relay mail and were
denonce to their ISP.  Again, a few weeks after that, which is today, I
was flabbergasted to see a hacker successfully use an exploit to get
communigate pro (trial version) to send a message to kido816 () aol com
from a fake jamesbn () utaxis com from 24.201.15.218

11-14-2003      15:06:38       @in TCP from 24.201.15.218 (modemcable218.15-201-24.mc.videotron.ca) :4652 to 
192.168.1.45 (P450) :25

That freaking WEASEL probably used a buffer overflow of some sort, but
I'll never know exactly how because I was not using snort or running a
packet sniffer at the time.  I which I had all those TCP packets to
analyse and see how it was done.

15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes
15:06:38.62 2 QUEUE([20099]) from <jamesbn () utaxis com>, 759 bytes 
(<080076058050052046050048049046049053046050049056058048058051048049055052@24.201.15.218>)
15:06:38.62 2 ENQUEUER-01([20099]) enqueued
15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB)  The IP address you are 
using to connect to AOL is a dynamic

18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816 () aol com delayed
18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message
18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@p450>)
18:16:58.26 2 ENQUEUER-01([20100]) enqueued
18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099]
18:16:59.42 3 SMTP-00384(utaxis.com) failed to connect to utaxis.com [66.96.1.29]:Error Code=connection refused

At 15:06:38.61 the weasel got the exploit to work on the first
attempt, my firewall and snpm logs confirm he connected only once.

at 15:06:38.85 AOL gives the finger to the mail server because my IP
is dynamic and not supposed to be relaying mail, at the office with a
static IP it would have worked, but here, AOL's spam fighting
technique worked and told my mail server to go to hell.

at 18:16:43.25 communigate try to send a delay warning to the fake
sender jamesbn () utaxis com but fails because UTAXIS.COM is a parked
domain with no MX record.

I retested it with somebody else, again, and again and again and again
and again and again and again, it really is configured correctly NOT
to relay, and all users must authenticate to use the smtp...  yet,
there IS an exploit for communigate pro, or communigate amateur to
rename it correctly.

Conclusion: Communigate Pro is phoque king GARBAGE!

I will NOT denounce this hacker to is ISP because I hope to see him do
it again (or try to do it) on your SurgeMail, so let's see how
SurgeMail can perform...


Saturday, September 13, 2003, 12:41:46 AM, a écrit:

ssnc> Return-Path: <surgemail-support () netwinsite com>
ssnc> Delivered-To: chabot.net%marc () chabot net
ssnc> Received: (cpmta 22560 invoked from network); 12 Sep 2003 23:00:12 -0700
ssnc> Received: from 216.65.3.228 (HELO netwinsite.com)
ssnc>   by smtp.c000.snv.cp.net (209.228.33.184) with SMTP; 12 Sep 2003 23:00:12 -0700
ssnc> X-Received: 13 Sep 2003 06:00:12 GMT
ssnc> Received: from netwin (unverified [127.0.0.1]) 
ssnc>         by netwinsite.com (SurgeMail 1.4a) with ESMTP id 1289423
ssnc>         for <marc () chabot net>; Fri, 12 Sep 2003 22:41:46 -0700
ssnc> Return-Path: <surgemail-support () netwinsite com>
ssnc> From: surgemail-support () netwinsite com
ssnc> Subject: Trial of SurgeMail
ssnc> To: marc () chabot net
ssnc> Date: Fri, 12 Sep 2003 22:41:46 -0700
ssnc> X-Server: High Performance Mail Server - http://surgemail.com
ssnc> Message-ID: <1063431706_11437@netwin>
ssnc> Status: U
ssnc> X-UIDL: P2KybdHkIbhYJAE

ssnc> Hi, just checking how your trial of SurgeMail is going.
ssnc> If you have any problems or questions don't hesitate to email me.

ssnc> Marijn

ssnc> Also if you have questions or problems try the online manual search feature:
ssnc>   http://netwinsite.com/surgemail/help

-- 
Yours Digitally,
 CanonBall                            mailto: marc () chabot net

We don't just delete spam, we delete spammers.
http://www.spammerhunters.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html