Full Disclosure mailing list archives
exploit SMTP to relay mail 24.201.15.218
From: "Marc Chabot (.net)" <marc () chabot net>
Date: Sat, 15 Nov 2003 02:18:16 -0500
Hello Marijn ssnc> Hi, just checking how your trial of SurgeMail is going. Sorry for this super LATE reply, I just didn't had time to test SurgeMail. I just re-requested another trial version to test it RIGHT NOW because communigate pro just failed the most important test. I've been testing communigate pro, I'm doing this at home before going ahead a the office... So just after installing communigate pro, I tested the smtp with a friend to be 100% sure it can't be used as an open relay and that all users are forced to used authenticated password for smtp no matter from where, ip, domain, whatever. Authenticate or DIE. With only 2 users and full logs, it's easy to monitor everything. A few weeks later some rat bastards tried to relay mail and were denonce to their ISP. Again, a few weeks after that, which is today, I was flabbergasted to see a hacker successfully use an exploit to get communigate pro (trial version) to send a message to kido816 () aol com from a fake jamesbn () utaxis com from 24.201.15.218 11-14-2003 15:06:38 @in TCP from 24.201.15.218 (modemcable218.15-201-24.mc.videotron.ca) :4652 to 192.168.1.45 (P450) :25 That freaking WEASEL probably used a buffer overflow of some sort, but I'll never know exactly how because I was not using snort or running a packet sniffer at the time. I which I had all those TCP packets to analyse and see how it was done. 15:06:38.61 2 SMTPI-00105(24.201.15.218) [20099] received, 759 bytes 15:06:38.62 2 QUEUE([20099]) from <jamesbn () utaxis com>, 759 bytes (<080076058050052046050048049046049053046050049056058048058051048049055052@24.201.15.218>) 15:06:38.62 2 ENQUEUER-01([20099]) enqueued 15:06:38.85 3 SMTP-00377(aol.com) Expected '220 ...' at [64.12.137.152], got:554- (RTR:BB) The IP address you are using to connect to AOL is a dynamic 18:16:43.25 2 DEQUEUER [20099] SMTP(aol.com)kido816 () aol com delayed 18:16:58.25 2 DEQUEUER-01 [20099] generating a 'WARNING. Mail Delayed' message 18:16:58.26 2 QUEUE([20100]) from <>, 1594 bytes (<receipt-20100@p450>) 18:16:58.26 2 ENQUEUER-01([20100]) enqueued 18:16:58.26 2 DEQUEUER-01 report [20100] is composed for [20099] 18:16:59.42 3 SMTP-00384(utaxis.com) failed to connect to utaxis.com [66.96.1.29]:Error Code=connection refused At 15:06:38.61 the weasel got the exploit to work on the first attempt, my firewall and snpm logs confirm he connected only once. at 15:06:38.85 AOL gives the finger to the mail server because my IP is dynamic and not supposed to be relaying mail, at the office with a static IP it would have worked, but here, AOL's spam fighting technique worked and told my mail server to go to hell. at 18:16:43.25 communigate try to send a delay warning to the fake sender jamesbn () utaxis com but fails because UTAXIS.COM is a parked domain with no MX record. I retested it with somebody else, again, and again and again and again and again and again and again, it really is configured correctly NOT to relay, and all users must authenticate to use the smtp... yet, there IS an exploit for communigate pro, or communigate amateur to rename it correctly. Conclusion: Communigate Pro is phoque king GARBAGE! I will NOT denounce this hacker to is ISP because I hope to see him do it again (or try to do it) on your SurgeMail, so let's see how SurgeMail can perform... Saturday, September 13, 2003, 12:41:46 AM, a écrit: ssnc> Return-Path: <surgemail-support () netwinsite com> ssnc> Delivered-To: chabot.net%marc () chabot net ssnc> Received: (cpmta 22560 invoked from network); 12 Sep 2003 23:00:12 -0700 ssnc> Received: from 216.65.3.228 (HELO netwinsite.com) ssnc> by smtp.c000.snv.cp.net (209.228.33.184) with SMTP; 12 Sep 2003 23:00:12 -0700 ssnc> X-Received: 13 Sep 2003 06:00:12 GMT ssnc> Received: from netwin (unverified [127.0.0.1]) ssnc> by netwinsite.com (SurgeMail 1.4a) with ESMTP id 1289423 ssnc> for <marc () chabot net>; Fri, 12 Sep 2003 22:41:46 -0700 ssnc> Return-Path: <surgemail-support () netwinsite com> ssnc> From: surgemail-support () netwinsite com ssnc> Subject: Trial of SurgeMail ssnc> To: marc () chabot net ssnc> Date: Fri, 12 Sep 2003 22:41:46 -0700 ssnc> X-Server: High Performance Mail Server - http://surgemail.com ssnc> Message-ID: <1063431706_11437@netwin> ssnc> Status: U ssnc> X-UIDL: P2KybdHkIbhYJAE ssnc> Hi, just checking how your trial of SurgeMail is going. ssnc> If you have any problems or questions don't hesitate to email me. ssnc> Marijn ssnc> Also if you have questions or problems try the online manual search feature: ssnc> http://netwinsite.com/surgemail/help -- Yours Digitally, CanonBall mailto: marc () chabot net We don't just delete spam, we delete spammers. http://www.spammerhunters.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- exploit SMTP to relay mail 24.201.15.218 Marc Chabot (.net) (Nov 14)