Full Disclosure mailing list archives

Re: HTTP request with SMTP message


From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Mon, 24 Nov 2003 19:43:24 +0100

Hi Tiago,
This is the same abuse that normally affects Apache (with Apache you can
use mod_rewrite to redirect this type of abuse to another URL).
This is the proof that open source is better :)
In IIS you can set some rules, or use URLScan, etc.
Try to install an IDS in front of the web server and filter the HTTP
requests that contain the headers of an SMTP transfer.
___snippet of mod_rewrite for apache :)____

If you want to  use Apache instead of IIS :
:) its better of course !

RewriteEngine on

# Log every rewrite hit so the abusing clients can be reviewed later
RewriteLog "/[log dir]/fsckers-smtp-t-http.log"
RewriteLogLevel 1

# Match any request line that starts with the CONNECT method
RewriteCond %{THE_REQUEST} ^CONNECT.*
# Send every such request to the notice page instead of proxying it
RewriteRule .* /youfuckerspammer.html [L]



Why this?

Because attackers normally use a netcat connection to dump the SMTP relay
information for transferring emails, etc.:

trulux@hell /home/trulux:$ netcat www.pooradmintothehell.foo 80
CONNECT smtp.mail.yahoo.com:25 HTTP/1.0

and the web server receives the CONNECT line; with mod_rewrite this request
will not work.
If you want to see who is trying this, simply check for Apache log entries
like this:
127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"

___/snippet___

I hope this post will help you a little to take the correct way to protect
your web server :)

Best regards to all FD,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________
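The log check described above, as an added example that is not part of the original post and not Apache's or URLScan's own code: a small Python script (the regular expressions, function names and the sample log lines are all constructed for illustration) that scans Apache combined-format access log lines and flags the two request shapes seen in this thread, a CONNECT tunnel request and a request for an absolute URI whose target port is 25.

```python
import re
from typing import List, Optional, Tuple

# Apache combined log format: host ident user [date] "request" status bytes "referer" "agent"
# (constructed regex; only the fields needed for the check are captured)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Shape 1: a CONNECT tunnel request (the netcat example in the post above)
CONNECT_RE = re.compile(r'^CONNECT\s+(?P<target>\S+)', re.IGNORECASE)
# Shape 2: a proxy-style request with an absolute URI (the POST in the original report)
ABS_URI_RE = re.compile(r'^(?P<method>[A-Z]+)\s+https?://(?P<authority>[^/\s]+)', re.IGNORECASE)

SMTP_PORT = '25'


def proxy_abuse_reason(request_line: str) -> Optional[str]:
    """Return why a request line looks like SMTP-over-HTTP relay abuse, or None."""
    m = CONNECT_RE.match(request_line)
    if m:
        return f"CONNECT tunnel to {m.group('target')}"
    m = ABS_URI_RE.match(request_line)
    if m:
        authority = m.group('authority')
        host, _, port = authority.rpartition(':')
        # Only absolute URIs that name the SMTP port are flagged; a plain
        # "http://host/" with no port is left alone.
        if host and port == SMTP_PORT:
            return f"{m.group('method').upper()} to absolute URI on SMTP port ({authority})"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, request line, reason) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        reason = proxy_abuse_reason(m.group('request'))
        if reason:
            hits.append((m.group('host'), m.group('request'), reason))
    return hits


# Constructed sample log lines (addresses and dates are made up)
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2003:19:40:01 +0100] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"
10.0.0.6 - - [24/Nov/2003:19:40:02 +0100] "POST http://192.0.2.10:25/ HTTP/1.1" 200 540 "-" "-"
10.0.0.7 - - [24/Nov/2003:19:40:03 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
10.0.0.8 - - [24/Nov/2003:19:40:04 +0100] "GET http://www.example.com/ HTTP/1.1" 200 88 "-" "-"
"""

if __name__ == "__main__":
    for client, request, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{reason}\t{request}")
```

Run against a real access log with `scan_log(open(path).read().splitlines())`; a 200 status on a flagged line (as in the log entry quoted above) means the request was served rather than refused, which is the case worth following up.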
----- Original Message ----- 
From: "Tiago Halm" <thalm () netcabo pt>
To: <full-disclosure () lists netsys com>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-disclosure] HTTP request with SMTP message


It's not the first time, but I gave up trying to figure it out.
My IIS (port 80) received this HTTP request from x.x.x.x.

Any thoughts?

--------------------------------------------------------------------------
POST http://x.x.x.x:25/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 540
Host: x.x.x.x

HELO ps.com
MAIL FROM:<vsuhfbovuhs () socal rr com>
RCPT TO: <looc_si_maps () yahoo ie>
DATA
Message-ID:
<080083058050049051046050050046055052046050052052058052058056048 () ps com>
To: <looc_si_maps () yahoo ie>
From:vsuhfbovuhs () socal rr com
Subject: no doubt homie
Date: Sat, 22 Nov 2003 10:06:34 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

Message Body
.
QUIT
--------------------------------------------------------------------------

Tiago Halm
http://www.kodeit.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


