qmail smtp-auth bug allows open relay

John_Brown · July 14, 2003, 4:34pm

seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

is one URL that talks about this.

There has been an increase is what appears to be qmail based
open-relays over the last 5 days. Each of these servers
pass the normal suite of open-relay tests.

Spammers are scanning for SMTP-AUTH and STARTTLS based
mail servers that may be misconfigured. Then using them
to send out their trash.

Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect. This leads to /usr/bin/true
being used as the password checker.

From an operational perspective, I suspect we will see more

SMTP scans

The basic test (see URL above) should get incorporated into
various open-relay testing scripts.

cheers

john brown
chagres technologies, inc

W.D_McKinney · July 15, 2003, 4:45am

John,

Did you mean to post this on the qmail list per chance ?

Dee

Valdis_Kletnieks · July 15, 2003, 5:53am

Doubtful, he's *citing* a posting from an archive of the qmail list.

It's a heads-up for your abuse desk, that the trojaned DSL/cablemodem customers
of yours that have been acting as spam relays are likely to start scanning for
open qmail servers to abuse....

John_Brown · July 16, 2003, 2:17am

Nope, I thought it might be operational in nature. ergo
spammers and others now scanning for qmail-smtp-auth patch
users and using those weak sites as a relay.

the issue is that those sites will PASS the current "open relay"
check tools and thus not be BLACK LISTED.

Hey, what a cool feature. Passes open-relay test, won't get
black listed, and can be used to relay spam.

this might cause more traffic, more abuse complaints, more
headaches for those in operations…

ps: the URL is *from* the qmail list.

cheers,
john

John_Brown · July 16, 2003, 2:18am

Yup, what he said.

yeah, all those lovely home based DSL/Cable/Wireless users with Linux/BSD
qmail-smtp-auth setups thinking they are safe and can relay off of their
nifty box at home / soho.

Weeeee

john

Margie · July 16, 2003, 2:29am

I think this *is* operational in nature. FYI, we have found this hack actively being used on seemingly secure qmail, exchange, IMail, postfix servers run by admins with clue. And we have a pattern of the same content and an apparent small set of source IPs. (I'm working on that angle now)

Check your mail logs campers.

Jack_Bates · July 16, 2003, 10:37am

Margie Arbon wrote:

Check your mail logs campers.

You're joking, right? *headache just thinking about those logs*

-Jack

Stephen_Sprunk3 · July 19, 2003, 10:46pm

Thus spake "John Brown" <jmbrown@chagresventures.com>

seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

is one URL that talks about this.
...
Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect. This leads to /usr/bin/true
being used as the password checker.

That isn't a bug; it's a documentation problem and/or incompetent admin,
depending on how generous you're feeling.

S

Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking