BTW, I do trust people are aware that POST/PUT can _also_ be exploited to
send spam, as per the following from RFG a while back?
>See this recent post to BUGTRAQ:
>
>http://www.securityfocus.com/archive/1/221994
>
>
>"It's possible to connect to one of the numerous public HTTP proxy
>servers and send a request like:
>
>POST http://some.host:25/ HTTP/1.0
>
>giving the SMTP commands as a content."
I'm always a skeptic, so I just checked this out for myself.
It's for real, it works, and God help us. My guess is that there
are a probably a couple of zillion public web proxies out there that
will happily do this. There may be as many of these as there are open
relays (and ordb sez that there are least 116,550 of those at the moment).
Note: The original example exploit program has a sligh imperfection
that may cause it not to work against some mail servers (e.g. Postfix)
that it would otherwise work against. Specifically, the example exploit
code given uses HELO where it should instead use EHLO. This can make a
difference when talking to some mail servers that want you to use EHLO
if you are also going to be using so-called `command pipelining' (i.e.
pushing everything you have at the mail server as fast as you can without
waiting, synchronously, for SMTP responses).
The only good news here is that implementors of mail servers (Sam? Are
you listening?) and NNTP news servers (and any/all other sorts of servers
that typically expect text lines as input) can easily defeat this ploy by
checking to see if the very first ``command'' that is received after the
connection is established is either `POST' or `PUT'. (Yes, this hack
appears to work with http PUT also.) If it is, then the server should
just drop the connection immediately. It should NOT just issue an error
message and they happily continue to accept other commands. It is the
propensity of mail & news servers to do that exact thing that makes this
hack work. If however your mail/news server just drops the connection
when it sees a POST or PUT, then that will completely thwart this http
proxy trick, because the proxy has no idea how to retry, or even that it
should attempt to do so. (Note that POST is a legitimate NNTP command,
so disallowing this one in news servers is going to be a bit tricky. It
is going to have to be selectively disallowed only when the line on which
it appears contains additional `stuff', like for example... "/ HTTP/1.0".)
Oh yea, and you _may_ perhaps need to block more than just POST and PUT.
I'm looking at the code for squid right now, and there may perhaps be
several other HTTP method names that mail & news servers should recognize
and drop the connection when they see. I haven't had time to check these
all out yet, but here is the whole squid list:
--- The following is from a mail admin for altavista, incidentally, who was involved in cleaning up a massive abuse of altavista.com addresses via open proxies: --- Forwarded mail from Suresh Ramasubramanian <mallet@x> +++ Allen Smith [spam-l] <20/02/02 17:20 -0500>: > I'm not sure whether the 'Re: ABUSE-RE: No Fee! Accept Credit Cards Today! > [6dczt]' thread contained an example; whether the "open proxies" that > Suresh was discussing were being used for web connections or email > connections wasn't clear. I have seen a lot of ways. Even worse, when distributed across a lot of open proxies. 1. direct to MX spam from the proxies 2. Connect to webmail servers, signup for accounts (using dictd or worse, a markov chain sort of thing to generate usernames and passwords) - and spam to maybe 10 people from each account. Then discard account, signup for a new account (from a new proxy) and repeat. 3. Use open proxies - but set the damn signed up addresses to be dropboxes in the body or elsewhere, instead of the envelope sender -srs ---End of forwarded mail from Suresh Ramasubramanian <mallet@x> -- Allen Smith http://cesario.rutgers.edu/easmith/ September 11, 2001 A Day That Shall Live In Infamy II "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin FranklinReceived on Thu Feb 21 2002 - 07:14:46 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:30 MST