From: Ronald F. Guilmette (no email)
Date: Thu Nov 01 2001 - 03:16:42 EST
In message <>, you wrote:
>the number one best way of blocking spam is to reject mail from
>non-existent domains...
Oh, well, I wasn't even counting THAT ONE!
Doing that just seems so sensible and obvious that I don't even give it
a second thought anymore. Anybody who isn't already doing that ought to
have his head examined.
>obviously, spammers have severe learning difficulties.
Yea. I guess so. If they can't even figure out that they may get more
deliveries if they use a real domain name instead of a totally made-up
one. Like DUH!
>postfix's "bad pipelining" check sometimes gets a lot. sometimes not.
>depends on which spammers are currently operating and what tricks
>they're trying. it has been unusually popular this week.
That may be directly related to this:
http://www.securityfocus.com/archive/1/221994
In a nutshell, some clever fellow figured out that it is possible to give
some web servers/proxies a command like:
POST http://some.host:25/ HTTP/1.0
followed by http "post data" consisting of:
EHLO domain
MAIL FROM:<>
RCPT TO:<>
DATA
spam spam spam spam...
.
QUIT
and that at least a few web servers & proxies would dutifully ship that
all over to some.host:25, whereupon the local mail server there would
dutifully issue errors for (but otherwise ignore) all of the HTTP headers
that get prefixed onto the "data" by the web server/proxy, and that then
they would just accept the SMTP commands and data as if nothing had happened.
I looked into this, and without too much work I found a couple of dozen
servers and/or proxies that were indeed vulnerable to this. I feel sure
that there are many more out there.
So tell me please, what is this postfix "bad pipelining check" you're
speaking of? How do I enable it? Do you think that it would thwart
this type of spamming?
P.S. I found out that the dirty web server trick described above can also
be accomplished with PUT as well as POST in some cases. Also (as if all
that weren't bad enough) even in the case of servers that aren't intending
to be proxies, if there is a mail server running on the same machine, then
this may work too:
POST http://localhost:25/ HTTP/1.0
(It's a depressingly insecure net out there.)
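The kind of greeting-stage check the post is asking about, as an added example that is not part of the original message and is not Postfix's code (Postfix's own version of the idea is the reject_unauth_pipelining restriction). It classifies the first burst a client sends on port 25 and picks an SMTP reply; the sample burst is constructed here to look like what a tricked proxy would deliver, with made-up hostnames and header values.

```python
import re

# Verbs a well-behaved client may open a session with; any other first
# command (e.g. MAIL before EHLO) is a protocol error.
OPENING_VERBS = {b"EHLO", b"HELO", b"STARTTLS", b"NOOP", b"RSET", b"QUIT"}
ALL_VERBS = OPENING_VERBS | {b"MAIL", b"RCPT", b"DATA", b"AUTH", b"VRFY", b"HELP"}
# Request line a web server/proxy prefixes when tricked into relaying to port 25.
HTTP_REQUEST_LINE = re.compile(rb"^(?:POST|PUT|GET|CONNECT|HEAD) \S+ HTTP/1\.[01]$")

REPLIES = {  # reply to send for each verdict; empty string means "proceed normally"
    "http-tunnel":    "554 5.7.0 Error: HTTP request on SMTP port, connection refused",
    "pipelining":     "550 5.5.0 Error: commands sent before the server could reply",
    "protocol-error": "503 5.5.1 Error: send HELO/EHLO first",
    "ok":             "",
}

def _verb(line: bytes) -> bytes:
    return line.split(None, 1)[0].upper() if line.strip() else b""

def classify_burst(burst: bytes) -> tuple[str, str]:
    """Classify the bytes a client sent in one read, after our 220 banner but
    before we have answered anything else (so pipelining is not yet permitted:
    the client has not seen an EHLO reply advertising it)."""
    lines = [ln.rstrip(b"\r") for ln in burst.split(b"\n") if ln.strip(b"\r")]
    if not lines:
        return "ok", "no client data"
    commands = [ln for ln in lines if _verb(ln) in ALL_VERBS]
    if HTTP_REQUEST_LINE.match(lines[0]):
        return "http-tunnel", (f"{lines[0].decode(errors='replace')!r} on port 25, "
                               f"{len(commands)} SMTP command(s) behind the HTTP headers")
    if not commands:
        return "protocol-error", "no recognisable SMTP command"
    if len(commands) > 1:
        return "pipelining", f"{len(commands)} commands in one burst before any reply"
    if _verb(commands[0]) not in OPENING_VERBS:
        return "protocol-error", f"session opened with {_verb(commands[0]).decode()}"
    return "ok", "single opening command"

def reply_for(burst: bytes) -> str:
    """SMTP reply for the burst, or '' if the session may continue normally."""
    return REPLIES[classify_burst(burst)[0]]

# Constructed sample (fictional hosts, made-up Content-Length) of what a
# vulnerable proxy hands to port 25 for the POST trick described above.
TUNNELLED_BURST = (b"POST / HTTP/1.0\r\nHost: mail.example.net:25\r\nContent-Length: 82\r\n\r\n"
                   b"EHLO spammer.example\r\nMAIL FROM:<>\r\nRCPT TO:<victim@example.net>\r\n"
                   b"DATA\r\nspam spam spam spam...\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for sample in (TUNNELLED_BURST, b"EHLO mx.example.org\r\n", b"MAIL FROM:<>\r\n"):
        print(classify_burst(sample), reply_for(sample))
```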
-
To unsubscribe, send mail to with content
(not subject): unsubscribe postfix-users