[59625] in North American Network Operators' Group
qmail smtp-auth bug allows open relay
daemon@ATHENA.MIT.EDU (John Brown)
Mon Jul 14 12:33:36 2003
Date: Mon, 14 Jul 2003 10:34:00 -0600
From: John Brown <jmbrown@chagresventures.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
is one URL that talks about this.
There has been an increase is what appears to be qmail based
open-relays over the last 5 days. Each of these servers
pass the normal suite of open-relay tests.
Spammers are scanning for SMTP-AUTH and STARTTLS based
mail servers that may be misconfigured. Then using them
to send out their trash.
Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect. This leads to /usr/bin/true
being used as the password checker. :(
From an operational perspective, I suspect we will see more
SMTP scans
The basic test (see URL above) should get incorporated into
various open-relay testing scripts.
cheers
john brown
chagres technologies, inc
