[70113] in North American Network Operators' Group


Re: Postfix errors from some new worm??

daemon@ATHENA.MIT.EDU (Scott Call)
Thu Apr 29 20:56:25 2004

Date: Thu, 29 Apr 2004 17:55:34 -0700 (PDT)
From: Scott Call <scall@devolution.com>
To: Nicole <nmh@daemontech.com>
Cc: <nanog@nanog.org>
In-Reply-To: <XFMail.040429171844.nmh@daemontech.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 29 Apr 2004, Nicole wrote:

>
>
>  Seems like it's trying to show web data... and it ignores errors.
>  I am seeing a bit of these. Nothing googleable for SHWAN-PROXY =[
>
>  Some broken script or worm?
>

It's most likely an HTTP proxy connection abuse.

Since CONNECT proxies are drying up, people are using open HTTP proxies
to try to send mail.

Basically they send a POST to the proxy that causes it to connect to your
server, and make an HTTP request that contains SMTP commands, so after the
HTTP commands it would have a line like:

value=\r\nHELO sdfads\r\nMAIL FROM:<Ima@spammer.com>\r\nRCPT
TO:<sucker@spammed.com>\r\nDATA\r\nSee my website\r\n.\r\n

which if your mail server ignores the errors caused by the HTTP header
will cause an SMTP session to be triggered.

I'm not sure if postfix has it, but setting a max number of errors per
session, or making sure the SMTP lock-step is followed can really help
stop these.

-S


>   Nicole
>
>
> Transcript of session follows.
>
>  Out: 220 krell.webweaver.net ESMTP commodore 64 Postfix Baby
>  In:  POST / HTTP/1.0
>  Out: 502 Error: command not implemented
>  In:  Via: 1.0 SHWAN-PROXY
>  Out: 502 Error: command not implemented
>  In:  Host: mail.webweaver.net:25
>  Out: 502 Error: command not implemented
>  In:  Content-Length: 1056
>  Out: 502 Error: command not implemented
>  In:  Content-Type: text/plain
>  Out: 502 Error: command not implemented
>  In:  Connection: Keep-Alive
>  Out: 502 Error: command not implemented
>  In:
>  Out: 500 Error: bad syntax
>  In:  RSET
>  Out: 250 Ok
>  In:  HELO webtv.net
>  Out: 250 krell.webweaver.net
>  In:  MAIL FROM:<swe4etp07@hotmail.com>
>  Out: 250 Ok
>  In:  RCPT TO:<nicole@webweaver.net>
>  Out: 550 Client host rejected: cannot find your hostname, [207.68.98.5]
>  In:  DATA
>  Out: 554 Error: no valid recipients
>  In:  To: <nicole@webweaver.net>
>  Out: 502 Error: command not implemented
>  In:  From: "roman" <jojo21planet@hotmail.com>
>  Out: 221 Error: I can break rules, too. Goodbye.
>
>
> --
>                      |\ __ /|   (`\
>                      | o_o  |__  ) )
>                     //      \\
>   -  nmh@daemontech.com  -  Powered by FreeBSD  -
> ------------------------------------------------------
>  "The term "daemons" is a Judeo-Christian pejorative.
>  Such processes will now be known as "spiritual guides"
>   -Politically Correct UNIX Page
>
>      http://www.nonsenseband.com
>
> *** Spam Sucks and I get tons of it. So I have some tight spam filters.
>      If any email to me bounces, please use your secret decoder ring
>      and please send to blabgoo at yahoo dot com  :)
>
>
>
>
>
>
>

-- 
Scott Call	Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
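The abuse Scott describes, as an added example (not part of the original thread and not Postfix code): a toy SMTP state machine in Python fed the bytes an open HTTP proxy would forward to port 25 after receiving the attacker's POST. Run with no error limit it answers 502 to every HTTP header line, then processes the SMTP commands in the POST body and queues the message. Run with either of the two controls Postfix exposes in main.cf, smtpd_hard_error_limit (hang up after N 4xx/5xx replies) or smtpd_forbidden_commands (whose default "CONNECT GET POST" ends the session on the first HTTP request line), it never reaches DATA. The hostname, addresses and the sample request are constructed for this example, modelled on the transcript quoted above; the reply strings imitate the transcript's wording and are not claimed to match any particular Postfix release.

```python
"""Toy SMTP server state machine fed with the bytes an open HTTP proxy would
forward to port 25, run once lenient and twice with Postfix-style controls."""

# Constructed sample input: an attacker's POST as the open proxy relays it to
# the mail server.  Header lines follow the transcript in the thread; the
# hostname and addresses are made up for this example.
PROXIED_REQUEST = (
    b"POST / HTTP/1.0\r\n"
    b"Via: 1.0 SHWAN-PROXY\r\n"
    b"Host: mail.example.invalid:25\r\n"
    b"Content-Type: text/plain\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"                                 # end of headers = empty SMTP line
    b"RSET\r\n"
    b"HELO webtv.net\r\n"
    b"MAIL FROM:<spammer@example.com>\r\n"
    b"RCPT TO:<victim@example.org>\r\n"
    b"DATA\r\n"
    b"See my website\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

SMTP_CMDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}


def smtpd(stream, hard_error_limit=None, forbidden_commands=()):
    """Run one SMTP session over the client bytes in `stream`.

    hard_error_limit   -- close with 421 once this many 4xx/5xx replies were
                          sent; None means never (the lenient server).
    forbidden_commands -- verbs that end the session at once, like Postfix's
                          smtpd_forbidden_commands (default CONNECT GET POST).
    Returns the (client line, reply) transcript, the messages accepted for
    delivery, the error count and the reply that closed the session.
    """
    forbidden = {c.upper() for c in forbidden_commands}
    helo, mail_from, rcpt_to = False, None, []
    transcript, accepted, errors, closed_by = [], [], 0, None
    lines = iter(stream.rstrip(b"\r\n").split(b"\r\n"))

    for raw in lines:
        line = raw.decode("latin-1")
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in forbidden:                       # HTTP verb: hang up now
            reply = "221 Error: I can break rules, too. Goodbye."
        elif not verb:
            reply = "500 Error: bad syntax"
        elif verb not in SMTP_CMDS:                 # e.g. "Via:", "Host:"
            reply = "502 Error: command not implemented"
        elif verb in ("HELO", "EHLO"):
            helo, reply = True, "250 mail.example.invalid"
        elif verb == "RSET":
            mail_from, rcpt_to, reply = None, [], "250 Ok"
        elif verb == "QUIT":
            reply = "221 Bye"
        elif verb == "MAIL":                        # lock-step: HELO first
            if not helo or mail_from is not None:
                reply = "503 Error: bad sequence of commands"
            else:
                mail_from, reply = line.split(":", 1)[1].strip(), "250 Ok"
        elif verb == "RCPT":                        # lock-step: MAIL first
            if mail_from is None:
                reply = "503 Error: need MAIL command"
            else:
                rcpt_to.append(line.split(":", 1)[1].strip())
                reply = "250 Ok"
        else:                                       # DATA
            if not rcpt_to:
                reply = "554 Error: no valid recipients"
            else:
                body = []
                for data_line in lines:             # read up to the lone "."
                    if data_line == b".":
                        break
                    body.append(data_line.decode("latin-1"))
                accepted.append({"from": mail_from, "to": list(rcpt_to),
                                 "body": "\n".join(body)})
                mail_from, rcpt_to, reply = None, [], "250 Ok: queued"
        transcript.append((line, reply))
        if reply[0] in "45":
            errors += 1
            if hard_error_limit is not None and errors >= hard_error_limit:
                reply = "421 Error: too many errors"
                transcript.append(("", reply))
        if reply.startswith(("221", "421")):
            closed_by = reply
            break
    return {"transcript": transcript, "accepted": accepted,
            "errors": errors, "closed_by": closed_by}


if __name__ == "__main__":
    for label, kw in [("lenient", {}),
                      ("forbidden", {"forbidden_commands": ("CONNECT", "GET", "POST")}),
                      ("error limit", {"hard_error_limit": 5})]:
        r = smtpd(PROXIED_REQUEST, **kw)
        print(f"--- {label}: {len(r['accepted'])} accepted, closed by {r['closed_by']!r}")
        for client, reply in r["transcript"]:
            print(f"In:  {client}\nOut: {reply}")
```

The MAIL and RCPT branches enforce the lock-step Scott mentions (MAIL before HELO, or RCPT before MAIL, gets a 503 instead of being acted on). Note that in the quoted transcript it was the client-hostname restriction at RCPT, not an error limit, that actually stopped the relay, so the error limit and forbidden-command list are defence in depth on top of recipient and relay restrictions, not a replacement for them.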

