[24419] in bugtraq
[Fwd: RE: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint fire wall]]
daemon@ATHENA.MIT.EDU (Corey J. Steele)
Tue Feb 26 17:51:54 2002
From: "Corey J. Steele" <csteele@good-sam.com>
To: bugtraq@securityfocus.com
Date: 25 Feb 2002 15:39:02 -0600
Message-Id: <1014673142.14187.23.camel@ws47619>
This was off-list discussion, but I suspect it may be useful for others
on the list.
-C
--
Information Security Analyst
Good Samaritan Society
e-mail: csteele@good-sam.com
voice: (605) 362-3899
PGP Key fingerprint = 564F 2A97 2ADA F492 F34C 8E4A 12AF 9DC3 400E 2DD6
Forwarded message - RE: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint fire wall]
Subject: RE: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint fire wall]
From: "Corey J. Steele" <csteele@good-sam.com>
To: Peter Bieringer <pb@bieringer.de>
Cc: Proescholdt timo <Timo.Proescholdt@brk-muenchen.de>, 'Steve VanDevender' <stevev@hexadecimal.uoregon.edu>
In-Reply-To: <109540000.1014670188@localhost>
References: <410B51F29EA8D3118EE400508B44AE2B3C6FCD@rz-nt-mail.brk-muenchen.de> <1014386253.12936.4.camel@ws47619> <109540000.1014670188@localhost>
X-Mailer: Evolution/1.0.2
Date: 25 Feb 2002 15:26:16 -0600
Message-Id: <1014672376.14187.17.camel@ws47619>
Well...
[csteele@ws47619 csteele]$ telnet viruswall 8080
Trying XXX.XXX.XXX.XXX...
Connected to viruswall.
Escape character is '^]'.
CONNECT mailserver:25 / HTTP/1.0
HTTP/1.0 403 Forbidden
Server: Squid/2.3.STABLE4
Mime-Version: 1.0
Date: Mon, 25 Feb 2002 21:55:38 GMT
Content-Type: text/html
Content-Length: 729
Expires: Mon, 25 Feb 2002 21:55:38 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from viruswall
Proxy-Connection: close
<HTML><HEAD>
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR>
<P>
While trying to retrieve the URL:
<A HREF="mailserver:25">mailserver:25</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time. Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster">webmaster</A>.
<br clear="all">
<hr noshade size=1>
Generated Mon, 25 Feb 2002 21:55:38 GMT by viruswall (Squid/2.3.STABLE4)
</BODY></HTML>
Connection closed by foreign host.
We have VirusWall listening on port 8080, and then sending
non-virus-laced requests to a SmartFilter-enabled SQUID proxy. All
systems are Linux based -- most are Red Hat 6.2, with latest applicable
patches. We built squid ourselves to include SmartFilter.
Hopefully this helps...
Best Regards
-C
On Mon, 2002-02-25 at 14:49, Peter Bieringer wrote:
> Hi
>
> --On Friday, February 22, 2002 07:57:33 AM -0600 "Corey J. Steele"
> <csteele@good-sam.com> wrote:
>
> > Trend's Interscan 3.6 running on Linux is not vulnerable to this
> > (we are using Interscan in conjunction with squid.)
>
> Are you sure? I've tested 3.6 Build 1182 and I found it's proceeding
> CONNECT without any problems, also to a remote mailserver:
>
> # telnet viruswall 80
> Trying 1.2.3.4...
> Connected to viwa.
> Escape character is '^]'.
> CONNECT mail.server.com:25 / HTTP/1.0
>
> HTTP/1.0 200 Connection established
> Proxy-agent: InterScan 2.0
>
> 220 mail.server.com ESMTP
> mail from: <user@domain.com>
> 250 ok
> rcpt to: <user@domain.com>
> 250 ok
> data
> 354 go ahead
> test
> .
> 250 ok 1014669994 qp 21827
> quit
> 221 mail.server.com
> Connection closed by foreign host.
>
>
> The only thing is that you have to type the CONNECT line quickly, so
> use "nc" or copy and paste for that.
>
> You can solve this if you are using squid as dispatcher and bypass
> Interscan for CONNECT (which we do on a customer installation).
>
>
> Peter
>
--
Information Security Analyst
Good Samaritan Society
e-mail: csteele@good-sam.com
voice: (605) 362-3899
PGP Key fingerprint = 564F 2A97 2ADA F492 F34C 8E4A 12AF 9DC3 400E 2DD6
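The two transcripts above differ only in the proxy's first response line: Squid refuses the CONNECT with `403 Forbidden`, InterScan 3.6 answers `200 Connection established` and hands the client straight to the mail server's `220` greeting. The following script is an added example, not code from this thread, from Trend Micro or from Squid. It turns the manual telnet check into something an administrator can run against their own proxy and classifies the reply the way a reader of the thread would by eye. The constructed `SQUID_DENIED` and `INTERSCAN_ALLOWED` byte strings are trimmed from the transcripts in the thread; `probe_connect`, the proxy host/port and the `mailserver.example:25` target are assumptions for illustration.

```python
"""Audit an HTTP proxy for CONNECT tunnelling to an SMTP port.

Added example; not code from the bugtraq thread, Trend Micro or Squid.
It scripts the manual telnet check shown in the thread so an administrator
can run it against their own proxy, and classifies the first thing the
proxy sends back: a 2xx status means the proxy opened the tunnel (the
InterScan 3.6 behaviour Peter Bieringer reports), any other status means
it refused (the Squid 403 in Corey Steele's transcript).
"""
import socket
import sys

# Two responses constructed from the transcripts in the thread, used by the
# offline checks (header lines trimmed to the ones that matter).
SQUID_DENIED = (
    b"HTTP/1.0 403 Forbidden\r\n"
    b"Server: Squid/2.3.STABLE4\r\n"
    b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
    b"\r\n"
)
INTERSCAN_ALLOWED = (
    b"HTTP/1.0 200 Connection established\r\n"
    b"Proxy-agent: InterScan 2.0\r\n"
    b"\r\n"
    b"220 mail.server.com ESMTP\r\n"
)


def parse_status(response):
    """Return (code, reason) from the proxy's status line, or None if the
    first line is not an HTTP status line (e.g. a bare SMTP greeting)."""
    first_line = response.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    return code, reason


def tunnel_opened(response):
    """True if the proxy answered CONNECT with 2xx, i.e. it relayed the TCP
    connection to the requested host:port."""
    status = parse_status(response)
    return status is not None and 200 <= status[0] < 300


def smtp_banner_seen(response):
    """True if an SMTP 220 greeting followed the proxy's header block: the
    mail server is reachable through the proxy and would accept commands."""
    if not tunnel_opened(response):
        return False
    _headers, sep, body = response.partition(b"\r\n\r\n")
    return sep != b"" and body.lstrip().startswith(b"220 ")


def verdict(response):
    """Short classification of one proxy reply, used by the report line."""
    if parse_status(response) is None:
        return "unparsed"
    if smtp_banner_seen(response):
        return "tunnel-open-smtp"
    if tunnel_opened(response):
        return "tunnel-open"
    return "denied"


def probe_connect(proxy_host, proxy_port, target, timeout=5.0):
    """Send one CONNECT for `target` ("host:port") to the proxy and return
    the bytes received before the socket is closed.  Network call, not run
    by the offline checks.  The request line uses the standard
    'CONNECT host:port HTTP/1.0' form, without the stray '/' typed in the
    thread's transcripts."""
    request = ("CONNECT %s HTTP/1.0\r\n\r\n" % target).encode("ascii")
    data = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        # Read until the header block is complete; if a tunnel opened, keep
        # reading briefly so the far end's greeting is captured as well.
        for _ in range(4):
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if b"\r\n\r\n" in data and not tunnel_opened(data):
                break
    return data


if __name__ == "__main__":
    # Usage: python connect_audit.py PROXY_HOST PROXY_PORT [TARGET]
    # TARGET is a placeholder by default; point it at your own mail relay.
    host, port = sys.argv[1], int(sys.argv[2])
    target = sys.argv[3] if len(sys.argv) > 3 else "mailserver.example:25"
    reply = probe_connect(host, port, target)
    print("%s:%d CONNECT %s -> %s" % (host, port, target, verdict(reply)))
```

A `tunnel-open` or `tunnel-open-smtp` verdict against a proxy that faces untrusted clients is the finding this thread is about: the proxy has become an open relay for whatever service the client names. Note the race Peter mentions (the CONNECT line has to arrive quickly) disappears when the request is sent programmatically in one write.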
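Peter's fix is to let Squid, not InterScan, decide which CONNECT requests are honoured. The Squid side of that, as an added example that is not the configuration from either poster's installation, is the standard `squid.conf` access-control pattern below: the directive and ACL syntax are Squid's own, while the allowed port list and the `10.0.0.0/8` client network are placeholders to be replaced with local values.

```conf
# Added example: squid.conf access-control lines (not the configuration
# from the thread).  Directive and ACL syntax are standard squid.conf;
# which ports and client networks to allow is a local decision.

# The only destination ports a CONNECT request may tunnel to.
acl SSL_ports port 443

# Requests using the CONNECT method.
acl CONNECT method CONNECT

# Refuse CONNECT to anything but the listed ports.  A request such as
# "CONNECT mailserver:25 HTTP/1.0" then gets 403 Forbidden, as in Corey's
# transcript.  Order matters: this deny must precede any rule that allows
# the client networks.
http_access deny CONNECT !SSL_ports

# Placeholder client network, then the usual final catch-all.
acl our_networks src 10.0.0.0/8
http_access allow our_networks
http_access deny all
```

These rules only take effect for CONNECT requests that actually reach Squid. In Peter's test InterScan answered the CONNECT itself and Squid never saw it, which is why he puts Squid in front as the dispatcher and routes CONNECT around InterScan; in Corey's setup the CONNECT was passed through to Squid, whose ACLs produced the 403.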