Nope, I thought it might be operational in nature. ergo spammers and others now scanning for qmail-smtp-auth patch users and using those weak sites as a relay.
the issue is that those sites will PASS the current "open relay" check tools and thus not be BLACK LISTED. Hey, what a cool feature. Passes open-relay test, won't get black listed, and can be used to relay spam. this might cause more traffic,, more abuse complaints, more headaches for those in operations... ps: the URL is *from* the qmail list. cheers, john On Mon, Jul 14, 2003 at 08:45:44PM -0800, W.D. McKinney wrote: > > John, > > Did you mean to post this on the qmail list per chance ? > > Dee > > On Mon, 2003-07-14 at 08:34, John Brown wrote: > > seems that there are installs of the smtp-auth patch > > to qmail that accept anything as a user name and password > > and thus allow you to connect. > > > > http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2 > > > > is one URL that talks about this. > > > > There has been an increase is what appears to be qmail based > > open-relays over the last 5 days. Each of these servers > > pass the normal suite of open-relay tests. > > > > Spammers are scanning for SMTP-AUTH and STARTTLS based > > mail servers that may be misconfigured. Then using them > > to send out their trash. > > > > Some early docs on setting up qmail based smtp-auth systems > > had the config infor incorrect. This leads to /usr/bin/true > > being used as the password checker. :( > > > > >From an operational perspective, I suspect we will see more > > SMTP scans > > > > The basic test (see URL above) should get incorporated into > > various open-relay testing scripts. > > > > cheers > > > > john brown > > chagres technologies, inc > > > > >