Watch out for misconfigured webservers used to send spam.

I was tuning some mailservers today, making the envelope checks quite tough,
and adding some RBLs that we're interested in using.

I noticed that there was a large queue of what looked like spam sitting in
the deferred queue of one of our machines.  All the messages had recipients
in the aol domain and bogus senders, and had been deferred due to connection
refused at the AOL mailserver.

A quick awk+postsuper spell emptied the queue of the rogue messages, and the
new rules were showing that more of these messages were not getting through.
All good.

What seemed interesting was that the source IP for most of these was another
machine on the same subnet.

netstat --inet -lnp | grep ':25 ' on the suspect machine showed a few httpd
processes doing the connection to our newly locked down mailserver.  What
the hell?

I reconfigured the webserver to enable mod_status, turned ExtendedStatus on,
and checked out what the webserver was doing.  A quick reload and a re-exec
of the netstat command, then searching the server-status page for some of
the suspect process ids showed that the particular PID at that time was
servicing an HTTP POST to the IP of the mailserver on port 25.  What
the hell?

A little bit more investigating showed that the webserver had mod_proxy
incorrectly configured.  The access controls were allowing anyone to proxy
anything to anywhere... including allowing random people to submit posts to
random urls... random urls that included every MX listed in the same subnet.

We also found a further misconfiguration with the mailserver that would have
allowed it to act as a limited relay, for the purposes of this particular
spammer.

So, it was a neat hack that got performed, and I'm impressed by whoever came
up with the idea.  I'm guessing however that the specific spammer here had
brute-forced to find mailservers on the same subnet as the webserver, and it
looks like the spoofing was done by using the domains that this mailserver
is MX for, as the from address in the envelope -- again just brute-forcing
possible values until it works.  I'm wondering now how widespread this
proxy spam attack is.

So, does anyone know how to detect if a webserver is an open proxy just by
connecting to it?  Or is that another thing that would be brute-forced?  I
suspect not, otherwise there'd be a lot of proxied POST attempts showing up
in the logs.

-- 
[EMAIL PROTECTED]                           http://spacepants.org/jaq.gpg
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
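For anyone checking their own httpd.conf after reading this: the mod_proxy setting that produces the behaviour described above is ProxyRequests On combined with a <Proxy *> block that lets every client through. The fragment below is an added example for this thread, not configuration from the original post or from the affected servers; the addresses and paths in it are made up, and it uses the Apache 2.0/2.2 Order/Allow/Deny syntax (2.4 replaces that with Require).

```apache
# Weak: a forward proxy that anyone on the Internet can use.  With this in
# place a client can send "POST http://<MX address>:25/ HTTP/1.0" to the
# webserver and mod_proxy will open the connection to port 25 for them.
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Fixed (1): no forward proxying at all, which is the default.  Reverse
# proxying a backend with ProxyPass does not need ProxyRequests On.
# (Backend address is an illustrative placeholder.)
ProxyRequests Off
ProxyPass        /app/ http://10.0.0.5:8080/app/
ProxyPassReverse /app/ http://10.0.0.5:8080/app/

# Fixed (2): a forward proxy really is needed, so limit who may use it.
# Note that AllowCONNECT only governs CONNECT tunnels; an absolute http://
# URI naming port 25 is still forwarded for any permitted client, so the
# client access list is the control that matters.
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Proxy>
AllowCONNECT 443 563
```

After changing it, "apachectl configtest" and a graceful restart, then watch the access log for request lines whose target begins with "http://" or whose method is CONNECT; with ProxyRequests Off those should now be answered with a 4xx rather than forwarded.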

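On the detection question, two checks are worth having: scanning the access log for request lines that name another host (an absolute URI, or a CONNECT target), which is what a forward-proxied request looks like in Apache's log, and actively asking the server for a page you control to see whether it fetches it for you. The script below is an added example for this thread, not code from the original post; the log lines, addresses and hostnames in it are constructed, and the test URL and marker arguments to the probe are hypothetical values you would supply yourself.

```python
"""Spot forward-proxy abuse of an Apache server.

1. Scan an access log for proxy-style request lines (absolute URI or
   CONNECT); a mod_proxy open relay leaves exactly these behind.
2. Probe a server by asking it, proxy-style, for a page you control.

Added example for this thread, not from the original post.  All hosts,
addresses and log lines below are constructed.
"""
import re
import socket

# Apache "combined" format up to the status field (adjust to your LogFormat).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Absolute-URI target, e.g. http://203.0.113.25:25/ ; CONNECT target is host:port.
ABS_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://(?P<host>[^/:?#]+)(?::(?P<port>\d+))?')
CONNECT_RE = re.compile(r'^(?P<host>[^/:]+):(?P<port>\d+)$')


def proxy_destination(method, target):
    """(host, port) if the request line is a forward-proxy request, else None.
    Requests for the server's own content have a target starting with '/'."""
    if method == "CONNECT":
        m = CONNECT_RE.match(target)
        return (m.group("host"), int(m.group("port"))) if m else None
    m = ABS_URI_RE.match(target)
    if not m:
        return None
    return (m.group("host"), int(m.group("port") or 80))


def find_proxied_requests(log_text):
    """One dict per proxy-style request found in Apache access-log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        dest = m and proxy_destination(m.group("method"), m.group("target"))
        if dest:
            hits.append({"client": m.group("client"), "method": m.group("method"),
                         "host": dest[0], "port": dest[1],
                         "status": int(m.group("status"))})
    return hits


def smtp_relay_attempts(log_text):
    """Proxied requests aimed at port 25: the spam-relay pattern."""
    return [h for h in find_proxied_requests(log_text) if h["port"] == 25]


def classify_probe_response(raw, marker):
    """Classify the reply to a proxy-style GET.  `marker` is text that only
    the third-party page contains: a server returning it fetched the page for
    us, i.e. it is an open proxy.  A plain 200 is not enough, because Apache
    with ProxyRequests Off accepts absolute URIs and serves its own content."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if code == 200 and marker.encode() in body:
        return "open-proxy"
    if code in (400, 403, 405, 502, 503):
        return "refused"
    return "inconclusive"


def probe_open_proxy(server, port, test_url, marker, timeout=5.0):
    """Network side of the check (not exercised offline): connect to `server`
    and send the absolute-URI request a client would send to a forward proxy."""
    host = ABS_URI_RE.match(test_url).group("host")
    req = (f"GET {test_url} HTTP/1.1\r\nHost: {host}\r\n"
           f"User-Agent: open-proxy-check\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_probe_response(b"".join(chunks), marker)


# Constructed log: a normal hit, a POST relayed to an MX on port 25 (the
# pattern from the post), a CONNECT to another MX, and one refused request.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2004:10:12:01 +1100] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [14/Mar/2004:10:12:05 +1100] "POST http://203.0.113.25:25/ HTTP/1.0" 200 312
198.51.100.7 - - [14/Mar/2004:10:12:09 +1100] "CONNECT mx2.example.net:25 HTTP/1.0" 200 77
198.51.100.9 - - [14/Mar/2004:10:13:00 +1100] "GET http://www.example.org/ HTTP/1.1" 403 221
"""

if __name__ == "__main__":
    for hit in smtp_relay_attempts(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}:{hit['port']} via {hit['method']}")
```

Run it against a real log with find_proxied_requests(open("access_log").read()); a 200 on a proxied POST to port 25 is the smoking gun. For the active probe, a 200 on its own proves nothing, since a server with ProxyRequests Off still accepts an absolute-URI request and just serves its own page for the path; that is why the classifier only reports open-proxy when the body carries the marker from the third-party page, and reports "inconclusive" otherwise.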