[Snort-sigs] http post on port 25

hans rosa.schwein at ...2991...
Tue Feb 8 13:50:50 EST 2005


hi joe 
hi all others, thanks for the response.

joe, i cannot follow your ideas. and i also cannot follow the
spammers' method. we speak about the service smtp. imho you cannot
"request" or post with http syntax on destination port 25.
but i am sure there are servers, which are acting on such
dialogs in any manner. i assume there are 1% or more
of all smtp-traffic of this type. 1% is extremely high and
nobody would write such a dialog, if there were no results.
so, what is the background? i am sure, i have no problems
with sendmail listening on port 25.

i would be interested in reports of other network-admins and
if you could also approve such a high rate of this malformed
traffic.

thanks for all responses in advance

best regards 
hans 

-- 



On Tue, Feb 08, 2005 at 02:56:59PM -0500, Joe Patterson wrote:
> I would bet I know what this is.  A spammer has found an open http proxy
> server.  He is "requesting" the "document" located at
> http://your.mail.server:25/ from that http proxy server, and part of the
> POST operation just happens to be very similar to an SMTP conversation.
> 
> Probably handy to know about, if for no other reason than to build up a list
> of open proxy servers out there.
> 
> -Joe
> 
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of hans
> > Sent: Tuesday, February 08, 2005 11:42 AM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] http post on port 25
> >
> >
> >
> > hi all
> >
> > these days i noticed some strange dialogs on smtp port 25
> > hosts around the world are trying to set up a dialog
> > immediately after the SYN - SYN ACK - ACK frames
> > with the following content:
> >  POST / HTTP/1.1
> >  Host: my.hostname.com:25
> >  Content-Type: text/plain
> >  ... and so on
> >
> > o.k. - i am not crazy, i really speak about e-mail, and
> > this is not the content of the message body, it's the tcp-flow
> > later in the dialog there is a rset, but game over
> > with sendmail and greeting feature.
> >
> > there are some additional infos, like a tcpdump and a rule for
> > snort, to find at  http://ma.yer.at/2005/smtp_post.html
> >
> > i would be interested, if you could also notice such traffic.
> > i can't believe, are there any mail-gateways, which respond to
> > http-post-commands on port 25 ?
> >
> > here the rule, which does the job for me perfectly:
> >
> > alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST";
> > flow:to_server,established; content:"post"; nocase; content:"/";
> > nocase; pcre:"/^post\s+\/\s+http\/1.1/smi";
> > classtype:attempted-recon; sid:050201; rev:10;)
> >
> > i am new to snort, so i don't know if this rule is correct,
> > for example, i don't know where to get a correct sid, i took
> > the current date.
> > what i did, i took another smtp-rule and modified the content.
> >
> >
> > best regards
> > hans
> >
> > p.s.: i hope this is the correct forum, or should i post
> >       in the Snort-users list ?
> >
> > --
> >
> >
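A host-side equivalent of the posted rule, as an added example that is not from the thread and not Snort code: it applies the rule's request-line pattern to the first bytes a client sends on a port 25 connection, pulls out the Host header so the name the proxy was asked to reach shows up in the alert, and runs over constructed sample flows. It goes slightly beyond the original pcre by also accepting HTTP/1.0 request lines.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Same request-line test as the rule's pcre (/^post\s+\/\s+http\/1.1/smi),
# but anchored only at the start of the client's first payload and
# also accepting HTTP/1.0 (an assumption that goes beyond the posted rule).
HTTP_POST_RE = re.compile(rb"^post\s+/\s+http/1\.[01]", re.IGNORECASE)
HOST_RE = re.compile(rb"^host:\s*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)

class Flow(NamedTuple):
    src: str
    dst_port: int
    payload: bytes  # first bytes the client sends after the 3-way handshake

class Alert(NamedTuple):
    src: str
    host_header: Optional[str]

def is_http_post_on_smtp(flow: Flow) -> bool:
    """True if the client opened a port 25 connection with an HTTP POST."""
    # A real SMTP client waits for the 220 banner and then sends EHLO/HELO;
    # one that opens with an HTTP request line is not speaking SMTP at all.
    return flow.dst_port == 25 and HTTP_POST_RE.match(flow.payload) is not None

def host_header(payload: bytes) -> Optional[str]:
    """Return the Host header value, i.e. the name the sender was after."""
    m = HOST_RE.search(payload)
    return m.group(1).decode("ascii", "replace").strip() if m else None

def scan_flows(flows: Iterable[Flow]) -> List[Alert]:
    """Run the check over many flows and return one alert per hit."""
    return [Alert(f.src, host_header(f.payload))
            for f in flows if is_http_post_on_smtp(f)]

# Constructed sample flows (documentation addresses, not captured traffic).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 25, b"POST / HTTP/1.1\r\nHost: my.hostname.com:25\r\n"
                           b"Content-Type: text/plain\r\n\r\n"),
    Flow("192.0.2.11", 25, b"EHLO mail.example.net\r\n"),          # normal SMTP
    Flow("192.0.2.12", 80, b"POST / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    Flow("192.0.2.13", 25, b"post   /   http/1.1\r\nhost: my.hostname.com:25\r\n\r\n"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"{a.src} sent HTTP POST to port 25 (Host: {a.host_header})")
```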