[Snort-sigs] http post on port 25
rosa.schwein at ...2991...
Tue Feb 8 13:50:50 EST 2005
hi all, thanks for the responses.
joe, i cannot follow your ideas, and i also cannot follow the
spammer's method. we speak about the smtp service. imho you cannot
"request" or post with http syntax on destination port 25.
but i am sure there are servers which act on such
dialogs in some manner. i assume there are 1% or more
of all smtp traffic of this type. 1% is extremely high, and
nobody would write such a dialog if there were no results.
so, what is the background? i am sure i have no problems
with sendmail listening on port 25.
i would be interested in reports from other network admins and
whether you could also confirm such a high rate of this malformed
thanks for all responses in advance
On Tue, Feb 08, 2005 at 02:56:59PM -0500, Joe Patterson wrote:
> I would bet I know what this is. A spammer has found an open http proxy
> server. He is "requesting" the "document" located at
> http://your.mail.server:25/ from that http proxy server, and part of the
> POST operation just happens to be very similar to an SMTP conversation.
> Probably handy to know about, if for no other reason than to build up a list
> of open proxy servers out there.
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of hans
> > Sent: Tuesday, February 08, 2005 11:42 AM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] http post on port 25
> > hi all
> > these days i noticed some strange dialogs on smtp port 25.
> > hosts around the world are trying to set up a dialog
> > immediately after the SYN - SYN ACK - ACK frames
> > with the following content:
> > POST / HTTP/1.1
> > Host: my.hostname.com:25
> > Content-Type: text/plain
> > ... and so on
> > o.k. - i am not crazy, i really speak about e-mail, and
> > this is not the content of the message body, it's the tcp flow.
> > later in the dialog there is a RSET, but game over
> > with sendmail and its greeting feature.
> > there are some additional infos, like a tcpdump and a rule for
> > snort, to find at http://ma.yer.at/2005/smtp_post.html
> > i would be interested, if you could also notice such traffic.
> > i can't believe it, are there any mail gateways which respond to
> > http post commands on port 25?
> > here is the rule, which does the job for me perfectly:
> > # local (non-distributed) rules should use sid >= 1000000; the dot in
> > # "1.1" is escaped so the pcre does not match any character there
> > alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST";
> > flow:to_server,established; content:"post"; nocase; content:"/";
> > nocase; pcre:"/^post\s+\/\s+http\/1\.1/smi";
> > classtype:attempted-recon; sid:1000001; rev:10;)
> > i am new to snort, so i don't know if this rule is correct.
> > for example, i don't know where to get a correct sid, so i took
> > the current date.
> > what i did was take another smtp rule and modify the content.
> > best regards
> > hans
> > p.s.: i hope this is the correct forum, or should i post
> > in the Snort-users list?
> > --
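As an added example (not code from the posts above, and not Snort's or sendmail's own logic), the following Python models the traffic hans describes and Joe's explanation of it: an open HTTP proxy, asked for http://my.hostname.com:25/, writes a POST request to port 25 whose body is an SMTP session. The script builds such a payload (hostnames and mailboxes are made up), checks it with the same regex the posted rule uses, and runs it through a small simulated SMTP command loop that stands in for a permissive line-oriented server, with and without rejecting clients that talk before the 220 banner (the effect of sendmail's greet_pause). The server loop is a simplified model written for this example, not sendmail's code.

```python
"""Model of the "HTTP POST on port 25" traffic from the thread.

Added example: constructed sample payloads, the posted rule's regex, and a
toy SMTP command loop. Nothing here is taken from Snort or sendmail.
"""
import re

# The posted rule's pcre with the dot in "1.1" escaped; /s /m /i -> flags.
HTTP_POST_RE = re.compile(rb"^post\s+/\s+http/1\.1",
                          re.IGNORECASE | re.MULTILINE | re.DOTALL)

# Constructed SMTP session the spammer smuggles through the proxy (made-up
# names). An RSET comes first, as hans observed later in the dialog.
SMTP_BODY = (
    b"RSET\r\n"
    b"HELO example.invalid\r\n"
    b"MAIL FROM:<spammer@example.invalid>\r\n"
    b"RCPT TO:<victim@my.hostname.com>\r\n"
    b"DATA\r\n"
)

# What the proxy writes to port 25 right after the TCP handshake.
PROXIED_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: my.hostname.com:25\r\n"
    b"Content-Type: text/plain\r\n"
    + b"Content-Length: %d\r\n" % len(SMTP_BODY)
    + b"\r\n"
    + SMTP_BODY
)

# A well-behaved client, for comparison.
NORMAL_SMTP = (b"EHLO mx.example.net\r\nMAIL FROM:<a@example.net>\r\n"
               b"RCPT TO:<b@my.hostname.com>\r\nDATA\r\n")

SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def matches_rule(payload: bytes) -> bool:
    """Payload-side checks of the posted rule: both content matches
    (case-insensitive) and the pcre anchored at the start of a line."""
    lower = payload.lower()
    return (b"post" in lower and b"/" in lower
            and HTTP_POST_RE.search(payload) is not None)


def _arg(raw: bytes) -> str:
    """Text after the first ':' (e.g. the address in MAIL FROM:<..>)."""
    parts = raw.split(b":", 1)
    return parts[1].strip().decode("ascii", "replace") if len(parts) > 1 else ""


def simulate_smtp(payload: bytes, reject_early_talkers: bool = False) -> dict:
    """Toy SMTP server receiving `payload` as the first bytes after the
    handshake, i.e. before it has sent its own 220 banner.

    Default: every CRLF-terminated line is a command. Unknown lines (the HTTP
    request line, headers, blank line) get 500, the SMTP verbs in the POST
    body are honoured. reject_early_talkers=True: data seen before the banner
    rejects the whole session with 554 (a legitimate client waits for the
    banner, so it never sends anything at this point).
    """
    replies, sender, recipients, reached_data = [], None, [], False
    lines = payload.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()  # empty element after the final CRLF

    if reject_early_talkers and payload:
        replies.append("554 5.7.0 SMTP protocol violation: data before banner")
        lines = []  # nothing gets processed

    for raw in lines:
        # Verb = first token, trailing ':' stripped ("Host:" -> HOST,
        # "MAIL FROM:<..>" -> MAIL); anything not an SMTP verb is rejected.
        verb = raw.split(b" ", 1)[0].split(b":", 1)[0].upper().decode("ascii", "replace")
        if verb not in SMTP_VERBS:
            replies.append("500 5.5.1 Command unrecognized: %r" % raw[:40])
        elif verb in ("HELO", "EHLO"):
            replies.append("250 my.hostname.com Hello")
        elif verb == "RSET":
            sender, recipients = None, []
            replies.append("250 2.0.0 Reset state")
        elif verb == "MAIL":
            sender = _arg(raw)
            replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            recipients.append(_arg(raw))
            replies.append("250 2.1.5 Recipient ok")
        elif verb == "DATA":
            if sender and recipients:
                reached_data = True  # the relay attempt got through
                replies.append('354 Enter mail, end with "." on a line by itself')
            else:
                replies.append("503 5.0.0 Need MAIL and RCPT first")
        elif verb == "NOOP":
            replies.append("250 2.0.0 OK")
        elif verb == "QUIT":
            replies.append("221 2.0.0 closing connection")
            break
    return {"replies": replies, "reached_data": reached_data,
            "sender": sender, "recipients": recipients}


if __name__ == "__main__":
    for name, payload in (("proxied POST", PROXIED_POST), ("normal client", NORMAL_SMTP)):
        print(f"{name}: rule fires = {matches_rule(payload)}")
    for flag in (False, True):
        result = simulate_smtp(PROXIED_POST, reject_early_talkers=flag)
        print(f"\nreject_early_talkers={flag}: reached DATA = {result['reached_data']}")
        for line in result["replies"]:
            print("  S:", line)
```

Without early-talker rejection, the model answers the five HTTP lines with 500 and then accepts RSET, HELO, MAIL FROM and RCPT TO from the POST body, so the session reaches DATA: that is how an open HTTP proxy turns a tolerant SMTP server into a relay without the server ever "understanding" HTTP. The source address seen on port 25 is the proxy, not the spammer, which is Joe's point about using the alerts to build a list of open proxies. Two caveats on the regex, which are the rule's as well: it only matches HTTP/1.1 (a proxy speaking HTTP/1.0 is missed; `1\.[01]` would cover both), and because of the `m` flag `^` matches at the start of any line, so the same text at a line start inside a message body after DATA also fires.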