[Snort-sigs] http post on port 25

hans rosa.schwein at ...2991...
Wed Feb 9 12:05:21 EST 2005


hi Joe,

thanks for your detailed statement. You did a great job.
Now it's clear why this "http prefix" is there.
If open mail gateways become fewer, spammers look
for alternatives.

And that would be nearly perfect spam, if there
weren't sendmail with the greet_pause feature on my site.
With this, the remote spammer has in this case only one possible
command, namely "quit". Even "rset" does not restart
the dialog.

So it's only a question of time until spammers handle the
dialogs and timeouts; then my rule should break the
connection. For now it only monitors.


If it is OK with you, I would put a link on my HTML page
to yours with the explanation.


best regards 
hans 

-- 

On Tue, Feb 08, 2005 at 06:21:40PM -0500, Joe Patterson wrote:
> Just a matter of using protocols in ways they weren't intended, but work
> anyway.  The sequence of events is this:
> 
> 1) spammer sends a request to an open proxy server (on whatever port that
> proxy is listening on, probably 80, 8080, or 3128).  The request is for
> http://your.mail.server:25/, the type is a POST, and the post data is a
> properly formatted smtp conversation starting with RSET.
> 
> 2) the http proxy turns around, makes a connection to your.mail.server on
> port 25 (because that's what's in the URL, and it's blindly obeying it), and
> sends the http request.
> 
> 3) the mail server receives a connection on port 25, accepts it, and gets a
> block of text (the http request).  The mail server considers each line a
> separate command.  The first few commands it receives (POST, Host:,
> Content-Type:, etc...) are not valid SMTP commands, and generate error
> messages, but *do not* cause the connection to close.  Somewhere in the
> middle of that block of text is "\nRSET\n".  *That* is a valid SMTP command.
> The mail server knows what to do with it.  It means to reset the connection
> state.  This it does.  This command is followed by additional valid SMTP
> commands, which tell the mail server to send a message, which it does.  At
> this point, the spammer has succeeded in sending a message, and he no longer
> cares anything about what happens after this.
> 
> 4) the proxy server receives the smtp error messages (as replies from the
> mail server), which are not a valid http response header.
> 
> 5) the proxy server sends something like a 500 error back to the spammer,
> who, as noted above, really doesn't care.
> 
> I've kind of sort of dissected this (using your data, because I thought it was
> kind of interesting) at
> http://www.asgardgroup.com/~jpatterson/smtp-http.html
> 
> -Joe
> 
> > -----Original Message-----
> > From: snort-sigs-admin at lists.sourceforge.net
> > [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of hans
> > Sent: Tuesday, February 08, 2005 4:49 PM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] http post on port 25
> >
> >
> >
> > hi joe
> > hi all others, thanks for response.
> >
> > Joe, I cannot follow your ideas, and I also cannot follow the
> > spammer's method. We speak about the service SMTP. IMHO you cannot
> > "request" or POST with HTTP syntax on destination port 25.
> > But I am sure there are servers which act on such
> > dialogs in some way. I assume 1% or more
> > of all SMTP traffic is of this type. 1% is extremely high, and
> > nobody would write such a dialog if there were no results.
> > So, what is the background? I am sure I have no problems
> > with sendmail listening on port 25.
> >
> > I would be interested in reports from other network admins, and
> > whether you can also confirm such a high rate of this malformed
> > traffic.
> >
> > thanks for all response in advance
> >
> > best regards
> > hans
> >
> > --
> >
> >
> >
> > On Tue, Feb 08, 2005 at 02:56:59PM -0500, Joe Patterson wrote:
> > > I would bet I know what this is.  A spammer has found an open http proxy
> > > server.  He is "requesting" the "document" located at
> > > http://your.mail.server:25/ from that http proxy server, and part of the
> > > POST operation just happens to be very similar to an SMTP conversation.
> > >
> > > Probably handy to know about, if for no other reason than to
> > build up a list
> > > of open proxy servers out there.
> > >
> > > -Joe
> > >
> > > > -----Original Message-----
> > > > From: snort-sigs-admin at lists.sourceforge.net
> > > > [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of hans
> > > > Sent: Tuesday, February 08, 2005 11:42 AM
> > > > To: snort-sigs at lists.sourceforge.net
> > > > Subject: [Snort-sigs] http post on port 25
> > > >
> > > >
> > > >
> > > > hi all
> > > >
> > > > these days I noticed some strange dialogs on SMTP port 25.
> > > > Hosts around the world are trying to set up a dialog
> > > > immediately after the SYN - SYN ACK - ACK frames
> > > > with the following content:
> > > >  POST / HTTP/1.1
> > > >  Host: my.hostname.com:25
> > > >  Content-Type: text/plain
> > > >  ... and so on
> > > >
> > > > O.k. - I am not crazy, I really speak about e-mail, and
> > > > this is not the content of the message body, it's the TCP flow.
> > > > Later in the dialog there is an RSET, but game over
> > > > with sendmail and the greeting feature.
> > > >
> > > > There is some additional info, like a tcpdump and a rule for
> > > > Snort, to be found at http://ma.yer.at/2005/smtp_post.html
> > > >
> > > > I would be interested whether you also notice such traffic.
> > > > I can't believe it: are there any mail gateways which respond to
> > > > HTTP POST commands on port 25?
> > > >
> > > > here the rule, which does the job for me perfectly:
> > > >
> > > > alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST";
> > > > flow:to_server,established; content:"post"; nocase; content:"/";
> > > > nocase; pcre:"/^post\s+\/\s+http\/1\.1/smi";
> > > > classtype:attempted-recon; sid:050201; rev:10;)
> > > >
> > > > I am new to Snort, so I don't know if this rule is correct;
> > > > for example, I don't know where to get a correct sid, so I took
> > > > the current date.
> > > > What I did was take another SMTP rule and modify the content.
> > > >
> > > >
> > > > best regards
> > > > hans
> > > >
> > > > p.s.: I hope this is the correct forum, or should I post
> > > >       in the Snort-users list?
> > > >
> > > > --
> > > >
> > > >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
> 
> 
> 