Just a matter of using protocols in ways they weren't intended, but work
anyway. The sequence of events is this:
1) spammer sends a request to an open proxy server (on whatever port that
proxy is listening on, probably 80, 8080, or 3128). The request is for
http://your.mail.server:25/, the type is a POST, and the post data is a
properly formatted smtp conversation starting with RSET.
2) the http proxy turns around, makes a connection to your.mail.server on
port 25 (because that's what's in the URL, and it's blindly obeying it), and
sends the http request.
3) the mail server recieves a connection on port 25, accepts it, and gets a
block of text (the http request). The mail server considers each line a
separate command. The first few commands it recieves (POST, Host:,
Content-Type:, etc...) are not valid SMTP commands, and generate error
messages, but *do not* cause the connection to close. Somewhere in the
middle of that block of text is "\nRSET\n". *That* is a valid SMTP command.
The mail server knows what to do with it. It means to reset the connection
state. This it does. This command is followed by additional valid SMTP
commands, which tell the mail server to send a message, which it does. At
this point, the spammer has succeded in sending a message, and he no longer
cares anything about what happens after this.
4) the proxy server receives the smtp error messages (as replies from the
mail server), which are not a valid http response header.
5) the proxy server sends something like a 500 error back to the spammer,
who, as noted above, really doesn't care.
I've kind of sort of disected this (using your data, because I thougt it was
kind of interesting) at
http://www.asgardgroup.com/~jpatterson/smtp-http.html
-Joe
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net]On Behalf Of hans
Sent: Tuesday, February 08, 2005 4:49 PM
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] http post on port 25
hi joe
hi all others, thanks for response.
joe, i cannot follow your ideas. and i also cannot follow the
spammers methode. we speak about service smtp. imho you cannot
"request" or post with http syntax on destination port 25.
but i am sure there are servers, which are acting on such
dialogs in any matter. i assume there are 1% or more
of all smtp-traffic of this type. 1% is extremly high and
nobody would write such a dialog, if there are no results.
so, what are the backgrounds. i am sure, i have no problems
with sendmail listening on port 25.
i would be interested on reports of other network-admins and
if you could approve also such a high rate of this malformed
traffic.
thanks for all response in advance
best regards
hans
--
On Tue, Feb 08, 2005 at 02:56:59PM -0500, Joe Patterson wrote:
I would bet I know what this is. A spammer has found an open http proxy
server. He is "requesting" the "document" located at
http://your.mail.server:25/ from that http proxy server, and part of the
POST operation just happens to be very similar to an SMTP conversation.
Probably handy to know about, if for no other reason than to
build up a list
of open proxy servers out there.
-Joe
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net]On Behalf Of hans
Sent: Tuesday, February 08, 2005 11:42 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] http post on port 25
hi all
this days i noticed some strange dialogs on smtp port 25
hosts around the world are trying to setup a dialog
immediatly after the SYN - SYN ACK - ACK frames
with the following content:
POST / HTTP/1.1
Host: my.hostname.com:25
Content-Type: text/plain
... and so on
o.k. - i am not crazy, i really speak about e-mail, and
this is not the content of the message body, it's the tcp-flow
later in the dialog there is a rset, but game over
with sendmail and greeting feature.
there are some additional infos, like a tcpdump and a rule for
snort, to find at http://ma.yer.at/2005/smtp_post.html
i would be interested, if you could also notice such traffic.
i can't belive, are there any mail-gateways, which respond to
http-post-commands on port 25 ?
here the rule, which does the job for me perfectly:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST";
flow:to_server,established; content:"post"; nocase; content:"/";
nocase; pcre:"/^post\s+\/\s+http\/1.1/smi";
classtype:attempted-recon; sid:050201; rev:10;)
i am new to snort, so i don't know if this rule is correct,
for example, i don't know where to get a correct sid, i took
the current date.
what i did, i took an other smtp-rule and did modify the content.
best regards
hans
p.s.: i hope this is the correct forum, or should i post
in the Snort-users list ?
--
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
