Re: Postfix errors from some new worm??

[Scott Call <scall () devolution com>]

On Thu, 29 Apr 2004, Nicole wrote:

>  Seems like its trying to show web data.. and it ignores errors.
>  I am seeing a bit of these. Nothing googelable for SHWAN-PROXY =[
>
>  Some broken script or worm?

It's most likely an HTTP proxy connection abuse.

Since CONNECT proxies are drying up, people are using open HTTP proxies
to try to send mail.

Basically they send a POST to the proxy that causes it to connect to your
server, and make an HTTP request that contains SMTP commands, so after the
HTTP commands it would have a line like:

value=\r\nHELO sdfads\r\nMAIL FROM:<Ima () spammer com>\r\nRCPT
TO:<sucker () spammed com>\r\nDATA\r\nSee my website\r\n\.

which if your mail server ignores the errors caused by the HTTP header
will cause an SMTP session to be triggered.

I'm not sure if postfix has it, but setting a max number of errors per
session, or making sure the SMTP lock-step is followed can really help
stop these.

-S


>   Nicole
>
>
> Transcript of session follows.
>
>  Out: 220 krell.webweaver.net ESMTP commodore 64 Postfix Baby
>  In:  POST / HTTP/1.0
>  Out: 502 Error: command not implemented
>  In:  Via: 1.0 SHWAN-PROXY
>  Out: 502 Error: command not implemented
>  In:  Host: mail.webweaver.net:25
>  Out: 502 Error: command not implemented
>  In:  Content-Length: 1056
>  Out: 502 Error: command not implemented
>  In:  Content-Type: text/plain
>  Out: 502 Error: command not implemented
>  In:  Connection: Keep-Alive
>  Out: 502 Error: command not implemented
>  In:
>  Out: 500 Error: bad syntax
>  In:  RSET
>  Out: 250 Ok
>  In:  HELO webtv.net
>  Out: 250 krell.webweaver.net
>  In:  MAIL FROM:<swe4etp07 () hotmail com>
>  Out: 250 Ok
>  In:  RCPT TO:<nicole () webweaver net>
>  Out: 550 Client host rejected: cannot find your hostname, [207.68.98.5]
>  In:  DATA
>  Out: 554 Error: no valid recipients
>  In:  To: <nicole () webweaver net>
>  Out: 502 Error: command not implemented
>  In:  From: "roman" <jojo21planet () hotmail com>
>  Out: 221 Error: I can break rules, too. Goodbye.
>
>
> --
>                      |\ __ /|   (`\
>                      | o_o  |__  ) )
>                     //      \\
>   -  nmh () daemontech com  -  Powered by FreeBSD  -
> ------------------------------------------------------
>  "The term "daemons" is a Judeo-Christian pejorative.
>  Such processes will now be known as "spiritual guides"
>   -Politicaly Correct UNIX Page
>
>      http://www.nonsenseband.com
>
> *** Spam Sucks and I get tons of it. So I have some tight spam filters.
>      If any email to me bounces, please use your secret decoder ring
>      and please send to blabgoo at yahoo dot com  :)
>
>
>
>
> !DSPAM:40919bc4290231576414491!

-- 
Scott Call      Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814