Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

qmail smtp-auth bug allows open relay

  • From: John Brown
  • Date: Mon Jul 14 12:35:18 2003

seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

is one URL that talks about this.

There has been an increase is what appears to be qmail based
open-relays over the last 5 days.  Each of these servers
pass the normal suite of open-relay tests.

Spammers are scanning for SMTP-AUTH and STARTTLS based 
mail servers that may be misconfigured. Then using them
to send out their trash.

Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect.  This leads to /usr/bin/true
being used as the password checker. :(

>From an operational perspective, I suspect we will see more
SMTP scans

The basic test (see URL above) should get incorporated into
various open-relay testing scripts.

cheers

john brown
chagres technologies, inc





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.