This is a discussion on Re: [courier-users] ESMTP command error - a LOT of them within the Courier-Imap forums, part of the Mail Servers and Related category.
Randall Shaw writes:

> I am seeing a few too many of "502 ESMTP command error" in the log reports
> each night (logwatch). Here are but a few examples:
>
> "502 ESMTP command error",cmd: CELLPADDING=4><TR><TD colspan=2 align=center
> bgcolor=#C0C0FF><FONT FACE=arial><B><A : 8 Time(s)
>
> "502 ESMTP command error",cmd: CONTENT-LENGTH: 4805: 16 Time(s)
>
> "502 ESMTP command error",cmd: DATA: 697 Time(s)
>
> "502 ESMTP command error",cmd: RCPT TO:<joe@somedomain.com>: 20 Time(s)
>
> They span from all sorts of html garbage (obvious spam), to actual commands
> that appear VALID (DATA: RCPT TO: HOST: SENDER:).
>
> My question is... Should I be alarmed?

No. You should be happy, actually.

> Is esmtpd doing something bad that
> causes all these? Is it because esmtpd denies them relay, but they still
> spew forth data and esmtpd goes "WTF?!"...

A spammer has hacked some open web proxy (whose IP address you've logged, by
the way) administered by some moron who has no clue about system security,
and is trying to use the proxy to spam. The proxy receives what it thinks is
an HTTP request, which it tries to forward to the target "web site". The
spammer puts an SMTP dialog in the payload. The spammer's http request looks
something like this:

POST mail.example.com:25 HTTP/1.0
Content-Length: 8923

EHLO mail.hotmail.com
MAIL FROM:<hotsuzie@nekkidbabes.com>
RCPT TO:<courier@randallshaw.com>
DATA
From: Hot Suzie <hotsuzie@nekkidbabes.com>
To: courier@randallshaw.com
Subject: Fr33 pR0n w38cAm

<html>
<body>
...

The proxy then turns around and connects to your port 25 and tries to dump
all of the above, as a single blob.

This trick is designed to work with sendmail, or perhaps some NT-based
garbage, that quickly ignores the initial http header garbage, as errors,
then mindlessly processes the rest of the input, one line at a time.

Sadly, this trick won't work with Courier, which expects everyone who
connects to be a proper SMTP client, that waits for a reply from EHLO, and
each subsequent command (taking into account ESMTP PIPELINING), before
sending the next command. If whoever connects sends some glop of garbage,
without waiting for a response, it gets flushed. So, the initial set of SMTP
commands gets flushed down the toilet, and if there's anything left, which by
this time gives you somewhere within the HTML payload, it gets logged as
additional errors, with tarpitting making sure the whole process goes
sloooowly.
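The logwatch summary lines quoted above can be bucketed automatically, so that a report mixing valid SMTP verbs (sent before the server replied) with HTTP headers and HTML fragments stands out as the proxy-relayed pattern the reply describes. This is an added example, not code from the post or from Courier; the "502 ESMTP command error" line format is assumed from the report quoted above, and the sample lines are constructed to mirror it.

```python
import re
from collections import Counter

# Verbs a well-behaved SMTP client sends; anything else rejected with 502 is noise.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "STARTTLS", "AUTH"}

# One logwatch summary line per rejected command (format assumed from the post).
LINE_RE = re.compile(r'"502 ESMTP command error",cmd: (?P<cmd>.*?): (?P<n>\d+) Time\(s\)\s*$')

def classify(cmd):
    """Bucket one rejected command by what it most likely is."""
    words = cmd.strip().split(None, 1)
    head = words[0].upper().rstrip(":") if words else ""
    if head in SMTP_VERBS:
        return "smtp"            # real verb, just sent before the server replied
    if re.match(r"^(POST|GET|CONNECT)\s+\S+\s+HTTP/\d", cmd, re.I):
        return "http-request"    # the proxy's own request line
    if re.match(r"^[A-Za-z][A-Za-z0-9-]*:\s", cmd):
        return "header"          # HTTP or message header, e.g. CONTENT-LENGTH: 4805
    if re.search(r"<[A-Za-z/!]", cmd) or re.search(r"\b[A-Z]+=", cmd):
        return "html"            # fragment of the HTML body the proxy dumped
    return "other"

def summarize(report_lines):
    """Total the 'N Time(s)' counts per bucket across a logwatch report."""
    counts = Counter()
    for line in report_lines:
        m = LINE_RE.search(line)
        if m:
            counts[classify(m.group("cmd"))] += int(m.group("n"))
    return counts

def looks_like_proxied_smtp(counts):
    """SMTP verbs plus HTTP/HTML fragments in one report: a proxy relaying a POST body to port 25."""
    web_noise = counts["http-request"] + counts["header"] + counts["html"]
    return counts["smtp"] > 0 and web_noise > 0

SAMPLE_REPORT = [  # constructed sample, mirroring the lines quoted in the post
    '"502 ESMTP command error",cmd: CELLPADDING=4><TR><TD colspan=2 align=center '
    'bgcolor=#C0C0FF><FONT FACE=arial><B><A : 8 Time(s)',
    '"502 ESMTP command error",cmd: CONTENT-LENGTH: 4805: 16 Time(s)',
    '"502 ESMTP command error",cmd: DATA: 697 Time(s)',
    '"502 ESMTP command error",cmd: RCPT TO:<joe@somedomain.com>: 20 Time(s)',
    '"502 ESMTP command error",cmd: POST mail.example.com:25 HTTP/1.0: 3 Time(s)',
]
if __name__ == "__main__":
    totals = summarize(SAMPLE_REPORT)
    print(dict(totals), "proxied SMTP:", looks_like_proxied_smtp(totals))
```

The "smtp" bucket alone is harmless (a pipelining-unaware client or the flushed head of the blob); it is the co-occurrence with request lines, headers and HTML that points at the abused proxy whose address is in the same log.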