Re: [exim] HTTP requests to port 25?

Author: Stephen Gran
Date:  
To: exim-users
Subject: Re: [exim] HTTP requests to port 25?
On Tue, Nov 29, 2005 at 02:04:38PM -0500, Marc Sherman said:
> My logs show a number of SMTP protocol violations similar to this one:
>
> 2005-11-21 04:55:24 SMTP protocol violation: synchronization error
> (input sent without waiting for greeting): rejected connection from
> H=ns1.avs18.com[85.118.32.254] input="POST / HTTP/1.1\r\nHost:
> projectile.ca:25\r\nContent-Type:text/plain\r\nContent-Length:
> 891\r\nMax-Forwards: 10\r\nVia: 1.0 projectile.ca:25\r\n\r\nRSET\r\nHELO
> lab-"
>
> Does anyone know what the deal is with those? Is it some kind of
> exploit against a broken HTTP proxy server? If so, why is it hitting
> port 25 instead of port 80?


Somebody has managed to trick a proxy server into POST'ing their spam
to your.address:25 - a common way to make http proxies relay email.

Enforcing sync + a short delay at connect (2 or 3s) makes just about all of
these go away.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | To iterate is human, to recurse,        |
|  steve@???             | divine.   -- Robert Heller              |
|  http://www.lobefin.net/~steve |                                         |

--------------------------------------------------------------------------
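A log-triage example for the entries discussed in this thread, added here and not part of either message or of Exim itself: it parses Exim's pre-greeting synchronization-error lines and separates HTTP requests that wrap SMTP commands (the proxy-relay pattern described in the reply) from other early talkers. The line format is taken from the quoted entry; the function names, category labels and sample lines 2 to 4 are assumptions made for illustration.

```python
import re

# Exim mainlog entry for input sent before the greeting. As in the quoted
# entry, CR/LF in the captured input appear as the literal text \r\n.
SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol violation: '
    r'synchronization error \(input sent without waiting for greeting\): '
    r'rejected connection from H=(?P<host>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\] '
    r'input="(?P<input>.*)"$')
HTTP_RE = re.compile(r'^(?P<method>[A-Z]+) \S+ HTTP/\d\.\d')
HOST_RE = re.compile(r'\\r\\nHost: *(?P<name>[^\\:\s]+)(?::(?P<port>\d+))?', re.I)
SMTP_RE = re.compile(r'\\r\\n(?:HELO|EHLO|MAIL FROM|RCPT TO|RSET)\b', re.I)

def classify(line):
    """Return a dict describing a sync-error line, or None for other lines."""
    m = SYNC_RE.match(line.strip())
    if not m:
        return None
    data = m.group('input')
    http, host = HTTP_RE.match(data), HOST_RE.search(data)
    if http and SMTP_RE.search(data):
        kind = 'http-proxy-relay'   # SMTP commands carried in an HTTP body
    elif http:
        kind = 'http-other'         # HTTP request, no SMTP verbs captured
    else:
        kind = 'early-talker'       # plain input sent before the banner
    return {'ts': m.group('ts'), 'ip': m.group('ip'), 'kind': kind,
            'host': m.group('host') or None,
            'method': http.group('method') if http else None,
            'host_port': host.group('port') if host else None}

def relay_sources(lines):
    """Sorted IPs whose pre-greeting input was HTTP wrapping SMTP commands."""
    hits = (classify(l) for l in lines)
    return sorted({h['ip'] for h in hits if h and h['kind'] == 'http-proxy-relay'})

# Sample input: entry 1 is the line quoted in the thread, re-joined onto one
# line; entries 2-4 are constructed (documentation addresses and names).
SAMPLE = [
    r'2005-11-21 04:55:24 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=ns1.avs18.com[85.118.32.254] input="POST / HTTP/1.1\r\nHost: projectile.ca:25\r\nContent-Type:text/plain\r\nContent-Length: 891\r\nMax-Forwards: 10\r\nVia: 1.0 projectile.ca:25\r\n\r\nRSET\r\nHELO lab-"',
    r'2005-11-21 05:10:02 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="HELO mail.example.test\r\n"',
    r'2005-11-21 05:11:30 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=scanner.example.test [198.51.100.7] input="GET / HTTP/1.0\r\n\r\n"',
    r'2005-11-21 05:12:40 1EeGYb-0001Xy-00 <= alice@example.test H=mx.example.test [203.0.113.5] P=esmtp S=1432',
]

if __name__ == '__main__':
    for entry in filter(None, map(classify, SAMPLE)):
        print(entry)
```

The `host_port` field records the port from the HTTP `Host` header, so a value of `25` shows the proxy was pointed at the SMTP port directly, as in the quoted entry.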