Re: [exim] Dealing with clever spammers - how do I?

Author: Chris Lightfoot
Date:  
To: Odhiambo G. Washington, exim-users
Subject: Re: [exim] Dealing with clever spammers - how do I?
On Fri, Jun 16, 2006 at 01:24:25PM +0300, Odhiambo G. Washington wrote:
>
> Hi,
>
> PS: This is a bit OT, but there is an Exim bit.
>
>
> I have a server that I use for hosting websites. I simply give ftp
> access and the customer just uploads their web content. The problem
> comes in the name of some code used in these websites - they allow
> http-put and http-post by spammers.
>
> Information about my blacklisted server is here:
>
> http://dsbl.org/listing?62.8.64.6
>
> Now, since I am running Exim on this server, is there a way to take
> care of (prevent the spamming) such a situation within Exim itself?
>
> So far, this server is almost permanently blacklisted.
>
> I'd appreciate if anyone knows a better way to audit the web data
> content stored on the server, even ;)


hang on, the claim in the above link is that your server
is an open web proxy, not that there's a specific script
on it that's exploitable (though of course there may be
one of those too).

I'm a bit surprised by that because your server (a)
appears to be apache; but (b) doesn't list mod_proxy in
the Server: header. It also doesn't appear to permit the
types of exploits that the above link talks about:

: chris@sphinx ~/sof*/mythic-u* $; telnet 62.8.64.6 80
Trying 62.8.64.6...
Connected to 62.8.64.6.
Escape character is '^]'.
POST http://sphinx.mythic-beasts.com:25/ HTTP/1.0
Host: sphinx.mythic-beasts.com
Content-Length: 112

HELO fish
MAIL FROM: <chris@???>
RCPT TO: <chris@???>
DATA
Fish soup is good for you
.
QUIT
HTTP/1.1 404 Not Found
Date: Fri, 16 Jun 2006 11:38:55 GMT
Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.3.11 mod_perl/1.26
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL / was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at sphinx.mythic-beasts.com Port 25</ADDRESS>
</BODY></HTML>

-- the results there indicate that it's just accepting
HTTP requests for any hostname and returning a `not found'
result (I guess you use the apache mass hosting mode?). I
see from the blacklist page above that the emails which
were passed through the machine were sent almost a year
ago; perhaps the configuration of the machine has been
changed to fix this problem since then?

In any case I don't understand why the removal request
hasn't been processed, though of course the operators of
the blacklist are permitted to put whatever information
they want into it, whether or not it's correct (modulo
local law on defamation etc.). If they continue to be
intransigent, forward mail via a second IP address and
chalk this one up to the general idiocy of people trying
to do spam filtering on IP address only.

--
``It's not our fault we have to grab your crotch to make sure your balls aren't
made of plastic explosives -- the government made us do it!''
(Colin Teubner summarises a security notice at Heathrow Airport)
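The probe Chris typed into telnet above, turned into a small script so the same check can be repeated and its outcome read off mechanically. This is an added example written for this page, not code from Chris, the list or the Exim project. The function names, the example.com addresses in the SMTP payload and the SAMPLE_404 bytes are constructed for illustration; the three outcomes it distinguishes are the ones his message discusses: the bytes really reach an SMTP server (open proxy), the server fetches a foreign URL for us (proxying), or Apache's own 404 comes back with a footer that merely echoes the host and port from the request-URI (mass-hosting fallthrough, nothing forwarded).

```python
"""Check whether a web server acts as an open HTTP proxy to an SMTP port.

Added example, not code from the original post.  Host names, the SMTP
payload and the sample response are constructed for illustration.
"""
import re
import socket


def build_proxy_probe(target_host: str, target_port: int, smtp_payload: str) -> bytes:
    """Build the request from the telnet transcript: an HTTP/1.0 POST whose
    request-target is an absolute URI for target_host:target_port.  A proxy
    honouring absolute URIs would open a TCP connection there and relay the
    body, which here is raw SMTP rather than form data."""
    body = smtp_payload.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    head = (
        f"POST http://{target_host}:{target_port}/ HTTP/1.0\r\n"
        f"Host: {target_host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body


_STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")
_FOOTER_RE = re.compile(rb"Server at (\S+) Port (\d+)")


def classify_response(raw: bytes, target_host: str, target_port: int) -> str:
    """Interpret the bytes that came back on the port-80 connection.

    smtp-relayed       reply is not HTTP but an SMTP reply line ("220 ..."),
                       so our bytes reached a mail server: open proxy.
    proxied-http       HTTP 2xx/3xx for a URI on a foreign host: the server
                       fetched it on our behalf, so it is proxying.
    vhost-fallthrough  HTTP error whose Apache footer echoes the foreign host
                       and port from our request-URI.  Apache itself answered
                       (no vhost matched, the default host served a 404) and
                       nothing was forwarded.  This is what the transcript shows.
    not-proxying       any other HTTP error.
    """
    m = _STATUS_RE.match(raw)
    if not m:
        if re.match(rb"^\d{3}[ -]", raw):
            return "smtp-relayed"
        return "unknown"
    status = int(m.group(1))
    if 200 <= status < 400:
        return "proxied-http"
    f = _FOOTER_RE.search(raw)
    if f and f.group(1).decode() == target_host and int(f.group(2)) == target_port:
        return "vhost-fallthrough"
    return "not-proxying"


def probe(server: str, target_host: str, target_port: int = 25,
          server_port: int = 80, timeout: float = 10.0) -> str:
    """Live check: send the probe to server:server_port and classify the reply.
    Only point this at hosts you are authorised to test."""
    payload = ("HELO probe\nMAIL FROM: <probe@example.com>\n"       # constructed
               "RCPT TO: <probe@example.com>\nDATA\nprobe\n.\nQUIT\n")
    with socket.create_connection((server, server_port), timeout=timeout) as s:
        s.sendall(build_proxy_probe(target_host, target_port, payload))
        chunks = []
        try:
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks), target_host, target_port)


# Constructed sample: the shape of the 404 in the transcript, footer included.
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/1.3.33 (Darwin)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<HTML><BODY><H1>Not Found</H1>"
    b"<ADDRESS>Apache/1.3.33 Server at sphinx.mythic-beasts.com Port 25</ADDRESS>"
    b"</BODY></HTML>\r\n"
)

if __name__ == "__main__":
    print(classify_response(SAMPLE_404, "sphinx.mythic-beasts.com", 25))
```

The footer test is the useful part: Apache prints the host and port it believes it is serving, and with an absolute-URI request on a mass-hosting setup those come straight from the URI, so "Server at sphinx.mythic-beasts.com Port 25" in a 404 is evidence the web server answered locally, not that it spoke to anything on port 25.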