Re: [fw-wiz] sendmail spamming
From: Robert E. Martin (rmartin_at_fishburne.org)
Date: 05/29/03
- Next message: : "(no subject)"
- Previous message: Christopher Hicks: "Re: [fw-wiz] traffic analysis"
- In reply to: Behm, Jeffrey L.: "RE: [fw-wiz] sendmail spamming"
- Next in thread: Jim Seymour: "RE: [fw-wiz] sendmail spamming"
To: "Behm, Jeffrey L." <BehmJL@bvsg.com>
Date: Thu, 29 May 2003 12:35:29 -0400
Behm, Jeffrey L. wrote:
>Morality? Is that old thing still around? ;-)
>
>If I understand your question correctly, the gain is that the real spammer
>is using your web server to generate SPAM and making it look as if your web
>server is the real spammer (The real spammer has little risk in being
>labeled a "SPAMMER" from the Internet-at-large). It's just a way for a real
>spammer to cover his/her tracks and cause your site grief, because *you* now
>are at risk of being labeled a "SPAM-generating" site. To the recipient of
>such spam, the "from" address is legitimately from your web server. However,
>the exploit isn't really your email server, it's the web server <I hope
>you're not gonna say you have a web server on the *same* system as your
>email gateway :-( >. The web server legitimately uses the email gateway to
>send emails out to the internet, but the web server has been exploited to
>allow the intruder to send out emails which are tracked back to "coming from
>the web server."
>
>Hope this helps, and that I understood your question correctly.
>Jeff
>
>
>
>>-----Original Message-----
>>From: Robert E. Martin [mailto:rmartin@fishburne.org]
>>Sent: Thursday, May 29, 2003 8:31 AM
>>To: firewall-wizards@honor.icsalabs.com
>>Subject: [fw-wiz] sendmail spamming
>>
>>
>>Just a morality question for you guys.
>>I have just finished locking up an exploit in our email server. This
>>spawned from a formmail script left on our web server I neglected to
>>delete.
>>I noticed CPU activity spikes on the email server and found that our web
>>server was spamming our email server due to the classic formmail exploit.
>>My question is this. What is the motivation behind such an exploit? What
>>is there to gain from this other than job security for a person like me?
>>This kind of action makes no sense to me.
>>
>>--
>>Robert E Martin
>>IT Manager
>>Fishburne Military School
>>rmartin@fishburne.org
>>540.946.7726
>>
>>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
><I hope
>you're not gonna say you have a web server on the *same* system as your
>email gateway :-( >. The web server legitimately uses the email gateway to
>send emails out to the internet, but the web server has been exploited to
>allow the intruder to send out emails which are tracked back to "coming from
>the web server."
Oh NO!! The web server and email server are separate machines and on different subnets. Lots of separation there; however, there were some strange entries in the root mailbox on the web server. Here:
Return-Path: <apache@fmsws.fishburne.org>
Received: from fmsws.fishburne.org (fmsws.fishburne.org [127.0.0.1])
        by fmsws.fishburne.org (8.12.5/8.12.5) with ESMTP id h4T6no4A001254;
        Thu, 29 May 2003 02:49:50 -0400
Received: (from apache@localhost)
        by fmsws.fishburne.org (8.12.5/8.12.5/Submit) id h4T6nn7Y001252;
        Thu, 29 May 2003 02:49:49 -0400
Date: Thu, 29 May 2003 02:49:49 -0400
Message-Id: <200305290649.h4T6nn7Y001252@fmsws.fishburne.org>
To: none@fishburne.org
From: none@fishburne.org ()
Subject: Ignore
to: Spankyparade@o2.pl
*/BEGINABCDFORMMAILfishburne.org/cgi-bin/formmail.cgiTSTSendMailTSTENDABCD
/*
--h4T6nq4A001256.1054190992/fmsws.fishburne.org--
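Added example, not part of the original message or of either poster's code: a Python check that flags mail like the sample above, where a web server account handed the message to the local sendmail submission program and the content references a CGI script or names a recipient outside the local domain. The account list, the function names and the re-indented copy of the sample are assumptions of this example.

```python
import email
import re

# Copy of the message quoted above; folded Received lines re-indented so they parse.
SAMPLE = """\
Return-Path: <apache@fmsws.fishburne.org>
Received: from fmsws.fishburne.org (fmsws.fishburne.org [127.0.0.1])
    by fmsws.fishburne.org (8.12.5/8.12.5) with ESMTP id h4T6no4A001254;
    Thu, 29 May 2003 02:49:50 -0400
Received: (from apache@localhost)
    by fmsws.fishburne.org (8.12.5/8.12.5/Submit) id h4T6nn7Y001252;
    Thu, 29 May 2003 02:49:49 -0400
Date: Thu, 29 May 2003 02:49:49 -0400
Message-Id: <200305290649.h4T6nn7Y001252@fmsws.fishburne.org>
To: none@fishburne.org
From: none@fishburne.org ()
Subject: Ignore
to: Spankyparade@o2.pl
*/BEGINABCDFORMMAILfishburne.org/cgi-bin/formmail.cgiTSTSendMailTSTENDABCD
/*
"""

WEB_USERS = {"apache", "nobody", "www-data"}  # assumption: accounts CGI scripts run as
LOCAL_SUBMIT = re.compile(r"\(from ([\w.-]+)@localhost\)")  # local command-line submission
CGI_SCRIPT = re.compile(r"/cgi-bin/([\w.-]+?\.(?:cgi|pl))", re.I)
TO_LINE = re.compile(r"^to:\s*<?([^\s<>]+@([\w.-]+))>?", re.I | re.M)

def analyze(raw, local_domain):
    """Collect the indicators seen in one raw message."""
    msg = email.message_from_string(raw)
    # Unfold each Received header before matching.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    submitters = {m.group(1) for h in received for m in LOCAL_SUBMIT.finditer(h)}
    local = local_domain.lower()
    outside = [addr for addr, dom in TO_LINE.findall(raw)
               if dom.lower() != local and not dom.lower().endswith("." + local)]
    return {
        "web_submitters": sorted(submitters & WEB_USERS),
        "cgi_refs": sorted(set(CGI_SCRIPT.findall(raw))),
        "outside_recipients": outside,
    }

def is_suspect(report):
    """Web account submitted locally AND a CGI reference or outside recipient."""
    return bool(report["web_submitters"]) and bool(
        report["cgi_refs"] or report["outside_recipients"])

if __name__ == "__main__":
    print(analyze(SAMPLE, "fishburne.org"))
```

Run against each message in the web server's root mailbox, this separates mail generated through a CGI script from ordinary local mail such as cron output.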