Re: Strange CONNECT entries in apache logs
From: Christian Vogel <chris(at)netlynx-server.net>
Date: Thu Jul 10 2003 - 13:01:26 EDT

Hi,

On Thu, Jul 10, 2003 at 01:52:17AM -0000, sgaskins@interserv.com wrote:

What happens here: if you use an http-proxy to proxy HTTP-POST requests, the payload is most often forwarded verbatim. Of course, this request will have http-headers in front of the data, but many smtp-servers ignore those. So you can try to make a POST request like this via the proxy:

POST http://victim:25/ HTTP/1.1
Host: victim
(empty line)
HELO spammer
MAIL FROM: <..>
RCPT TO: <..>
DATA
spam
.

The SMTP-server will most likely complain about unsupported SMTP-commands "POST", "Host:", "X-Forwarded-For" and so on, but many will just silently accept the junkmail after these commands.

Why back to the spammer's own IP-address: with the CONNECT the spammer can instantly see if he is talking to an SMTP-server and if it works. But to check how the proxy possibly mangles his POST-request he will have to check on a machine where he has access to the data as it comes out of the proxy.

Chris

Received on Thu Jul 10 16:30:38 2003
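
A defender-side check for the two request shapes described in this message, as an added example that is not part of the original post: it scans Apache access-log lines for CONNECT and absolute-URI requests aimed at SMTP ports. The log lines are constructed samples, and the port set and function names are assumptions.

```python
import re

# Apache common/combined log prefix: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
# CONNECT host:port, the tunnel request a forward proxy would receive
CONNECT_RE = re.compile(r'^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)(?:\s|$)')
# METHOD http://host[:port]/..., the absolute-URI form of the POST in the message
ABSOLUTE_RE = re.compile(
    r'^(?P<method>[A-Z]+)\s+http://(?P<host>[^\s/:]+)(?::(?P<port>\d+))?(?:[/\s]|$)')

SMTP_PORTS = {25, 465, 587}  # assumption: ports treated as mail submission/relay

def classify(line):
    """Return a finding dict for a proxy-style request to an SMTP port, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m['request']
    c = CONNECT_RE.match(req)
    if c:
        method, host, port = 'CONNECT', c['host'], int(c['port'])
    else:
        a = ABSOLUTE_RE.match(req)
        if not a:
            return None  # ordinary origin-form request such as "GET /index.html"
        method, host, port = a['method'], a['host'], int(a['port'] or 80)
    if port not in SMTP_PORTS:
        return None
    # A 2xx status means the server did not refuse the request; it needs
    # follow-up to establish whether anything was actually forwarded.
    return {'client': m['client'], 'method': method, 'host': host,
            'port': port, 'status_2xx': m['status'].startswith('2')}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation address ranges, not real traffic)
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Jul/2003:01:40:11 +0000] "CONNECT 198.51.100.25:25 HTTP/1.0" 405 312
203.0.113.7 - - [10/Jul/2003:01:40:14 +0000] "POST http://198.51.100.25:25/ HTTP/1.1" 200 1456
192.0.2.44 - - [10/Jul/2003:01:41:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [10/Jul/2003:01:41:09 +0000] "CONNECT example.org:443 HTTP/1.1" 405 312
'''

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```
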