RE: [mod-security-users] How do I block mail attempts?
From: Mark <ad...@as...> - 2005-01-30 22:14:53
> -----Original Message-----
> From: Eli [mailto:eli...@ex...]
> Sent: zondag 30 januari 2005 22:45
> To: 'Mark'; mod...@li...
> Subject: RE: [mod-security-users] How do I block mail attempts?
>
> Mark wrote:
>
> > How do I block mail attempts, like below?
> >
> > "POST http://67.234.73.188:25/ HTTP/1.1"
> >
> > Would this do it?
> >
> > SecFilter "\:25\/"
>
> Why is your webserver listening on port 25?

I am talking about HTTP POST/PUT relaying, which can be exploited by
encoding SMTP requests into HTTP POST data (or a PUT request in the same
format). Example:

>>> POST http://mx.victim.com:25/ HTTP/1.0
>>> Host: http://mx.victim.com:25/
>>> Content-Length: {length of request body in bytes}
>>>
>>> HELO foo
>>> MAIL FROM:<su...@sp...>
>>> RCPT TO:<vi...@vi...>
>>> DATA
>>> You've been spammed!
>>> .
>>> QUIT

<<< 220 victim.com ESMTP
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 250 hello
<<< 250 sender ok
<<< 250 recipient ok
<<< 354 go ahead
<<< 250 message accepted for delivery
<<< 221 victim.com goodbye

I want to prevent those via the POST payload.

> The $ in a regex is *end of line*, not end of a word
> boundary. If the last part of the ENTIRE line you
> want to filter is .exe or whatever, then yes a $
> at the end will work. In this case though, not so good.

I guess a "\b" instead will work?

Thanks,

- Mark
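
The two checks discussed in this message (the port in the request line and the SMTP commands in the POST payload), as an added Python example that is not part of the original post and is not mod_security code. The names `relay_indicators`, `SMTP_PORTS`, `PORT_EOL` and `PORT_WB`, the port set, and the two-verb threshold are assumptions made for the illustration; the sample body is constructed.

```python
import re
from urllib.parse import urlsplit

SMTP_PORTS = {25, 465, 587}  # assumption: ports treated as mail ports here

# SMTP verbs at the start of a body line, as in the payload quoted in the post.
SMTP_VERB = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b", re.I | re.M)

# "$" anchors to end of line, and the request line ends in " HTTP/1.x",
# so only the word-boundary form can match the port inside it.
PORT_EOL = re.compile(r":25$")
PORT_WB = re.compile(r":25\b")

# Constructed sample body (addresses are placeholders).
SAMPLE_BODY = (
    "HELO foo\r\nMAIL FROM:<sender@example.com>\r\n"
    "RCPT TO:<rcpt@example.com>\r\nDATA\r\nhello\r\n.\r\nQUIT\r\n"
)


def relay_indicators(request_line, body=""):
    """Return the reasons a request looks like HTTP-to-SMTP relaying."""
    parts = request_line.split()
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    reasons = []
    # Proxy-style absolute URI whose port is a mail port.
    if "://" in target:
        try:
            port = urlsplit(target).port
        except ValueError:  # non-numeric or out-of-range port
            port = None
            reasons.append("unparsable port in target")
        if port in SMTP_PORTS:
            reasons.append(f"absolute URI to mail port {port}")
    # Two or more distinct SMTP verbs in a POST/PUT body; one alone is too noisy.
    if method.upper() in ("POST", "PUT"):
        verbs = {m.group(1).upper() for m in SMTP_VERB.finditer(body)}
        if len(verbs) >= 2:
            reasons.append("SMTP commands in body: " + ", ".join(sorted(verbs)))
    return reasons


if __name__ == "__main__":
    line = "POST http://mx.victim.com:25/ HTTP/1.0"
    print(relay_indicators(line, SAMPLE_BODY))
    print(bool(PORT_EOL.search(line)), bool(PORT_WB.search(line)))
```

Parsing the target and comparing the port number avoids the near-misses a bare pattern has to be written around, such as `:250` or `:2525`.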