Thread: [mod-security-users] How do I block mail attempts?

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] How do I block mail attempts?

From: Mark <ad...@as...> - 2005-01-30 04:12:08

How do I block mail attempts, like below?

    "POST http://67.234.73.188:25/ HTTP/1.1"

Would this do it?

    SecFilter "\:25\/"

Also, speaking of SecFilter, I have this:

    SecFilter "(\.com|\.exe|\.cmd|\.bat)"

Can I add $ at the end of SecFilter? Like so:

    SecFilter "(\.com|\.exe|\.cmd|\.bat)$"

I only want to match on patterns ending in this!

Thanks,

- Mark

RE: [mod-security-users] How do I block mail attempts?

From: Eli <eli...@ex...> - 2005-01-30 21:44:55

Mark wrote: 

> How do I block mail attempts, like below?
>
>    "POST http://67.234.73.188:25/ HTTP/1.1"
>
> Would this do it?
>
>    SecFilter "\:25\/"

Why is your webserver listening on port 25?  If it isn't, you can't prevent
people posting to port 25 using mod_security - you need to block it with
your mta software.  Besides, POSTing data to port 25 will never work right -
it isn't SMTP protocol aware and will fail.

> Also, speaking of SecFilter, I have this:
>
>    SecFilter "(\.com|\.exe|\.cmd|\.bat)"
>
> Can I add $ at the end of SecFilter? Like so:
>
>    SecFilter "(\.com|\.exe|\.cmd|\.bat)$"
>
> I only want to match on patterns ending in this!

The $ in a regex is *end of line*, not end of a word boundary.  If the last
part of the ENTIRE line you want to filter is .exe or whatever, then yes a $
at the end will work.  In this case though, not so good.

I suggest using the other SecFilter thing (sorry, can't remember the
directive) that allows you to filter on certain CGI variables.  Filter it on
whatever one you need - file uploads or uri.

Eli.

RE: [mod-security-users] How do I block mail attempts?

From: Mark <ad...@as...> - 2005-01-30 22:14:53

> -----Original Message-----
> From: Eli [mailto:eli...@ex...] 
> Sent: zondag 30 januari 2005 22:45
> To: 'Mark'; mod...@li...
> Subject: RE: [mod-security-users] How do I block mail attempts?
> 
> Mark wrote: 
> 
> > How do I block mail attempts, like below?
> >
> >    "POST http://67.234.73.188:25/ HTTP/1.1"
> >
> > Would this do it?
> >
> >    SecFilter "\:25\/"
> 
> Why is your webserver listening on port 25?

I am talking about HTTP POST/PUT relaying, which can be exploited
by encoding SMTP requests into HTTP POST data (or a PUT request
in the same format). Example: 

>>> POST http://mx.victim.com:25/ HTTP/1.0
>>> Host: http://mx.victim.com:25/
>>> Content-Length: {length of request body in bytes}
>>>
>>> HELO foo
>>> MAIL FROM:<su...@sp...>
>>> RCPT TO:<vi...@vi...>
>>> DATA
>>> You've been spammed!
>>> .
>>> QUIT
<<< 220 victim.com ESMTP
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 503 unimplemented
<<< 250 hello
<<< 250 sender ok
<<< 250 recipient ok
<<< 354 go ahead
<<< 250 message accepted for delivery
<<< 221 victim.com goodbye

I want to prevent those via the POST payload.

> The $ in a regex is *end of line*, not end of a word 
> boundary.  If the last part of the ENTIRE line you
> want to filter is .exe or whatever, then yes a $
> at the end will work.  In this case though, not so good.

I guess a "\b" instead will work?

Thanks,

- Mark

Re: [mod-security-users] How do I block mail attempts?

From: Ivan R. <iv...@we...> - 2005-01-30 22:42:50

> I am talking about HTTP POST/PUT relaying, which can be exploited
> by encoding SMTP requests into HTTP POST data (or a PUT request
> in the same format). Example: 

   I am guessing you have a reason for running a proxy on
   that web server?

   Try this (Apache 2.x syntax):

   <Proxy *>
       RewriteEngine On
       # Do not allow proxy requests to target port 25 (SMTP)
       RewriteRule "^proxy:[a-z]*://[^/]*:25(/|$)" "-" [F,NC,L]
   </Proxy>

   It is probably possible to do something with mod_security too
   but I don't have time at the moment to verify it. On the other
   hand I know the solution above works

-- 
Ivan Ristic (http://www.modsecurity.org)

RE: [mod-security-users] How do I block mail attempts?

From: Mark <ad...@as...> - 2005-01-30 22:54:50

> -----Original Message-----
> From: Ivan Ristic [mailto:iv...@we...] 
> Sent: zondag 30 januari 2005 23:43
> To: Mark
> Cc: eli...@ex...; mod...@li...
> Subject: Re: [mod-security-users] How do I block mail attempts?
> 
 
>    I am guessing you have a reason for running a proxy on
>    that web server?

I have no proxy running on the web server. The exploit attempt
was simply something I found in the mod_security log (trapped for
other reasons). I compiled the web server to disallow relays on port 25,
and it does. I just wanted mod_security to log attempts of such.

- Mark

Re: [mod-security-users] How do I block mail attempts?

From: Ivan R. <iv...@we...> - 2005-01-30 23:19:34

Mark wrote:
> I have no proxy running on the web server. The exploit attempt
> was simply something I found in the mod_security log (trapped for
> other reasons). I compiled the web server to disallow relays on port 25,
> and it does. I just wanted mod_security to log attempts of such.

   That I have time to check. Try this:

   SecFilterSelective REQUEST_URI ^http:/.+:25

   (I didn't test it with a proxy compiled into Apache.)

-- 
Ivan Ristic (http://www.modsecurity.org)