From Eli Marmor <>
Subject Spam Using SMTP "Over" HTTP-Proxy
Date Thu, 28 Aug 2003 06:47:19 GMT

According to research companies, most of the current spamming is done
using HTTP proxies. Spammers' assistant scripts scan the net 24 hours a
day, looking for open proxies, and then use them to spread the spam.

Now everybody is asking: how can an HTTP proxy be used for sending e-mail?!

The answer is simple: today, more than 99% of the mail servers are
closed against relay, and open only for incoming messages (for internal
recipients) or outgoing messages (sent by internal users).

Most of the mail servers, including all of the ISPs, recognize
"internal users" as users who connect to the mail server from IP
classes that belong to the organization (for example, IPs that belong to
the ISP in the case of an ISP).

So theoretically, a spammer can't use a mail server of a foreign ISP,
unless he connects to it from an IP that belongs to this ISP.

An open HTTP proxy that belongs to a customer of this ISP can help the
spammer to cheat the mail server of that ISP and let it believe that
this e-mail is sent from an innocent customer of that ISP, and this is
how most of the current spamming is done.

But an HTTP proxy is educated to forward HTTP content, not SMTP?!

This is resolved easily by using "POST"; as you probably know, wrong
headers are ignored by most of the mail servers (including sendmail);
so the spammer connects to port 25 of the mail server as an HTTP
service through the open proxy, sends a POST request, and hides the SMTP
content in the body of the posted data. Sendmail ignores the HTTP
headers (and only reports warnings to the sender), and accepts the rest
(i.e. the SMTP commands + the body of the e-mail).

It is VERY easy for mod_proxy of Apache to recognize such sessions and
block them. Before I start such a project, I'd like to know:

1. Is there any existing code and/or module that implements this?
2. Is there any plan to add this to Apache / mod_proxy?  My plan will
   take a long time...
3. Is there anything that can be learned from other proxies (e.g. Squid)
   regarding this issue?
4. Can anybody add anything to the details that I wrote or has anything
   else to contribute to the effort?

Eli Marmor
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel
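
An added example, not part of the original message and not mod_proxy code: a sketch of the check a forward proxy could apply to recognize the sessions described above, by target port and by SMTP command lines in the request body. It goes beyond the POST case in the message by also checking CONNECT targets; the port list, the function names and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: ports a mail server listens on; adjust to local policy.
MAIL_PORTS = {25, 465, 587}

# SMTP commands at the start of a line inside a request body.
SMTP_LINE = re.compile(
    rb"^(?:(?:HELO|EHLO) \S+|(?:MAIL FROM|RCPT TO):|DATA\r?$)", re.I | re.M)


def target_port(method, target):
    """Port the proxy would connect to, or None if it cannot be parsed."""
    if method.upper() == "CONNECT":          # target is "host:port"
        port = target.rpartition(":")[2]
        return int(port) if port.isdigit() else None
    parts = urlsplit(target)                 # target is an absolute URL
    try:
        return parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:                       # non-numeric or out-of-range port
        return None


def inspect_proxy_request(method, target, body=b""):
    """Return (allow, reason) for one forward-proxy request."""
    port = target_port(method, target)
    if port is None:
        return False, "unparseable target"
    if port in MAIL_PORTS:
        return False, f"target port {port} is a mail port"
    # Two or more SMTP command lines in a body is not normal form data.
    if len(SMTP_LINE.findall(body)) >= 2:
        return False, "SMTP commands in request body"
    return True, "ok"


# Constructed sample requests (hosts are placeholders).
SMTP_BODY = (b"HELO client.example.net\r\nMAIL FROM:<a@example.net>\r\n"
             b"RCPT TO:<b@example.org>\r\nDATA\r\nSubject: test\r\n\r\nhi\r\n.\r\n")
SAMPLES = [
    ("POST", "http://mail.example.net:25/", SMTP_BODY),
    ("POST", "http://mail.example.net:8025/", SMTP_BODY),
    ("CONNECT", "mail.example.net:25", b""),
    ("POST", "http://www.example.org/form", b"name=eli&comment=hello"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, inspect_proxy_request(method, target, body))
```

The body check catches the same session when the mail server listens on a port outside the list, which a port rule alone would miss.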

