[Openvas-devel] openvas relay check bogus?
mime at gmx.de
Mon Aug 10 22:36:48 CEST 2009
*** Hanno Böck <hanno at hboeck.de> wrote:
> I get the warning below on some of my servers.
Which MTA(s) are you running on these servers? Qmail?
> Do I get something wrong here or is this test totally bogus?
At first glance i can't see a problem in smtp_relay2.nasl.
> Obviously, my server accepts mails to it's own host. It's not
> relaying them anywhere.
> If the test wants to check for open relays (which is a good idea), it should
> try to deliver a mail to another host (or some bogus host like
> hsajdkahsda.com). If that is accepted, then there's a problem. Accepting mail
> for it's own host is the purpose of an smtp server.
> I assume the intention is to send to nobody at example.com, though the check
> seems to get something wrong here.
> Reported by NVT "Mail relaying (thorough test)" (126.96.36.199.4.1.256188.8.131.5252):
> OpenVAS was able to relay mails by sending those sequences:
> MAIL FROM: <openvas@[host]>
> RCPT TO: <nobody%example.com@[host]>
,---[ http://www.remote.org/jochen/mail/info/address.html ]
| The percent hack
| The so called percent hack is another form of source route. Here an address
| lookes like this:
| peter%hotmail.com%mail.mit.edu at donald.mit.edu
| The mail is sent to the host donald.mit.edu, which will strip off the domain
| and change the rightmost percent sign (%) into an At sign (@), which will
| result in the following address:
| peter%hotmail.com at mail.mit.edu
| So it sends the mail on to mail.mit.edu and so on. This use of the percent sign
| is deprecated because of the associated risk of spam relaying. (See above.)
| Note that there is no official document, that makes the percent sign special.
| It is strictly up to the receiving host, whether it will interpret the percent
| sign in this special way.
Please do the following Test:
| telnet MTA 25
| HELO domain.tld
| MAIL FROM: <mail at domain.tld>
| RCPT TO: <hanno%hboeck.de at domain.tld>
| From: <mail at domain.tld>
| To: <hanno%hboeck.de at domain.tld>
| Subject: test
What's the status code the server(s) responds atfter the "RCPT" command?
,---[ smtp_relay2.nasl ]
| rt = strcat('RCPT TO: <', to_l[i], '>\r\n');
| send(socket: soc, data: rt);
| l = smtp_recv_line(socket: soc);
| if (l =~ '^2[0-9][0-9]')
What's the status code the server(s) responds atfter the "QUIT"
What you see in the MTA(s) Logfile(s)?
More information about the Openvas-devel