[Openvas-devel] openvas relay check bogus?

Mon Aug 10 22:36:48 CEST 2009

Hello Hanno,

*** Hanno Böck <hanno at hboeck.de> wrote:

> I get the warning below on some of my servers.

Which MTA(s) are you running on these servers? Qmail?

> Do I get something wrong here or is this test totally bogus? 

At first glance i can't see a problem in smtp_relay2.nasl.

> Obviously, my server accepts mails to it's own host. It's not
> relaying them anywhere.
> 
> If the test wants to check for open relays (which is a good idea), it should 
> try to deliver a mail to another host (or some bogus host like 
> hsajdkahsda.com). If that is accepted, then there's a problem. Accepting mail 
> for it's own host is the purpose of an smtp server.
> 
> I assume the intention is to send to nobody at example.com, though the check 
> seems to get something wrong here.
>
> -----------
> Reported by NVT "Mail relaying (thorough test)" (1.3.6.1.4.1.25623.1.0.11852):

[...]

> OpenVAS was able to relay mails by sending those sequences:

>        MAIL FROM: <openvas@[host]>
>        RCPT TO: <nobody%example.com@[host]>

,---[ http://www.remote.org/jochen/mail/info/address.html ]
| The percent hack
|
| The so called percent hack is another form of source route. Here an address
| lookes like this:
|
| peter%hotmail.com%mail.mit.edu at donald.mit.edu
|
| The mail is sent to the host donald.mit.edu, which will strip off the domain
| and change the rightmost percent sign (%) into an At sign (@), which will
| result in the following address:
|
| peter%hotmail.com at mail.mit.edu
|
| So it sends the mail on to mail.mit.edu and so on. This use of the percent sign
| is deprecated because of the associated risk of spam relaying. (See above.)
|
| Note that there is no official document, that makes the percent sign special.
| It is strictly up to the receiving host, whether it will interpret the percent
| sign in this special way.
`---|

Please do the following Test:

,---|
| telnet MTA 25
| HELO domain.tld
| MAIL FROM: <mail at domain.tld>
| RCPT TO: <hanno%hboeck.de at domain.tld>
| DATA
| From: <mail at domain.tld>
| To: <hanno%hboeck.de at domain.tld>
| Subject: test
|
| test
| .
| QUIT
`---|

What's the status code the server(s) responds atfter the "RCPT" command?
250/251?

,---[ smtp_relay2.nasl ]
|  rt = strcat('RCPT TO: <', to_l[i], '>\r\n');
|  send(socket: soc, data: rt);
|  l = smtp_recv_line(socket: soc);
|  if (l =~ '^2[0-9][0-9]')
|   { 
`---|  

What's the status code the server(s) responds atfter the "QUIT"
command?

What you see in the MTA(s) Logfile(s)? 

Micha