SMTP configuration disclosure to the spammer

April 2, 2018

Every week or two the Postfix monitoring tool reports that someone is sending authenticated mail messages from more than three different IP addresses within the last 10 minutes. Usually this means that someone has “stolen” the SMTP configuration from a genuine client, or that the customer has set a guessable password. There are many ways to obtain the password: you can force a client into a cleartext POP/SMTP/IMAP connection with a MitM attack on a free WiFi network, install a trojan that sends the configuration back via HTTP, or… have it send the configuration back via SMTP, which is the method used by my preferred spammers. The sent mail contains all the needed information in the subject, in this format:

smtp.domain.it:smtp-port:username@domain.tld:password:username@domain.tld:ssl|nossl::::0
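As an added example (not code from the original post), this is a minimal version of the check the monitoring tool is described as doing: it reads Postfix smtpd log lines, which carry a `client=name[ip] ... sasl_username=user` record for every authenticated session, and flags any account that authenticated from more than three distinct client addresses inside a sliding 10-minute window. The log lines below are constructed for the example; the field layout follows Postfix, while the threshold and window are the ones stated in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Postfix smtpd log lines (not taken from the post).
# Postfix logs a "client=" line containing sasl_username= for each authenticated session.
SAMPLE_LOG = """\
Apr  2 11:00:01 mail-a postfix/smtpd[101]: A1: client=unknown[198.51.100.10], sasl_method=PLAIN, sasl_username=alice@domain.tld
Apr  2 11:02:15 mail-a postfix/smtpd[102]: A2: client=unknown[198.51.100.10], sasl_method=PLAIN, sasl_username=alice@domain.tld
Apr  2 11:03:30 mail-a postfix/smtpd[103]: A3: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@domain.tld
Apr  2 11:04:02 mail-a postfix/smtpd[104]: A4: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=bob@domain.tld
Apr  2 11:05:48 mail-a postfix/smtpd[105]: A5: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@domain.tld
Apr  2 11:07:10 mail-a postfix/smtpd[106]: A6: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=bob@domain.tld
Apr  2 11:30:00 mail-a postfix/smtpd[107]: A7: client=unknown[192.0.2.1], sasl_method=PLAIN, sasl_username=carol@domain.tld
Apr  2 11:31:00 mail-a postfix/smtpd[108]: A8: client=unknown[192.0.2.2], sasl_method=PLAIN, sasl_username=carol@domain.tld
Apr  2 11:55:00 mail-a postfix/smtpd[109]: A9: client=unknown[192.0.2.3], sasl_method=PLAIN, sasl_username=carol@domain.tld
Apr  2 11:56:00 mail-a postfix/smtpd[110]: A10: client=unknown[192.0.2.4], sasl_method=PLAIN, sasl_username=carol@domain.tld
"""

# Syslog timestamp, hostname, smtpd process, queue id, then the client= record.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)


def parse_auth_events(log_text, year=2018):
    """Return a time-sorted list of (timestamp, sasl_username, client_ip).
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated-session record
        ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Apr  2")
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def find_shared_accounts(events, window=timedelta(minutes=10), max_ips=3):
    """Return {user: set_of_ips} for every user who authenticated from more than
    `max_ips` distinct client addresses inside some window of length `window`."""
    recent = defaultdict(deque)  # user -> (ts, ip) pairs still inside the window
    flagged = {}
    for ts, user, ip in events:
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop logins older than the window
        ips = {i for _, i in q}
        if len(ips) > max_ips:
            flagged.setdefault(user, set()).update(ips)
    return flagged


if __name__ == "__main__":
    for user, ips in find_shared_accounts(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} client addresses in 10 minutes -> {sorted(ips)}")
```

In the sample, `bob@domain.tld` logs in from four addresses within four minutes and is flagged, while `carol@domain.tld` also uses four addresses but spread over half an hour, so no 10-minute window ever holds more than two and the account is left alone; the window is what separates a stolen configuration from a user switching between home and office.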

You can fight this kind of attack with this Postfix header_checks expression:

/^subject:.*:.*ssl:/ REJECT Can't disclosure configuration 1

and the result is:

Apr 2 11:16:13 mail-a-eqs postfix/cleanup[13835]: B3D44253F5: reject: header Subject:? 
   smtp.domain.it:587:username@domain.tld:username2018:username@domain.tld:ssl::::0 from 
   unknown[xx.xx.xx.xx]; from=<username@domain.tld> to=<mail22@kikerestor.xyz> proto=ESMTP 
   helo=<[127.0.0.1]>: 5.7.1 Can't disclosure configuration 1

It’s not a joke: the username@domain.tld user uses the password username2018… I suppose this account will not last long…
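To see what the rule above actually matches, here is an added example (mine, not the post's or Postfix's code) that re-creates the header_checks pattern in Python and runs it over constructed subject lines. Postfix regexp tables are case-insensitive by default and see the whole header line including `Subject:`, so the pattern is applied the same way here. The example also parses a rejected subject into its fields so an operator knows which account to reset, reporting only the password length and never the password itself. The stricter `STRICT_CHECK` variant is my own suggestion and is not part of the post.

```python
import re

# The post's header_checks rule, as Python sees it (Postfix regexp tables are case-insensitive).
HEADER_CHECK = re.compile(r"^subject:.*:.*ssl:", re.IGNORECASE)

# Tighter variant (added suggestion): require the whole host:port:user:pass:user:ssl|nossl
# shape instead of any subject with a colon followed by "ssl:" somewhere.
STRICT_CHECK = re.compile(
    r"^subject:\s*[^:\s]+:\d+:[^:\s]+@[^:\s]+:[^:]*:[^:\s]+@[^:\s]+:(ssl|nossl):",
    re.IGNORECASE,
)

# Field layout of the leaked-configuration subject described in the post.
LEAK_RE = re.compile(
    r"^(?P<host>[^:]+):(?P<port>\d+):(?P<user>[^:]+):(?P<password>[^:]*):"
    r"(?P<user2>[^:]+):(?P<tls>ssl|nossl):"
)


def is_rejected(subject_header, pattern=HEADER_CHECK):
    """True if the given full header line would hit the REJECT rule."""
    return pattern.search(subject_header) is not None


def leaked_account(subject_header):
    """Extract host, port, username and TLS mode from a leaked-config subject.
    Returns None for a subject that does not have that shape. The password is
    never returned, only its length, so the result is safe to log or ticket."""
    body = re.sub(r"^subject:\s*", "", subject_header, flags=re.IGNORECASE)
    m = LEAK_RE.match(body)
    if not m:
        return None
    return {
        "host": m["host"],
        "port": int(m["port"]),
        "user": m["user"],
        "tls": m["tls"].lower(),
        "password_len": len(m["password"]),
    }


# Constructed sample subjects: the first reuses the values shown in the post's log line.
SAMPLES = [
    "Subject: smtp.domain.it:587:username@domain.tld:username2018:username@domain.tld:ssl::::0",
    "Subject: smtp.example.net:25:bob@example.net:s3cret:bob@example.net:nossl::::0",
    "Subject: Meeting at 10:30: agenda",
    "Subject: Re: OpenSSL: patch released",  # legitimate mail that the loose rule also rejects
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"loose={is_rejected(s)!s:5} strict={is_rejected(s, STRICT_CHECK)!s:5} "
              f"account={leaked_account(s)}")
```

The loose rule catches both the `ssl` and `nossl` variants because `nossl:` contains `ssl:`, but for the same reason it also rejects an ordinary subject such as `Re: OpenSSL: patch released`; if that false positive matters on your server, the stricter pattern keys on the full `host:port:user:password:user:ssl|nossl:` structure instead.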
