HTTP: SMTP Proxied Through HTTP

This signature detects attempts to connect to an SMTP server through an HTTP CONNECT request. Some HTTP servers allow connections to be proxied to other services. Spammers use improperly configured HTTP servers to forward spam e-mails and so avoid blacklists.

Extended Description

Multiple software and integrated server packages that function as web proxies may be used as open TCP proxies, because they support the HTTP CONNECT method by default. This method is detailed in RFC 2817, where it is used to build generic Transport Layer Security over HTTP. Upon receiving a CONNECT request, vulnerable products act as a TCP proxy, tunneling the conversation. This can be used to launch attacks against internal machines or, for example, to use an internal mail server as an open relay. In many cases, this behavior may be controlled through the server configuration. Often it is related to support for tunneling or SSL-related functionality. The issue may also introduce an additional threat: trusted internal hosts may be able to proxy unauthorized connections to arbitrary ports on external hosts, which may violate security policy. This entry carries a preliminary list of vendors which may have vulnerable default configurations. Updates will be made as additional information becomes available.
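The check described above, as an added example that is not the signature's own logic: it scans proxy exchanges for CONNECT requests aimed at an SMTP port and separates refused attempts from tunnels the proxy actually opened. The sample exchanges are constructed, and treating ports 465 and 587 as SMTP alongside port 25 is an assumption of this example.

```python
import re

# Assumption: ports treated as SMTP. 25 is the standard SMTP port;
# 465 and 587 (mail submission) are included as a local policy choice.
SMTP_PORTS = {25, 465, 587}

# CONNECT carries its target in authority form: "CONNECT host:port HTTP/1.x".
# The method is matched case-insensitively so odd casing is still reviewed.
CONNECT_RE = re.compile(
    r'^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:/]+):(\d{1,5})\s+HTTP/\d\.\d$',
    re.IGNORECASE)

def smtp_tunnel_target(request_line):
    """Return (host, port) if the line is a CONNECT to an SMTP port, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1).strip('[]').lower(), int(m.group(2))
    return (host, port) if port in SMTP_PORTS else None

def scan(exchanges):
    """exchanges: iterable of (request_line, proxy_status_code).
    Returns a list of (index, host, port, verdict)."""
    findings = []
    for i, (line, status) in enumerate(exchanges):
        target = smtp_tunnel_target(line)
        if target is None:
            continue
        # A 2xx answer to CONNECT means the proxy switched to tunnel mode.
        verdict = "tunnel-established" if 200 <= status < 300 else "attempt-refused"
        findings.append((i, target[0], target[1], verdict))
    return findings

# Constructed sample: (request line seen by the proxy, status it returned).
SAMPLE = [
    ("GET /index.html HTTP/1.1", 200),
    ("CONNECT shop.example.com:443 HTTP/1.1", 200),       # ordinary TLS tunnel
    ("CONNECT mail.internal.example:25 HTTP/1.0", 200),   # open relay path
    ("connect [2001:db8::25]:587 HTTP/1.1", 403),         # blocked by the proxy
    ("POST /connect?to=mail:25 HTTP/1.1", 200),           # not a CONNECT
    ("CONNECT mail.internal.example:2525 HTTP/1.1", 200), # port outside the set
]

if __name__ == "__main__":
    for idx, host, port, verdict in scan(SAMPLE):
        print(f"exchange {idx}: CONNECT to {host}:{port} -> {verdict}")
```

A "tunnel-established" finding points at a proxy whose CONNECT port restrictions need tightening; an "attempt-refused" finding shows the restriction working.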

Affected Products

Cacheflow cacheos, Lotus domino, Sambar server

Short Name: HTTP:TUNNEL:SMTP
Severity: Warning
Recommended: False
Recommended Action: None
Category: HTTP
Keywords: HTTP Proxied SMTP Through bid:4131
Release Date: 10/17/2006
Supported Platforms

srx-branch-12.3

srx-branch-19.3

vsrx3bsd-19.2

vsrx3bsd-19.4

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-19.3

srx-12.3

Sigpack Version: 3794
False Positive: Unknown
Vendors

Csm

Netcplus

W3c

Astaro

Trend_micro

Deerfield.com

Acme_software

Nec

Intergate

Compusource_(pty)_ltd

Network_associates

Analogx

Etype

Boramae

Netapp

Ncsa

Apache_software_foundation

Imatix

Check_point_software

Omnicron

Ascenvision

Microsoft

Httptunnel_client

Novell

Liteserve

Netscape

Avirt

Ibm

Allegrosurf

Internet_factory

Tinyproxy

Sonicwall

Grok_developments

Delegate

Symantec

Cacheflow

National_science_foundation

Unitech_networks

Jana_server

Sambar

Filemaker

Lotus

Pronetix_ltd.

Korea_network_intelligence

Argo_software_design

Finjan

Mywebserver

Inmon

Ipswitch

Medusa

Adtran

Pi-soft
