Hi, On Thu, Jul 10, 2003 at 01:52:17AM -0000, sgaskinsat_private wrote: > 172.150.203.171 - - [09/Jul/2003:17:58:00 -0400] "POST > http://172.150.203.171:25/ HTTP/1.1" 200 781 "-" "-" What does happen here: If you use a http-proxy to proxy HTTP-POST requests the payload is most often forwarded verbatim. Of course, this request will have http-headers in front of the data, but many smtp-servers ignore those. So you can try to make a POST request like this via the proxy: POST http://victim:25/ HTTP/1.1 Host: victim (empty line) HELO spammer MAIL FROM: <..> RCPT TO: <..> DATA spam . The SMTP-server will most likely complain about unsupported SMTP-commands "POST", "Host:", "X-Forwarded-For" and so on, but many will just silently accept the junkmail after these commands. Why back to the spammer's own IP-address: with the CONNECT the spammer can instantly see if he is talking to a SMTP-server and if it works. But to check how the proxy possibly mangles his POST-request he will have to check on a machine where he has access to the data as it comes out of the proxy. Chris ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 13:13:01 PDT