[imp] IMP as an open relay

Carlton Thomas carlton@gifford.co.uk
Sat, 25 May 2002 12:04:16 +0100 (GMT/BST)


On Thu, 23 May 2002, Jan Schneider wrote:

> Zitat von Christopher Audley <audley@cnsolutionsllc.com>:
> 
> > It seems to me, from scanning redirect.php and IMP.php (createSession), 
> > that I can
> > construct a URL to to connect any instance of IMP running on the net to 
> > run against
> > any IMAP server.  There is no check to limit the server specified to 
> > those listed in
> > servers.php.  Am I wrong about this?
> 
> Yes. The administrator can either select to use a server list, or to disable
> the change of the server. In both cases the appropriate value from
> servers.php will be chosen and can't be overriden by the user.
> 
> Jan.

It is true that the administrator can specify a list of servers to choose
from. However, I have encountered a large number of IMP installations,
including the IMP demo on the Horde site, which allow the user to enter
a POP3/IMAP server to be used for authentication.

OK, I am not a spammer, but assuming I was, I could do the following:-

1) download a shareware POP3/IMAP server and install it on my PC

2) create an account on my server to allow authentication

3) connect to the IMP demo site, enter my authentication details and
specify my IP address as the POP3/IMAP server

4) now I am in, I can spam till "the cows come home", because I now
have an open SMTP relay

I think that the easiest way to combat this is to require that the
user specify an SMTP server and SMTP authentication details when
they specify a POP3/IMAP server which is not local (i.e. the POP3/IMAP
server is not selected from a pull-down list). The administrator should
be allowed to override this. however, I believe that the default should
be to require SMTP server details where POP3/IMAP server details have
been specified.

I know that IMP is not the only email tool which can open a local SMTP
server to abuse and I am very surprised that we have not seen many
examples of this type of abuse. There are a lot of portal sites which
are attracting members by providing webmail access based on the IMP
model, i.e. if you can successfully authenticate against a 'foreign'
POP3/IMAP server then you are free to send mail via the local SMTP
server.

Any comments ?

Regards !

--
Carlton
=============================
GIFFORD INTERNET SERVICES
Bristol, United Kingdom 
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: admin@gifford.co.uk
Web: http://www.gifford.co.uk
=============================