[postfix-es] Hotmail DAV vulnerability used for Spam injection
José Luis Tallón
jltallon at adv-solutions.net
Sun Jun 8 15:45:31 CEST 2003
Hi all. I have just learnt about a vulnerability in the Hotmail DAV service.
Read the full story at http://www.unicom.com/chrome/a/000262.html.
Guessing we might see a surge in UCE coming from Hotmail (one of the
comments claims a 2200% increase in the last couple of months or so) and
not knowing if you are already aware of it, I decided to send the link.
Meanwhile, I have quickly grafted a PCRE to block it (might contain errors):
/etc/postfix/body_checks.pcre
/^Received: from (?:\d{1,3}\.)+\d{1,3} by (.+)\.hotmail\.com with DAV;/ REJECT Not that clever trick, man!
It was derived from this header:
"Received: from 64.84.xxx.xxx by bay3-dav112.bay3.hotmail.com with DAV;"
It might be deemed interesting to additionally reject all-numeric hostnames
(no PTR available), in which case we might arrive at this PCRE:
/^Received: from (?:\d{1,3}\.){1,4}(?:\d{1,3})? by (.+)\.hotmail\.com with DAV;/
Rejecting reverse-resolvable hosts [that is, non-numeric hostnames] seems
quite overkill, doesn't it?
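The rule above, as an added Python example that is not part of the original post: it mirrors the PCRE (the redacted xxx octets are assumed to stand for digits) and keeps only the bare-IP case the post settles on, passing DAV submissions that name a resolvable host. Since Received: is a header, Postfix applies such a rule from a header_checks table rather than body_checks; the sample headers below are constructed, not real mail.

```python
import re

# Mirrors the post's PCRE: a Received: header written by a Hotmail DAV
# front end, capturing the claimed sender and the Hotmail host name.
HOTMAIL_DAV = re.compile(r"^Received: from (\S+) by (.+)\.hotmail\.com with DAV;")
# A sender given as a bare dotted quad, i.e. no PTR-derived hostname.
BARE_IP = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

REJECT_ACTION = "REJECT Not that clever trick, man!"


def check_header(line):
    """Return the Postfix action for one header line, or None if it does not apply.

    Only a DAV submission from a bare IPv4 address is rejected; one that
    names a resolvable host is left alone, the conservative variant the post
    arrives at.
    """
    m = HOTMAIL_DAV.search(line)
    if not m:
        return None
    sender, _hotmail_host = m.groups()
    if BARE_IP.match(sender):
        return REJECT_ACTION
    return None


def scan_headers(headers):
    """Apply check_header to each header in order; the first match decides.

    Postfix header_checks stops at the first matching rule, and a message
    with no match falls through with DUNNO (no decision).
    """
    for line in headers:
        action = check_header(line)
        if action is not None:
            return action
    return "DUNNO"


# Constructed sample headers (not captured from real mail).
SAMPLES = {
    "dav_from_ip": "Received: from 64.84.10.20 by bay3-dav112.bay3.hotmail.com with DAV;",
    "dav_from_host": "Received: from relay.example.net by bay3-dav112.bay3.hotmail.com with DAV;",
    "http_webmail": "Received: from 64.84.10.20 by by2fd.bay2.hotmail.msn.com with HTTP;",
    "other_mta": "Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx.example.com with ESMTP;",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:14} -> {check_header(header)}")
```

On a real Postfix host the same check can be tried against an installed table with `postmap -q "Received: ..." pcre:/etc/postfix/header_checks`.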
I might have overlooked something. As always, comments appreciated, YMMV, etc.
Hope it helps.
Regards,
J.L.