[Original text] poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attackers to bypass authentication for relaying by causing a "POP login by user" string that includes the attacker's IP address to be injected into the maillog log file.
poprelayd is a script that parses /var/log/maillog for valid POP logins. When a client logs in to the POP3 service, poprelayd also allows that client to send email from the IP address it is connecting from.
poprelayd does not verify which program wrote an entry in /var/log/maillog. A user can therefore cause sendmail to log an arbitrary string to the file, which allows a remote user to relay mail through the SMTP server.
telnet dumbcobalt 25
Connected to dumbcobalt
mail from:"POP login by user "admin" at (184.108.40.206) 220.127.116.11
553 "POP login by user "admin" at (18.104.22.168) 22.214.171.124
@linux.org"...Domain name required
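
One way to harden the log parsing described above, as an added example (not poprelayd's code or the vendor's fix): it contrasts a match for the login string anywhere on the line with a parser that accepts the record only at the start of a message logged under the POP daemon's syslog tag. The syslog layout, the `pop3d` tag, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG = re.compile(
    r'^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')
# Login record in the form quoted in the advisory.
POP_LOGIN = re.compile(
    r'POP login by user "(?P<user>[^"]+)" at \((?P<name>[^)]+)\) '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')
POP_DAEMONS = {"pop3d"}  # assumption: syslog tag used by the host's POP3 daemon

# Constructed sample lines (documentation addresses, simplified sendmail layout).
SAMPLE_LOG = [
    'Jun 12 10:01:02 raq pop3d[811]: POP login by user "alice" at (client.example) 192.0.2.10',
    'Jun 12 10:02:15 raq sendmail[899]: NAA00899: from=<bob@example.org>, size=512',
    'Jun 12 10:03:40 raq sendmail[902]: NAA00902: ruleset=check_mail, '
    'arg1="POP login by user "admin" at (203.0.113.7) 203.0.113.7 @example.org", '
    'reject=553 Domain name required',
]

def naive_relay_ips(lines):
    """Match the login string anywhere on the line; injected text satisfies this."""
    return {m["ip"] for line in lines if (m := POP_LOGIN.search(line))}

def strict_relay_ips(lines):
    """Return (trusted IPs, suspicious lines)."""
    trusted, suspicious = set(), []
    for line in lines:
        rec = SYSLOG.match(line)
        if rec is None:
            continue
        login = POP_LOGIN.match(rec["msg"])  # anchored at message start
        if login and rec["prog"] in POP_DAEMONS:
            try:
                trusted.add(str(ipaddress.ip_address(login["ip"])))
            except ValueError:
                suspicious.append(line)  # octet out of range
        elif POP_LOGIN.search(rec["msg"]):
            suspicious.append(line)  # login text from another program or mid-message
    return trusted, suspicious

if __name__ == "__main__":
    print("naive :", sorted(naive_relay_ips(SAMPLE_LOG)))
    trusted, suspicious = strict_relay_ips(SAMPLE_LOG)
    print("strict:", sorted(trusted))
    for line in suspicious:
        print("flag  :", line)
```

Anchoring on the program tag narrows the injection path but does not authenticate the writer, since any local process can log under an arbitrary tag through syslog.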