poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attackers to bypass authentication for relaying by causing a "POP login by user" string that includes the attacker's IP address to be injected into the maillog log file.
poprelayd is a script that parses /var/log/maillog for valid POP logins. When a client logs in to the POP3 service, poprelayd also allows mail to be sent from the IP address that client used to access the system.
poprelayd does not verify which program wrote a given line to /var/log/maillog. A user can therefore pass an arbitrary string to sendmail, which logs it to the file, and poprelayd treats that line as a POP login. This allows a remote user to relay mail through the SMTP server.
The SMTP session below shows such a string being submitted in the mail from: command:
telnet dumbcobalt 25
Connected to dumbcobalt
mail from:"POP login by user "admin" at (22.214.171.124) 126.96.36.199
553 "POP login by user "admin" at (188.8.131.52) 184.108.40.206
@linux.org"...Domain name required
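
The parsing flaw described above, shown as an added example that is not poprelayd's own code and not the 2.0 fix: a matcher that accepts the login string anywhere in a line, beside one that accepts it only as the complete message of a line written by the POP daemon. The syslog tag `pop3d`, the log line layout and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: the POP daemon logs under this syslog tag; adjust to the real one.
TRUSTED_TAGS = {"pop3d"}

LOGIN = r'POP login by user "([^"]+)" at \(([^)]*)\) (\d{1,3}(?:\.\d{1,3}){3})'
# Syslog header: timestamp, host, program[pid]: message
SYSLOG = re.compile(r'^\w{3}\s+\d+ [\d:]{8} (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$')

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    'Jul  3 12:00:01 mail pop3d[812]: POP login by user "alice" at (client.example) 192.0.2.10',
    'Jul  3 12:00:07 mail sendmail[815]: f63C07x00815: <"POP login by user "admin" at '
    '(198.51.100.7) 198.51.100.7 @linux.org>... Domain name required',
    'Jul  3 12:00:09 mail pop3d[820]: connection closed',
]

def naive_relay_ips(lines):
    """Assumed pre-fix behaviour: the pattern is matched anywhere in any line."""
    return {m.group(3) for line in lines for m in [re.search(LOGIN, line)] if m}

def hardened_relay_ips(lines, trusted_tags=TRUSTED_TAGS):
    """Accept a login only when the POP daemon wrote the line and the
    message is exactly a login record, not text embedded in another message."""
    ips = set()
    for line in lines:
        header = SYSLOG.match(line)
        if not header or header.group(2) not in trusted_tags:
            continue  # written by sendmail or another program: ignore
        login = re.fullmatch(LOGIN, header.group(3))
        if login:
            ips.add(login.group(3))
    return ips

if __name__ == "__main__":
    print("naive:   ", sorted(naive_relay_ips(SAMPLE_LOG)))
    print("hardened:", sorted(hardened_relay_ips(SAMPLE_LOG)))
```

The tag check only filters out text echoed into the log by other daemons such as sendmail; any local process that can write to syslog can still choose its own tag, so the log file remains a weak source of authentication.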