Re: Real-world attacks on sendmail CA-2003-07 seen

From: Juan Gallego (Little.Boss@physics.mcgill.ca)
Date: 03/10/03

    Date: Mon, 10 Mar 2003 15:56:22 -0500
    From: Juan Gallego <Little.Boss@physics.mcgill.ca>
    To: Bennett Todd <bet@rahul.net>
    
    

    On 2003-03-10 13:52-0500, Bennett Todd <bet@rahul.net> wrote:

    | Tancsa was right, and that what I was actually seeing was spam
    | that provoked this log message, and not an attempt at exploiting
    | CA-2003-07 after all.

    i have to agree. although i don't have the original messages, i happen to
    log email subjects, and they have spam written all over them.

    hth,

    -- 
    juan
    --- begin syslog snippet (prettified for clarity) ---
    Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: [rbl]subject:Gain 3 \
    		Full Inches In Length[64.15.239.131]
    Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: \
    		from=<nobody@cgi14.interq.net>, size=2351, class=0, nrcpts=1, \
    		msgid=<200303100702.QAA17631@cgi14.interq.net>, proto=SMTP, \
    		daemon=MTA, relay=mail.bigfoot.com [64.15.239.131]
    Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: Dropped invalid \
    		comments from header address
    Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: \
    		to=<pellet@physics.mcgill.ca>, delay=00:00:00, \
    		xdelay=00:00:00, mailer=local, pri=31532, dsn=2.0.0, stat=Sent
    Mar 10 15:13:41 mandos sendmail[18808]: h2AKDeA18808: [rbl]subject:WE HAVE \
    		HELPED 700,000 MEN LIKE YOU [210.157.1.23]
    Mar 10 15:13:42 mandos sendmail[18808]: h2AKDeA18808: \
    		from=<nobody@cgi18.interq.net>, size=2115, class=0, nrcpts=1, \
    		msgid=<200303102015.FAA29778@cgi18.interq.net>, proto=ESMTP, \
    		daemon=MTA, relay=cgi18.interq.net [210.157.1.23]
    Mar 10 15:13:44 mandos sendmail[13178]: h2AKDeA18808: Dropped invalid \
    		comments from header address
    Mar 10 15:13:45 mandos sendmail[13178]: h2AKDeA18808: to=lilleym@balrog, \
    		delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=31531, \
    		relay=balrog.physics.mcgill.ca. [132.206.123.41], dsn=2.0.0, \
    		stat=Sent (PAA04506 Message accepted for delivery)
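One way to do the correlation the message describes (matching a "Dropped invalid comments from header address" event against the logged subject for the same queue ID), as an added example that is not from the post: it parses sendmail syslog lines, groups them by queue ID, and flags any dropped-comments event that has no RBL-tagged subject so a person looks at the relay. The sample log is the snippet above with its continuation lines joined, plus one constructed queue ID; reading the [rbl] prefix as the spam marker is an assumption about the poster's custom subject logging.

```python
import re
from collections import defaultdict

# Sendmail syslog line: "<timestamp> <host> sendmail[<pid>]: <queue id>: <message>".
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
DROPPED = "Dropped invalid comments from header address"
RBL_TAG = "[rbl]subject:"  # poster's custom subject logging; assumed to mark an RBL hit

# Sample input: the two queue IDs from the post (continuation lines joined) plus a
# constructed third queue ID (h2ALe1A19001) that logged no RBL-tagged subject.
SAMPLE_LOG = """\
Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: [rbl]subject:Gain 3 Full Inches In Length[64.15.239.131]
Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: from=<nobody@cgi14.interq.net>, size=2351, class=0, nrcpts=1, msgid=<200303100702.QAA17631@cgi14.interq.net>, proto=SMTP, daemon=MTA, relay=mail.bigfoot.com [64.15.239.131]
Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: Dropped invalid comments from header address
Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: to=<pellet@physics.mcgill.ca>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31532, dsn=2.0.0, stat=Sent
Mar 10 15:13:41 mandos sendmail[18808]: h2AKDeA18808: [rbl]subject:WE HAVE HELPED 700,000 MEN LIKE YOU [210.157.1.23]
Mar 10 15:13:42 mandos sendmail[18808]: h2AKDeA18808: from=<nobody@cgi18.interq.net>, size=2115, class=0, nrcpts=1, msgid=<200303102015.FAA29778@cgi18.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi18.interq.net [210.157.1.23]
Mar 10 15:13:44 mandos sendmail[13178]: h2AKDeA18808: Dropped invalid comments from header address
Mar 10 16:40:01 mandos sendmail[19001]: h2ALe1A19001: from=<someone@example.invalid>, size=980, class=0, nrcpts=1, msgid=<constructed@example.invalid>, proto=ESMTP, daemon=MTA, relay=host.example.invalid [192.0.2.10]
Mar 10 16:40:01 mandos sendmail[19001]: h2ALe1A19001: Dropped invalid comments from header address
"""

def correlate(log_text):
    """Group lines by queue ID and keep the fields needed for triage."""
    per_qid = defaultdict(lambda: {"rbl_subject": None, "relay": None, "dropped": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line, skip it
        entry, msg = per_qid[m["qid"]], m["msg"]
        if msg.startswith(RBL_TAG):
            entry["rbl_subject"] = msg[len(RBL_TAG):].strip()
        elif msg.startswith("from="):
            relay = re.search(r"relay=(\S+(?: \[[^\]]+\])?)", msg)
            entry["relay"] = relay.group(1) if relay else None
        elif msg == DROPPED:
            entry["dropped"] = True
    return dict(per_qid)

def triage(log_text):
    """Verdict per queue ID that logged the dropped-comments message: 'spam-correlated'
    when the same message also carried an RBL-tagged subject (the benign explanation
    the thread settled on), otherwise 'review' so someone checks the relay."""
    return {qid: ("spam-correlated" if e["rbl_subject"] else "review")
            for qid, e in correlate(log_text).items() if e["dropped"]}
```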
    
