Security Basics mailing list archives

Re: Sendmail 8.11 configuration/security issue


From: "Don Voss" <voss () albany edu>
Date: Sat, 04 Jan 2003 07:58:33 -0500

On Fri, 3 Jan 2003 oobs3c02 () attbi com wrote:

The scenario turned up when a person I know received spam with the
sender being spoofed showing amber () mydomain com and recipient being
myfriend () mydomain com. After inspecting the mail headers, we
discovered that the source IP was definitely external. We've scoured
sendmail.org, arachnoid.com, cauce.org and all the books we have and
could not find this scenario specifically mentioned.


Just to answer the above .. it is just a mass mailer virus. 

Current versions have their own SMTP and attempt to "guess" at SMTP
engines from addresses found. I.e.: address found in doc =
fred () someschool edu, virus tries to send by smtp.someschool.edu .

It scans local and net attached drives for addresses in address
book[s], IRC applications, .doc, .hta, .html, .xls + other file
types. It disables various virus checker applications,
inserts/attaches random docs, random subject lines, etc.

Just means you can get email from yourself or a dead person .. 
depending on the documentation data available on the infected unit.

Not sure you should deal with this at the sendmail point .. 

regards,
/don



_______________________________________________________
Don Voss

"Jazz music is an intensified feeling of nonchalance."
 -- Francoise Sagan
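The check the original poster describes (a From: address in the local domain, but the message handed to the local mail servers from an outside IP) can be scripted against the Received headers. The example below is added here and is not part of the thread; it assumes a local domain of mydomain.com, assumes that 192.0.2.0/24 is the address block of the local relays, and uses two constructed messages (one spoofed, one genuinely internal). It walks the Received headers from the top, since only the hops written by your own relays can be trusted; the first IP outside the local block is the boundary where the message entered, which is where a mass mailer connecting directly with its own SMTP engine shows up.

```python
from email import message_from_string
from email.utils import parseaddr
import ipaddress
import re

# Assumptions (not from the original thread): the domain whose senders
# should originate internally, and the address block of the local relays.
LOCAL_DOMAIN = "mydomain.com"
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: topmost Received line is our own relay; the hop below it
# came from an outside host, yet the From: claims a local sender.
SAMPLE_SPOOFED = """Received: from mail.mydomain.com (mail.mydomain.com [192.0.2.10])
    by mx.mydomain.com with ESMTP id aaa111
Received: from someschool.edu (unknown [203.0.113.45])
    by mail.mydomain.com with SMTP id bbb222
From: amber@mydomain.com
To: myfriend@mydomain.com
Subject: hi

body
"""

# Constructed sample: every hop is inside the local block.
SAMPLE_INTERNAL = """Received: from ws17.mydomain.com (ws17.mydomain.com [192.0.2.57])
    by mail.mydomain.com with ESMTP id ccc333
From: amber@mydomain.com
To: myfriend@mydomain.com
Subject: hi

body
"""


def received_ips(msg):
    """Bracketed source IP from each Received header, topmost (newest) first.

    MTAs prepend Received headers, so index 0 is the hop written by the
    last relay to handle the message, i.e. the one we trust most.
    """
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def boundary_ip(ips):
    """First source IP, walking from the top, that is outside the local block.

    Lower (older) Received lines may be forged by the sender, so we stop at
    the first untrusted hop rather than reading the bottom line.
    """
    for ip in ips:
        if not is_local_ip(ip):
            return ip
    return None


def analyze(raw):
    """Flag a message whose From: claims the local domain but which entered
    from outside the local address block."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    origin = boundary_ip(received_ips(msg))
    return {
        "sender_domain": domain,
        "origin_ip": origin,
        "suspect": domain == LOCAL_DOMAIN and origin is not None,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_SPOOFED, SAMPLE_INTERNAL):
        print(analyze(raw))
```

Sendmail itself does not do this comparison; the script is a post-delivery check over headers you already have. If the local relays legitimately accept mail from roaming users or a hosted provider, add those blocks to LOCAL_NETS or the check will flag them too.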
