Bugtraq mailing list archives

Sendmail Vulnerability.


From: alan () MANAWATU GEN NZ (Alan Brown)
Date: Tue, 15 Apr 1997 09:34:40 +1200


In mail going back and forth with Eric Allman and the sendmail team
regarding the massive amount of spamming that's happening using forged
HELOs and other bits'n'pieces, the following item came up:

Sendmail does not do a forward DNS crosscheck on the PTR record
associated with incoming IPs.

I.e., given control of a netblock's in-addr.arpa table, it is trivial to
make mail appear to come from any named machine on the planet, and only a
manual lookup on the IP will show the lie.

I've switched sendmail to being called out of inetd.conf with a PARANOID
hosts.deny entry.

In light of the tactics that various spammers are using - particularly
Quantcom.com (supplied by AGIS), I expect that they'll start using DNS
spoofing shortly. Quantcom is the most aggressive site at the moment and
have started sending spam with threats attached. I am currently taking
upwards of 80 items per day in my admin mailboxes, relayhosted through
a different site almost every time.

Currently I have some 135 hosts.deny lines against sendmail to lock out
problem netblocks and domains. IMO if they're prevented from accessing the
sendmail process it's a good thing, particularly as when calling it with
-bs from inetd.conf, many of the load-reducing checks are bypassed. :-(

AB
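The forward crosscheck the post says sendmail skips (the same test tcp_wrappers' PARANOID performs) as an added example, not code from the post or from sendmail: take the PTR name for the connecting IP, resolve that name forward, and require the original IP to be among the answers. The zone table is constructed from RFC 5737 documentation ranges so the script runs offline; the `system_*` helpers are an assumed OS-resolver backend for real use.

```python
import socket

# Constructed zone data for offline demonstration (RFC 5737 documentation
# ranges; no real hosts). Imagine the 192.0.2.0/24 reverse zone is under a
# spammer's control, as the post describes: they can point its PTRs anywhere.
PTR_TABLE = {
    "198.51.100.5": ["mail.example.com."],  # honest: forward lookup agrees
    "192.0.2.10": ["mail.example.com."],    # forged PTR borrowing a real name
}
A_TABLE = {
    "mail.example.com": ["198.51.100.5"],
}

def table_ptr(ip):
    return PTR_TABLE.get(ip, [])

def table_a(name):
    return A_TABLE.get(name, [])

def system_ptr(ip):
    """PTR lookup through the OS stub resolver; empty list when none exists."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases

def system_a(name):
    """IPv4 forward lookup through the OS stub resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def fcrdns_check(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Forward-confirmed reverse DNS. Returns (verdict, name) where verdict is
    'ok' (a PTR name resolves back to ip), 'no_ptr' (no reverse record at all)
    or 'mismatch' (PTR exists but its forward addresses do not include ip)."""
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr", None
    for raw in names:
        name = raw.rstrip(".").lower()
        if ip in set(a_lookup(name)):
            return "ok", name
    return "mismatch", names[0].rstrip(".").lower()

if __name__ == "__main__":
    for ip in ("198.51.100.5", "192.0.2.10", "192.0.2.20"):
        verdict, name = fcrdns_check(ip, table_ptr, table_a)
        print(f"{ip:>14} -> {verdict:8} {name or '-'}")
```

A PARANOID-style policy rejects both `no_ptr` and `mismatch`; the forged 192.0.2.10 entry shows why the PTR name alone proves nothing.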
