Security Incidents mailing list archives
Re: Real-world attacks on sendmail CA-2003-07 seen
From: Mike Tancsa <mike () sentex net>
Date: Fri, 07 Mar 2003 19:57:32 -0500
Are you sure its just not ill formatted spam ? I noticed Monday afternoon I had a few such warning messages. e.g.
smtp1# grep h24HAgAi019889 maillog Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filterMar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody () cgi10 interq net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056 () cgi10 interq net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15] Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spambox () sentex net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery) Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#But looking at the message, and looking at the same message (spam) from a few days prior it was due to the some of the obfuscation techniques the spammer was trying to use to hide the origin.
---Mike
At 12:37 PM 07/03/2003 -0500, Bennett Todd wrote:
Just a heads-up everyone, the sendmail header parsing buffer overflow announced this last Monday, as (among other things) CERT CA-2003-07[1] is now being actively exploited on the internet. We logged received msgs that triggered the truncator code this morning at about 3 in the morning, US/Eastern; three different attacks spread over two different MX hosts. -Bennett [1] <URL:http://www.cert.org/advisories/CA-2003-07.html>
---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 07)
- Re: Real-world attacks on sendmail CA-2003-07 seen Mike Tancsa (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Jeff Kell (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen jlewis (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Juan Gallego (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen gabriel rosenkoetter (Mar 11)
- Re: Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Mike Tancsa (Mar 10)
- <Possible follow-ups>
- Re: Real-world attacks on sendmail CA-2003-07 seen Curt Wilson (Mar 10)
- RE: Real-world attacks on sendmail CA-2003-07 seen Barry Kokotailo (Mar 10)
- Re: Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 10)