Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Real-world attacks on sendmail CA-2003-07 seen
From: Mike Tancsa <mike () sentex net>
Date: Fri, 07 Mar 2003 19:57:32 -0500
Are you sure its just not ill formatted spam ? I noticed Monday afternoon I had a few such warning messages. e.g. 

smtp1# grep h24HAgAi019889 maillog
Mar  4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody () cgi10 interq net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056 () cgi10 interq net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15] Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spambox () sentex net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery) Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1 
smtp1#
But looking at the message, and looking at the same message (spam) from a few days prior it was due to the some of the obfuscation techniques the spammer was trying to use to hide the origin. 

        ---Mike

At 12:37 PM 07/03/2003 -0500, Bennett Todd wrote:

Just a heads-up everyone, the sendmail header parsing buffer
overflow announced this last Monday, as (among other things) CERT
CA-2003-07[1] is now being actively exploited on the internet.

We logged received msgs that triggered the truncator code this
morning at about 3 in the morning, US/Eastern; three different
attacks spread over two different MX hosts.

-Bennett

[1] <URL:http://www.cert.org/advisories/CA-2003-07.html>



----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]