Are you sure its just not ill formatted spam ? I noticed Monday afternoon I
had a few such warning messages. e.g.
smtp1# grep h24HAgAi019889 maillog
Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889:
from=<nobody_at_cgi10.interq.net>, size=2263, class=0, nrcpts=1,
msgid=<200303041655.BAA17056_at_cgi10.interq.net>, proto=ESMTP, daemon=MTA,
relay=cgi10.interq.net [210.157.1.15]
Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing
connect on smtp1.sentex.ca
Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid
comments from header address
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889:
to=<spambox_at_sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp,
pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0,
stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done;
delay=00:00:10, ntries=1
smtp1#
But looking at the message, and looking at the same message (spam) from a
few days prior it was due to the some of the obfuscation techniques the
spammer was trying to use to hide the origin.
---Mike
At 12:37 PM 07/03/2003 -0500, Bennett Todd wrote:
>Just a heads-up everyone, the sendmail header parsing buffer
>overflow announced this last Monday, as (among other things) CERT
>CA-2003-07[1] is now being actively exploited on the internet.
>
>We logged received msgs that triggered the truncator code this
>morning at about 3 in the morning, US/Eastern; three different
>attacks spread over two different MX hosts.
>
>-Bennett
>
>[1] <URL:http://www.cert.org/advisories/CA-2003-07.html>
----------------------------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Received on Mar 10 2003
Intro
