Incidents
Real-world attacks on sendmail CA-2003-07 seen Mar 07 2003 05:37PM
Bennett Todd (bet rahul net) (2 replies)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 08 2003 03:31AM
jlewis lewis org (1 replies)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 10 2003 06:52PM
Bennett Todd (bet rahul net) (1 replies)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 10 2003 08:56PM
Juan Gallego (Little Boss physics mcgill ca) (1 replies)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 11 2003 02:30AM
gabriel rosenkoetter (gr eclipsed net)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 08 2003 12:57AM
Mike Tancsa (mike sentex net) (2 replies)

Are you sure it's just not ill-formatted spam? I noticed Monday afternoon I
had a few such warning messages, e.g.

smtp1# grep h24HAgAi019889 maillog
Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody@cgi10.interq.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spambox@sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#

But looking at the message, and looking at the same message (spam) from a
few days prior, it was due to some of the obfuscation techniques the
spammer was trying to use to hide the origin.

---Mike

At 12:37 PM 07/03/2003 -0500, Bennett Todd wrote:
>Just a heads-up everyone, the sendmail header parsing buffer
>overflow announced this last Monday, as (among other things) CERT
>CA-2003-07[1] is now being actively exploited on the internet.
>
>We logged received msgs that triggered the truncator code this
>morning at about 3 in the morning, US/Eastern; three different
>attacks spread over two different MX hosts.
>
>-Bennett
>
>[1] <URL:http://www.cert.org/advisories/CA-2003-07.html>

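An added example, not part of any post in this thread, that does in Python what Mike's grep did by hand: it parses sendmail syslog lines, picks out every queue ID for which sendmail logged "Dropped invalid comments from header address", and joins that with the message's from=/relay= line so each hit is tied to the envelope sender and the connecting host. The sample log is constructed: the first message reproduces the excerpt quoted above (with the archive's address obfuscation undone), and the other two are made up, using example.org and 192.0.2.0/24 addresses. Note from the quoted log that the warning comes from the delivery child (PID 19914), not the process that accepted the message (PID 19889), so the join has to be on queue ID rather than PID. As both posts observe, a hit can just as well be badly formatted spam, so the output is a triage list of sources to look at, not evidence of exploitation.

```python
"""Correlate sendmail 'Dropped invalid comments from header address' warnings
with the envelope sender and relay of the message that triggered them."""
import re
from collections import Counter

# Constructed sample log. Message h24HAgAi019889 is the excerpt quoted in the
# thread; h24HF2Ab019950 (clean) and h2482Bxx021003 (flagged, null sender,
# no reverse DNS) are made up for illustration.
SAMPLE_LOG = """\
Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody@cgi10.interq.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spambox@sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
Mar 4 12:15:02 smtp1 sendmail[19950]: h24HF2Ab019950: from=<alice@example.org>, size=1024, class=0, nrcpts=1, msgid=<20030304121500.GA1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Mar 4 12:15:03 smtp1 sendmail[19951]: h24HF2Ab019950: to=<bob@sentex.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (ok)
Mar 4 12:20:11 smtp1 sendmail[21003]: h2482Bxx021003: from=<>, size=4100, class=0, nrcpts=1, msgid=<none@[192.0.2.77]>, proto=SMTP, daemon=MTA, relay=[192.0.2.77]
Mar 4 12:20:12 smtp1 sendmail[21010]: h2482Bxx021003: Dropped invalid comments from header address
"""

# syslog prefix, sendmail PID, queue ID, then the free-form message part
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
RELAY_RE = re.compile(r"relay=([^,]+)")   # relay is "host [ip]" or "[ip]"; no commas inside
DROP_MSG = "Dropped invalid comments from header address"


def parse_line(line):
    """Split one syslog line into its sendmail fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Return {queue_id: {ts, pid, sender, relay}} for every message whose header
    parsing produced the 'Dropped invalid comments' warning.

    Envelope data (from=, relay=) is logged by the process that accepted the
    message; the warning may come from a different process (the delivery
    child in the quoted log), so the two are joined on queue ID.
    """
    envelopes = {}   # qid -> sender/relay from the from= line
    flagged = {}     # qid -> when/where the warning was logged
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qid, msg = rec["qid"], rec["msg"]
        if msg.startswith("from="):
            fm = FROM_RE.search(msg)
            rm = RELAY_RE.search(msg)
            envelopes[qid] = {
                "sender": fm.group("sender") if fm else None,
                "relay": rm.group(1).strip() if rm else None,
            }
        elif msg == DROP_MSG:
            flagged[qid] = {"ts": rec["ts"], "pid": rec["pid"]}
    # Join after reading everything; a from= line that rotated out of this
    # file simply yields sender/relay None rather than dropping the hit.
    return {qid: {**info, **envelopes.get(qid, {"sender": None, "relay": None})}
            for qid, info in flagged.items()}


def count_by_relay(events):
    """How many flagged messages each relay sent, for ranking sources to look at."""
    return Counter(e["relay"] for e in events.values())


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG)
    for qid, e in hits.items():
        print(f"{e['ts']} {qid} relay={e['relay']} from=<{e['sender']}> (pid {e['pid']})")
    for relay, n in count_by_relay(hits).most_common():
        print(f"{n:3d}  {relay}")
```

Run it as `python3 script.py < /dev/null` with SAMPLE_LOG swapped for the contents of your maillog (for example by reading `sys.stdin`); the per-relay count is the useful first cut, since a single host producing many hits against several MX hosts looks different from one spammer's obfuscated mailing. Whether a given hit is the CA-2003-07 attack or just malformed spam still requires looking at the message itself, as Mike did.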
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 10 2003 06:40PM
Jeff Kell (jeff-kell utc edu)
Re: Real-world attacks on sendmail CA-2003-07 seen Mar 09 2003 02:41PM
Bennett Todd (bet rahul net) (1 replies)
Copyright 2009, SecurityFocus