Date: Tue, 04 Mar 2003 12:46:38 -0500
From: Mike Tancsa <mike@sentex.net>
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Checking for sendmail attacked (was Re: SA-03:04.sendmail Bin Update)
Message-ID: <5.2.0.9.0.20030304124221.04e55460@marble.sentex.ca>
In-Reply-To: <20030304150629.GB92031@madman.celabo.org>
References: <ECEPLGOFLCLKKCNAGCBHGEFEDIAA.chris@digitaldeck.com> <5.2.0.9.0.20030303122518.056f4300@marble.sentex.ca> <ECEPLGOFLCLKKCNAGCBHGEFEDIAA.chris@digitaldeck.com>

At 09:06 AM 04/03/2003 -0600, Jacques A. Vidrine wrote:
>The patch added a new log message which you can check for.  Do
>`strings /path/to/sendmail | grep Dropped'.
>
>   % strings ./sendmail-4.6-i386-crypto.bin| grep Dropped
>   Dropped invalid comments from header address

Interesting, I am seeing this show up in my logs due to some poorly formatted spam. (LOGLevel up to 12)

smtp1# grep h24HAgAi019889 maillog
Mar  4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody@cgi10.interq.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar  4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<slijboom@sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#

Is there a more definitive way to see if someone is actively trying to exploit the issue?

        ---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
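
One way to triage hits of the new log message, as an added example that is not part of the original e-mail or of sendmail: join each queue ID that logged "Dropped invalid comments from header address" to the from= line of the same queue ID, so the envelope sender and sending relay are visible per hit. The function name, sample log lines, host names and addresses are constructed; the field layout is assumed to match the maillog excerpt above.

```shell
#!/bin/sh
# Added example: correlate the patched sendmail's log message with the
# envelope sender and relay recorded under the same queue ID.

# dropped_by_relay [FILE...]  -> one line per queue ID: "qid sender relay"
# Reads stdin when no file is given.
dropped_by_relay() {
    awk '
    # Assumed layout: Mon DD HH:MM:SS host sendmail[pid]: qid: text
    $5 ~ /^sendmail\[[0-9]+\]:$/ {
        qid = $6; sub(/:$/, "", qid)
        if ($7 ~ /^from=/) {
            sender[qid] = $7
            sub(/^from=/, "", sender[qid]); sub(/,$/, "", sender[qid])
            # On from= lines relay= is the last field and may hold "[ip]"
            if (match($0, /relay=.*$/)) relay[qid] = substr($0, RSTART + 6)
        }
        if (index($0, "Dropped invalid comments from header address")) {
            if (!(qid in hit)) order[++n] = qid   # keep first-seen order
            hit[qid]++
        }
    }
    END {
        # Printed at the end so the from= line may come before or after the hit
        for (i = 1; i <= n; i++) {
            q = order[i]
            printf "%s %s %s\n", q, ((q in sender) ? sender[q] : "-"), ((q in relay) ? relay[q] : "-")
        }
    }' "$@"
}

# Constructed sample input (not real log data): one message that triggered
# the log line and one that did not.
sample_log() {
    cat <<'EOF'
Mar  4 12:10:48 mx1 sendmail[101]: h24AAAAA000101: from=<a@example.net>, size=2263, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.15]
Mar  4 12:10:55 mx1 sendmail[102]: h24AAAAA000101: Dropped invalid comments from header address
Mar  4 12:11:02 mx1 sendmail[103]: h24BBBBB000103: from=<b@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host2.example.org [192.0.2.77]
Mar  4 12:11:03 mx1 sendmail[104]: h24BBBBB000103: to=<user@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [192.0.2.9], dsn=2.0.0, stat=Sent
EOF
}

sample_log | dropped_by_relay
```

Against a real log, call it as `dropped_by_relay maillog`. A hit shows that the patched binary rewrote a header address; it does not by itself separate malformed spam from an exploit attempt.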