Date:      Tue, 04 Mar 2003 12:46:38 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Cc:        security@FreeBSD.ORG
Subject:   Checking for sendmail attacked (was Re: SA-03:04.sendmail Bin Update)
Message-ID:  <5.2.0.9.0.20030304124221.04e55460@marble.sentex.ca>
In-Reply-To: <20030304150629.GB92031@madman.celabo.org>
References:  <ECEPLGOFLCLKKCNAGCBHGEFEDIAA.chris@digitaldeck.com> <5.2.0.9.0.20030303122518.056f4300@marble.sentex.ca> <ECEPLGOFLCLKKCNAGCBHGEFEDIAA.chris@digitaldeck.com>

At 09:06 AM 04/03/2003 -0600, Jacques A. Vidrine wrote:
>The patch added a new log message which you can check for.  Do
>`strings /path/to/sendmail | grep Dropped'.
>
>   % strings ./sendmail-4.6-i386-crypto.bin| grep Dropped
>   Dropped invalid comments from header address


Interesting, I am seeing this show up in my logs due to some poorly 
formatted spam. (LOGLevel up to 12)

smtp1# grep h24HAgAi019889 maillog
Mar  4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody@cgi10.interq.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar  4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<slijboom@sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#

Is there a more definitive way to see if someone is actively trying to 
exploit the issue?

         ---Mike 
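
A triage aid for the log check discussed above, added here as an example and not part of the original message or of the FreeBSD or sendmail code: it groups the queue IDs that logged the new message by the relay recorded on the matching from= line. The sample log is constructed (reserved example hosts), entries are assumed to be one per line as in the maillog file itself, and because malformed spam produces the same line, as the message reports, a hit marks a relay to look at rather than proof of an exploit attempt.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog entries quoted in the message
# above; hosts and addresses are reserved documentation values.
SAMPLE_LOG = """\
Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<a@mail.example.net>, size=2263, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.15]
Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar  4 12:11:02 smtp1 sendmail[19920]: h24HB1Ai019920: from=<b@host.example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host.example.org [198.51.100.7]
Mar  4 12:11:05 smtp1 sendmail[19931]: h24HB3Ai019931: from=<c@mail.example.net>, size=4100, class=0, nrcpts=2, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.15]
Mar  4 12:11:06 smtp1 sendmail[19940]: h24HB3Ai019931: Dropped invalid comments from header address
Mar  4 12:11:09 smtp1 sendmail[19941]: h24HB9Ai019941: Dropped invalid comments from header address
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY = re.compile(r"^from=.*\brelay=(?P<relay>.+)$")
MARKER = "Dropped invalid comments from header address"
UNKNOWN = "(no from= line in this log)"  # hypothetical label for unmatched IDs


def dropped_by_relay(log_text):
    """Map each sending relay to the queue IDs that logged MARKER."""
    relay_of = {}   # queue ID -> relay taken from its from= line
    flagged = []    # queue IDs that logged MARKER, in log order
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        r = RELAY.match(rest)
        if r:
            relay_of[qid] = r.group("relay").strip()
        elif rest.startswith(MARKER) and qid not in flagged:
            flagged.append(qid)
    # Resolve relays after the full pass so line order does not matter.
    report = defaultdict(list)
    for qid in flagged:
        report[relay_of.get(qid, UNKNOWN)].append(qid)
    return dict(report)


if __name__ == "__main__":
    hits = dropped_by_relay(SAMPLE_LOG)
    for relay, qids in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(qids):3d}  {relay}  {' '.join(qids)}")
```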

