procmail

Re: SpamDunk Project spamfilter July 4 update

1998-07-07 21:08:27
Jacques Gauthier wrote:

> 1. Added a recipe to detect spam exploiting a security hole
>    in sendmail 8.8
>
> What security hole? Do earlier versions have the
> same security hole?
  I don't know about earlier versions.  The problem in 8.8
is particularly annoying when trying to track down spammers
who use open relays.  The open relay part is bad enough.
However, if a HELO to sendmail 8.8 is longer than 1024
characters, then
  - a buffer overflow occurs
  - all preceding "Received:" headers get wiped out
  - the "Received:" header at the injection point
    becomes the first 1024 bytes of the HELO message,
    which is usually garbage
  This makes it impossible to track down the original sender
from the headers.  The only option left is to use the
relay's timestamp and ask the relay site to look up their
logs and hope that the IP address of the originating machine
was logged.  My spam filter simply looks for any "Received:"
header in excess of 1000 characters long.
  I'm not familiar with sendmail at all.  I've heard that it
may be possible to set a rule that rejects long HELOs.  Of
course, it's even easier to set a rule that rejects relay
attempts altogether (sigh).

  See the following archived article for a detailed
discussion and suggestions for countermeasures...
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199805/sendmailhelo.txt

-- 
Walter Dnes <waltdnes(_at_)interlog(_dot_)com> procmail spamfilter
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
Why a fiscal conservative opposes Toronto 2008 OWE-lympics
http://www.interlog.com/~waltdnes/owe-lympics/owe-lympics.htm
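
The header-length check described in the reply above, written out as an added example in Python; it is not the SpamDunk filter's own procmail recipe and is not code from the original message. It parses the header block of a raw RFC 822 message, unfolds continuation lines so that a header split across physical lines is measured whole (procmail's `^Received:` match sees one physical line at a time), and flags any Received: header whose value exceeds 1000 characters. The two sample messages, the host names in the example.* domains, and the sendmail version string on the receiving MX are constructed for the example.

```python
"""Flag mail whose Received: headers look like HELO-overflow garbage.

Added example, not from the SpamDunk filter.  It implements the check the
reply describes (any Received: header longer than 1000 characters) over a
raw RFC 822 message, unfolding folded header lines first.
"""

RECEIVED_LIMIT = 1000  # threshold used in the reply: "in excess of 1000 characters"


def parse_headers(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Return (name, value) pairs from the header block of a raw message.

    Folded continuation lines (starting with SP or HTAB) are appended to the
    previous header's value; everything after the first blank line (the body)
    is ignored.  Names are lower-cased for comparison.
    """
    text = raw.replace(b"\r\n", b"\n")
    head = text.split(b"\n\n", 1)[0]
    headers: list[tuple[bytes, bytes]] = []
    for line in head.split(b"\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip it rather than trust hostile input
        headers.append((name.strip().lower(), value.strip()))
    return headers


def long_received_headers(raw: bytes, limit: int = RECEIVED_LIMIT) -> list[tuple[int, int]]:
    """Return (position, length) for each Received: header longer than limit."""
    return [
        (i, len(value))
        for i, (name, value) in enumerate(parse_headers(raw))
        if name == b"received" and len(value) > limit
    ]


def looks_like_helo_overflow(raw: bytes) -> bool:
    """True when at least one Received: header exceeds the limit."""
    return bool(long_received_headers(raw))


# Constructed sample messages (hypothetical hosts; not real mail).
HELO_GARBAGE = b"x" * 1024  # stands in for the first 1024 bytes of an oversized HELO
SUSPECT_MESSAGE = b"".join([
    b"Received: from relay.example.net (relay.example.net [192.0.2.10])\n",
    b"\tby mx.example.org (8.9.1/8.9.1) with ESMTP id AAA00001\n",
    b"\tfor <victim@example.org>; Tue, 7 Jul 1998 21:08:27 -0400\n",
    b"Received: from ", HELO_GARBAGE, b"\n",   # relay's header: only the garbage survives
    b"From: spammer@example.com\n",
    b"Subject: spam\n",
    b"\n",
    b"body\n",
])
CLEAN_MESSAGE = b"".join([
    b"Received: from relay.example.net (relay.example.net [192.0.2.10])\n",
    b"\tby mx.example.org (8.9.1/8.9.1) with ESMTP id AAA00002\n",
    b"\tfor <someone@example.org>; Tue, 7 Jul 1998 21:10:00 -0400\n",
    b"Received: from sender.example.com (sender.example.com [198.51.100.7])\n",
    b"\tby relay.example.net (8.8.8/8.8.8) with SMTP id VAA12345\n",
    b"From: friend@example.com\n",
    b"Subject: hello\n",
    b"\n",
    b"body\n",
])

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, long_received_headers(msg), looks_like_helo_overflow(msg))
```

For the suspect message the flagged header is the relay's own (position 1, 1029 bytes: "from " plus the 1024-byte HELO), while the MX's header above it is intact; that matches the reply's description of only the preceding hops being lost. Any mail matching this check still carries the relay's timestamp in the surviving header, which is the starting point for the log lookup the reply describes.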
