false alarms by real secure

From: Danton Nunes (dantonat_private)
Date: Tue Feb 29 2000 - 11:39:04 PST


    Real secure traps incoming packets on tcp/25 containing certain strings
    that suggest a message being directed to a program (to:|something). It
    seems not to distinguish between message headers and message contents and
    sounds a false alarm when a message or an attachment to a message contains
    something like 'mailbox:/c|/some/funny/place'.
    
    It is possible to launch a DoS attack against firewalls with realsecure
    just by sending a number of e-mails containing the offending pattern. The
    message is not delivered, returning to sendmail w/ I/O error. sendmail
    requeues and tries again later, making the alarm ring over and over again.
    
    I don't understand why realsecure mistakes normal e-mail text for an
    attack against sendmail (most versions are not vulnerable anyway). Amazingly,
    this behaviour is documented as a 'feature'.
    
    
    --
    Danton Nunes      |Informática, Consultoria e Serviços de Acesso à Internet
    InterNexo Ltda.   |  http://www.inexo.com.br/  mailto:dantonat_private
    S.J.Campos,BRASIL |  PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5
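
Added example, not part of the original post and not RealSecure's actual rule: a context-free string match over tcp/25 traffic compared with a check that tracks SMTP state, so that only the envelope and recipient headers are inspected and body text is ignored. The regexes, function names and sample sessions are assumptions constructed for illustration.

```python
import re

# Assumed stand-in for a context-free signature: a colon, then a pipe later in
# the same token. RealSecure's actual rule is not given in the post.
NAIVE = re.compile(r":[^\s|]*\|")
# Pipe recipient in the SMTP envelope or in a recipient header field.
ENVELOPE = re.compile(r"^RCPT\s+TO:\s*<?\s*\|", re.I)
HEADER = re.compile(r"^(To|Cc|Bcc):\s*<?\s*\|", re.I)


def naive_alerts(lines):
    """Line numbers a context-free string match would flag."""
    return [n for n, line in enumerate(lines, 1) if NAIVE.search(line)]


def stateful_alerts(lines):
    """Line numbers flagged when SMTP state (command/headers/body) is tracked."""
    state, hits = "command", []
    for n, line in enumerate(lines, 1):   # lines are assumed CRLF-stripped
        if state == "command":
            if ENVELOPE.match(line):
                hits.append(n)
            elif line.strip().upper() == "DATA":
                state = "headers"
        elif line == ".":                 # end of DATA; dot-stuffed lines start with ".."
            state = "command"
        elif state == "headers":
            if line == "":                # blank line separates headers from body
                state = "body"
            elif HEADER.match(line):
                hits.append(n)
        # state == "body": message text and attachments are never matched
    return hits


# Constructed client-side SMTP sessions (not captured traffic).
BENIGN = [
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "To: bob@example.org",
    "Subject: bookmark",
    "",
    "see mailbox:/c|/some/funny/place",
    ".",
]
SUSPECT = ["MAIL FROM:<alice@example.org>", "RCPT TO:<|something>", "DATA",
           "Subject: x", "", "hello", "."]
```

On the benign session only the context-free match fires (on the body line), which is the false alarm described in the message; both checks still flag the pipe recipient in the envelope.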
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:17 PDT