Re: Real-world attacks on sendmail CA-2003-07 seen

From: Mike Tancsa (mikeat_private)
Date: Fri Mar 07 2003 - 16:57:32 PST


    Are you sure it's not just ill-formatted spam? I noticed Monday afternoon I 
    had a few such warning messages. e.g.
    
    smtp1# grep h24HAgAi019889 maillog
    Mar  4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
    Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobodyat_private>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056at_private>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
    Mar  4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
    Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
    Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spamboxat_private>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
    Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
    smtp1#
    
    
    But looking at the message, and at the same message (spam) from a few 
    days prior, it was due to some of the obfuscation techniques the spammer 
    was trying to use to hide the origin.
    
             ---Mike
    
    At 12:37 PM 07/03/2003 -0500, Bennett Todd wrote:
    >Just a heads-up everyone, the sendmail header parsing buffer
    >overflow announced this last Monday, as (among other things) CERT
    >CA-2003-07[1] is now being actively exploited on the internet.
    >
    >We logged received msgs that triggered the truncator code this
    >morning at about 3 in the morning, US/Eastern; three different
    >attacks spread over two different MX hosts.
    >
    >-Bennett
    >
    >[1] <URL:http://www.cert.org/advisories/CA-2003-07.html>
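    Mike's grep by queue ID, turned into a small log-correlation script, as an added example that is not part of the original thread: it groups sendmail maillog lines by queue ID, flags the ones carrying the "Dropped invalid comments from header address" message, and reports the envelope sender and relay so the message itself can be pulled and examined. The sample log lines are constructed for this example (modelled on the lines above, with hosts and addresses replaced by documentation names). As Mike's reply points out, a hit here only says the header parser stripped something, not whether the sender was an exploit attempt against the CA-2003-07 bug or a badly formed spam run, so the output is a triage list, not a verdict; the fix for the advisory itself is still to patch sendmail.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the original post): queue IDs, hosts
# and addresses are made up, following the shape of the lines in the thread.
SAMPLE_MAILLOG = """\
Mar  4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody@example.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@example.net>, proto=ESMTP, daemon=MTA, relay=cgi10.example.net [192.0.2.15]
Mar  4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.example.com
Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<spambox@example.com>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.example.com. [192.0.2.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
Mar  4 12:12:01 smtp1 sendmail[19930]: h24HC1xy019930: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.20]
Mar  4 12:12:02 smtp1 sendmail[19931]: h24HC1xy019930: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
"""

# syslog timestamp, host, "sendmail[pid]:", queue ID, then the free-form rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$"
)
# key=value pairs as sendmail writes them: either <angle-bracketed> or a bare
# token, optionally followed by " [ip]" (the relay= field has that shape).
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+(?: \[[^\]]*\])?)")

# The message Mike saw in his log; matched literally.
DROPPED = "Dropped invalid comments from header address"


def parse_maillog(text):
    """Group sendmail log lines by queue ID (the key Mike grepped on)."""
    by_qid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-sendmail or unparseable lines are skipped
            by_qid[m["qid"]].append(m.groupdict())
    return by_qid


def envelope(entries):
    """Pull from= and relay= out of the 'from=' line of one queue ID."""
    for e in entries:
        if e["msg"].startswith("from="):
            kv = dict(KV_RE.findall(e["msg"]))
            return kv.get("from"), kv.get("relay")
    return None, None


def flag_header_anomalies(by_qid):
    """Return one record per queue ID whose log carries the DROPPED message,
    with the envelope sender and relay for follow-up."""
    hits = []
    for qid, entries in by_qid.items():
        if any(DROPPED in e["msg"] for e in entries):
            sender, relay = envelope(entries)
            hits.append({"qid": qid, "from": sender, "relay": relay})
    return hits


if __name__ == "__main__":
    for hit in flag_header_anomalies(parse_maillog(SAMPLE_MAILLOG)):
        print(f"{hit['qid']}: from={hit['from']} relay={hit['relay']}")
```

    Run it against a real maillog by reading the file into `parse_maillog` instead of `SAMPLE_MAILLOG`; the relay column is the field worth comparing against the hosts Bennett's MX hosts logged, since the same sender hitting several MXes at once looks very different from a single spam run.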
    
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 09:17:29 PST