Re: Real-world attacks on sendmail CA-2003-07 seen

From: Juan Gallego (Little.Bossat_private)
Date: Mon Mar 10 2003 - 12:56:22 PST

Next message: Thomas Schmitz: "Re: Increase in Scans of Port 445?"

Previous message: Jeremy Junginger: "UPDATE: Possibly Unknown Virus? Care to help me analyze?!?"
In reply to: Bennett Todd: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: gabriel rosenkoetter: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
Reply: gabriel rosenkoetter: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2003-03-10 13:52-0500, Bennett Todd <betat_private> wrote:

| Tancsa was right, and that what I was actually seeing was spam
| that provoked this log message, and not an attempt at exploiting
| CA-2003-07 after all.

i have to agree. althought i don't have the original messages, i happen to
log email subjects, and they have spam written all over them.

hth,
-- 
juan

--- begin syslog snippet (prettified for clarity) ---

Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: [rbl]subject:Gain 3 \
		Full Inches In Length[64.15.239.131]
Mar 10 02:01:04 mandos sendmail[18722]: h2A70mA18722: \
		from=<nobodyat_private>, size=2351, class=0, nrcpts=1, \
		msgid=<200303100702.QAA17631at_private>, proto=SMTP, \
		daemon=MTA, relay=mail.bigfoot.com [64.15.239.131]
Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: Dropped invalid \
		comments from header address
Mar 10 02:01:04 mandos sendmail[14378]: h2A70mA18722: \
		to=<pelletat_private>, delay=00:00:00, \
		xdelay=00:00:00, mailer=local, pri=31532, dsn=2.0.0, stat=Sent
Mar 10 15:13:41 mandos sendmail[18808]: h2AKDeA18808: [rbl]subject:WE HAVE \
		HELPED 700,000 MEN LIKE YOU [210.157.1.23]
Mar 10 15:13:42 mandos sendmail[18808]: h2AKDeA18808: \
		from=<nobodyat_private>, size=2115, class=0, nrcpts=1, \
		msgid=<200303102015.FAA29778at_private>, proto=ESMTP, \
		daemon=MTA, relay=cgi18.interq.net [210.157.1.23]
Mar 10 15:13:44 mandos sendmail[13178]: h2AKDeA18808: Dropped invalid \
		comments from header address
Mar 10 15:13:45 mandos sendmail[13178]: h2AKDeA18808: to=lilleym@balrog, \
		delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=31531, \
		relay=balrog.physics.mcgill.ca. [132.206.123.41], dsn=2.0.0, \
		stat=Sent (PAA04506 Message accepted for delivery)

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: Thomas Schmitz: "Re: Increase in Scans of Port 445?"
Previous message: Jeremy Junginger: "UPDATE: Possibly Unknown Virus? Care to help me analyze?!?"
In reply to: Bennett Todd: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: gabriel rosenkoetter: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
Reply: gabriel rosenkoetter: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 14:13:25 PST