From owner-freebsd-security Tue Jun 15 1:29: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shaper.fast.net.uk (shaper.fast.net.uk [194.207.104.25]) by hub.freebsd.org (Postfix) with ESMTP id 51E8014D98 for ; Tue, 15 Jun 1999 01:28:56 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from office0 ([192.168.0.110]) by shaper.fast.net.uk (8.8.8/8.8.7) with SMTP id JAA26698 for ; Tue, 15 Jun 1999 09:39:58 +0100 (BST)
Message-Id: <3.0.6.32.19990615092904.00943210@192.168.0.100>
X-Sender: netadmi@192.168.0.100
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Tue, 15 Jun 1999 09:29:04 +0100
To: security@FreeBSD.ORG
From: FastNet Admin
Subject: Re: New Attack via sendmail?
In-Reply-To: <199906141930.VAA14403@office.omc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

At 21:30 14/06/99 +0200, Lutz Rabing wrote:
>
>I've seen some pretty strange lines in syslog of one of our webservers.
>
>The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
>swap space before, in fact it's not using swap space at all under normal
>conditions.
>

I saw something like this and it appeared to be caused by a process called procmail that was spawning across the system using huge amounts of memory and processor capability. Though I never got totally to the bottom of this, it appeared as if stupidly large emails being delivered locally invoked procmail. Procmail then swallowed all the resources till the system eventually crashed with out of swap errors. This happened several times.

It appears as if a log file being mailed to a user account was the cause of the problem and I have stopped this routine from happening. If I get the same thing again I'll set an email size limit of something like 30MB.
Regards
Ian Robertson
FastNet International Ltd