From owner-freebsd-security Tue Mar 4 9:42: 4 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9FA037B401; Tue, 4 Mar 2003 09:42:01 -0800 (PST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D7D443F93; Tue, 4 Mar 2003 09:42:01 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.7) with ESMTP id h24HfxtB008198; Tue, 4 Mar 2003 12:42:00 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030304124221.04e55460@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Tue, 04 Mar 2003 12:46:38 -0500
To: "Jacques A. Vidrine"
From: Mike Tancsa
Subject: Checking for sendmail attacked (was Re: SA-03:04.sendmail Bin Update)
Cc: security@FreeBSD.ORG
In-Reply-To: <20030304150629.GB92031@madman.celabo.org>
References: <5.2.0.9.0.20030303122518.056f4300@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 09:06 AM 04/03/2003 -0600, Jacques A. Vidrine wrote:
>The patch added a new log message which you can check for. Do
>`strings /path/to/sendmail | grep Dropped'.
>
> % strings ./sendmail-4.6-i386-crypto.bin| grep Dropped
> Dropped invalid comments from header address

Interesting, I am seeing this show up in my logs due to some poorly formatted spam.
(LOGLevel up to 12)

smtp1# grep h24HAgAi019889 maillog
Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#

Is there a more definitive way to see if someone is actively trying to exploit the issue?

---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
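A defender's follow-up to the question above, added here as an example and not part of the thread: a small Python script that groups maillog lines by sendmail queue ID and, for every message that tripped the patched "Dropped invalid comments from header address" check, reports the envelope sender, relay and message ID from the same queue ID's from= line, then totals hits per relay so a repeat source stands out from one-off badly formatted spam. The log lines are constructed to mirror the excerpt; hostnames, addresses and IPs are placeholders.

```python
import re
from collections import defaultdict
# Constructed maillog sample modelled on the excerpt above; hosts, addresses and IPs are placeholders.
SAMPLE_MAILLOG = """\
Mar  4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<bulk@example.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056@cgi10.example.net>, proto=ESMTP, daemon=MTA, relay=cgi10.example.net [192.0.2.15]
Mar  4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar  4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<user@example.com>, delay=00:00:10, mailer=esmtp, relay=spamscanner.example.com. [192.0.2.108], dsn=2.0.0, stat=Sent
Mar  4 12:11:03 smtp1 sendmail[19920]: h24HB3Ab019920: from=<news@example.org>, size=1200, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Mar  4 12:11:20 smtp1 sendmail[19930]: h24HBKxx019930: from=<x@example.net>, size=900, class=0, nrcpts=1, msgid=<q@example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Mar  4 12:11:21 smtp1 sendmail[19930]: h24HBKxx019930: Dropped invalid comments from header address
Mar  4 12:11:21 smtp1 sendmail[19930]: h24HBKxx019930: Dropped invalid comments from header address
"""

# One sendmail syslog line: timestamp, host, pid, queue ID, then the payload.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
DROPPED = "Dropped invalid comments from header address"

def parse_fields(rest):
    """'from=<a>, size=1, relay=h [ip]' -> dict; sendmail separates fields with ', '."""
    return dict(part.partition("=")[::2] for part in rest.split(", "))

def find_dropped_comment_events(log_text):
    """Correlate each 'Dropped invalid comments' line with the from= line sharing its queue ID."""
    envelope, hits, first_seen = {}, defaultdict(int), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("from="):
            envelope[qid] = parse_fields(rest)       # remember sender/relay/msgid per queue ID
        elif rest.startswith(DROPPED):
            hits[qid] += 1                           # a message may trip the check more than once
            first_seen.setdefault(qid, m.group("ts"))
    report = []
    for qid, n in hits.items():
        env = envelope.get(qid, {})                  # "?" if the from= line was rotated away
        report.append({"qid": qid, "time": first_seen[qid], "hits": n,
                       "from": env.get("from", "?"), "relay": env.get("relay", "?"),
                       "msgid": env.get("msgid", "?")})
    return report

def hits_per_relay(report):
    """Aggregate hits by relaying host so a repeat source stands out from one-off bad spam."""
    totals = defaultdict(int)
    for rec in report:
        totals[rec["relay"]] += rec["hits"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
```

Run it against a real maillog with `find_dropped_comment_events(open("/var/log/maillog").read())`; the per-relay totals are the figure worth watching over time, since one relay producing many hits in a short window looks quite different from scattered malformed spam.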