From owner-freebsd-security  Mon Jun 14 17:24:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trixie.teamspirit.com (trixie.teamspirit.com [204.94.66.2])
	by hub.freebsd.org (Postfix) with ESMTP id 7C70214CF9
	for <security@FreeBSD.ORG>; Mon, 14 Jun 1999 17:24:09 -0700 (PDT)
	(envelope-from preeper@cts.com)
Received: from sgt361.teamspirit.com (dt2-blk1-hfc-0251-d1db0ca7.rdc1.sdca.coxatwork.com [209.219.12.167])
	by trixie.teamspirit.com (8.9.2/8.9.1) with SMTP id RAA20712;
	Mon, 14 Jun 1999 17:49:18 -0700 (PDT)
Message-Id: <3.0.5.32.19990614172328.041c7970@crash.cts.com>
X-Sender: preeper@crash.cts.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 14 Jun 1999 17:23:28 -0700
To: Kenneth Ingham <ingham@i-pi.com>, LutzRab@omc.net
From: Jerry Preeper <preeper@cts.com>
Subject: Re: New Attack via sendmail?
Cc: security@FreeBSD.ORG
In-Reply-To: <19990614173259.33286@i-pi.com>
References: <199906141930.VAA14403@office.omc.net>
 <199906141930.VAA14403@office.omc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've had this similar thing hit me with 2.2.8-Stable and procmail 3.11.pre7
I think.  It has a problem that apparently has been fixed in 3.13 so if
your'e using procmail, time to upgrade.  Someone sent us a 30MB email
(40+MB after encoding) that just couldn't get through my procmail recipes
without killing the machine.  I have since upgraded procmail, although I
haven't yet tested it with this large of an email yet.  First it eats up
all the swap space trying to match all the conditions, then all sorts of
services just start dying until the whole machine is pretty much dead. 

Jerry


>> 
>> I've seen some pretty strange lines in syslog of one of our webservers.
>> 
>> The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
>> swap space before, in fact it's not using swap space at all under normal
>> conditions.
>[log deleted]
>
>I've seen the exact same thing on a 2.2.6 system running sendmail
>8.9.1 with procmail as a local delivery agent when a really large
>email message (one which was around 1/3 - 1/2 of total swap space)
>was moving through.
>
>Kenneth
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message