Massively broken ratware,

safely rejectable with an MTA header rule detecting
/^Message-ID: \<\d\[\d/



On 08.05.2015 17:46, Dianne Skoll wrote:
Hi,

We are seeing a trickle of weird empty messages.  Here's a sample
Sendmail log:

May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100: from=<ragland_rosell...@cttstone.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may be forged)

Note the size of 18 bytes.  The entire message content consists of
the single header:

      Message-ID: <8[10

and that's it!

So, buggy ratware?  Someone trying to exploit a vulnerable SMTP server?
Bizarre...

On one of our scanners:

$ fgrep -c 'size=18,' /var/log/mail-daily/current.log
1993

(out of 459997 messages, so 0.4%)

and:

$ fgrep 'size=18,' /var/log/mail-daily/current.log | sed -e 's/.*msgid=//' -e 's/, .*//' | sort | uniq -c

     199 <0[10
     202 <1[10
     182 <2[10
     209 <3[10
     188 <4[10
     196 <5[10
     212 <6[10
     226 <7[10
     193 <8[10
     191 <9[10

Regards,

Dianne.
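As an added example that is not part of this thread: the Python below does two things the messages above describe, reproducing Dianne's fgrep/sed/sort/uniq pipeline over sendmail "from=" log lines and applying the Message-ID header rule proposed in the reply to raw messages. The log lines and messages it runs on are constructed for the example, modelled on the quoted sample (the addresses, queue IDs and relays are made up and use example/RFC 5737 values), and the check deliberately looks only at the header block so the same text in a message body does not trigger it.

```python
import re
from collections import Counter

# The header rule from the reply, as a Python regex over the raw header
# block: a Message-ID whose value starts "<", a digit, "[", a digit, which
# is what every one of the 18-byte messages in the thread carried.
RATWARE_MSGID = re.compile(rb"^Message-ID: <\d\[\d", re.MULTILINE)

# Sendmail "from=" log fields, as laid out in the quoted log sample.
SIZE_RE = re.compile(r"\bsize=(\d+),")
MSGID_RE = re.compile(r"\bmsgid=(.*?), ")   # same cut as sed 's/, .*//'


def header_block(raw_message: bytes) -> bytes:
    """Return the header section of an RFC 5322 message (everything before
    the first empty line), accepting CRLF or bare LF line endings."""
    return re.split(rb"\r?\n\r?\n", raw_message, maxsplit=1)[0]


def is_ratware(raw_message: bytes) -> bool:
    """True when the message would be rejected by the Message-ID rule.
    Only the header block is examined, so the pattern appearing in a body
    (e.g. someone quoting this thread) is not a false positive."""
    return RATWARE_MSGID.search(header_block(raw_message)) is not None


def summarize_tiny_messages(log_lines, size=18):
    """Reproduce the pipeline from the thread: count the envelope 'from='
    lines (those carrying size=), and group the ones whose size equals
    `size` by msgid. Returns (total_from_lines, Counter of msgid)."""
    total = 0
    by_msgid = Counter()
    for line in log_lines:
        m_size = SIZE_RE.search(line)
        if not m_size:
            continue            # a 'to=' delivery line or other noise, not a message
        total += 1
        if int(m_size.group(1)) != size:
            continue
        m_id = MSGID_RE.search(line)
        by_msgid[m_id.group(1) if m_id else "<missing>"] += 1
    return total, by_msgid


# Constructed sendmail log lines (not from the thread), in the format of the
# quoted sample. Three carry the 18-byte probe, one is an ordinary message,
# and one is a delivery ('to=') line that must not be counted as a message.
SAMPLE_LOG = [
    "May  8 11:33:31 colo3 sm-mta[1100]: t48FXVAA001101: from=<a@example.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=host1.example.net [192.0.2.10] (may be forged)",
    "May  8 11:33:31 colo3 sm-mta[1100]: t48FXVAA001101: to=<user@example.org>, delay=00:00:00, mailer=local, pri=30018, dsn=2.0.0, stat=Sent",
    "May  8 11:34:02 colo3 sm-mta[1107]: t48FY2AB001107: from=<b@example.com>, size=18, class=0, nrcpts=1, msgid=<3[10, proto=SMTP, daemon=MTA, relay=[192.0.2.11]",
    "May  8 11:35:10 colo3 sm-mta[1112]: t48FZAAC001112: from=<c@example.com>, size=2456, class=0, nrcpts=1, msgid=<20150508113509.GA4321@mail.example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.5]",
    "May  8 11:36:44 colo3 sm-mta[1120]: t48FakAD001120: from=<d@example.com>, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=[192.0.2.12]",
]

# Constructed messages: the probe exactly as Dianne quoted it (the single
# header line and nothing else), and an ordinary message whose body happens
# to contain the same text.
PROBE = b"Message-ID: <8[10\r\n"
NORMAL = (b"From: alice@example.com\r\n"
          b"Message-ID: <20150508113509.GA4321@mail.example.com>\r\n"
          b"Subject: test\r\n"
          b"\r\n"
          b"Message-ID: <8[10\r\n")

if __name__ == "__main__":
    total, by_msgid = summarize_tiny_messages(SAMPLE_LOG)
    tiny = sum(by_msgid.values())
    print(f"{tiny} of {total} messages are {18}-byte probes ({100.0 * tiny / total:.1f}%)")
    for msgid, n in sorted(by_msgid.items()):
        print(f"{n:7d} {msgid}")
    print("probe rejected:", is_ratware(PROBE))
    print("normal rejected:", is_ratware(NORMAL))
```

The false-positive risk of the header rule is low: RFC 5322 builds id-left from dot-atom-text, whose atext set does not include "[", so no syntactically valid Message-ID can begin with a digit followed by "[". The example checks bytes rather than decoded text so a malformed header cannot make the check itself fail before it gets to the regex.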

