Thanks. I don't know for sure how many emails were resulting. It was characterized in the complaint as "dozens", but I don't know if that is per hour, day or what. We do frequent, ongoing scanning of the network. Most of the scans are limited to a select subset (that does not include this plugin), but initial scans are full (safe) and periodically full scans are re-issued.
There is still an ongoing discussion here as to what it really means (meaning, the concern that there are mail servers where there shouldn't be mail servers). I was just wanting to double check about the nasl as our postmaster was quick to say the nessus server should accept mail for any email address that it might generate mail for -- and I don't have time right now to look at the code to determine just what is going on.

Note, to my knowledge none of the systems have actually been tagged as positive by the nasl.

So thanks again for your reply and the amended nasl. I really appreciate everything Tenable does.

Tim Doty

-----Original Message-----
From: George A. Theall [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 05, 2008 8:44 PM
To: Doty, Timothy T.
Cc: [email protected]
Subject: Re: Nessus, sendmail/clamav and "mail bombing"

On Feb 5, 2008, at 6:21 PM, Doty, Timothy T. wrote:

> We are getting complaints about "mailbombing" of our postmaster
> address with what appears to be email caused by a nasl.

How many messages are you / they talking about?

> [EMAIL PROTECTED] on
> 2/5/2008
> 2:52 PM
> The message cannot be delivered due to a configuration
> error on the server. Please contact your Administrator.
> < system.being.scanned #5.3.0 SMTP; 553 5.3.0
> <[EMAIL PROTECTED]>...
> some.nessus.server is not a valid delivery host>

This is from a recent plugin, clamav_milter_blackhole_cmd_exec.nasl, which tries to send a message that will exploit a code execution flaw in clamav-milter. Apparently, the target mail system doesn't accept mail from some.nessus.server and is generating a bounce. Still, that should be just one message per scan. Isn't it?

I did just commit a change to use an empty from address. MTAs should accept that as it's used for bounces. Look for revision 1.5 to become available in a couple of hours and let me know if that fixes the problem please.

George
--
[EMAIL PROTECTED]
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
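To put a number on the "dozens" in the complaint, bounce notices of the shape quoted in this thread can be tallied per day, per reporting host and per hour. This is an added example, not part of the original emails or of Nessus: the regexes assume the NDR layout quoted above, and the sample addresses, the example.edu/example.org hosts and all timestamps after the first are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the NDR excerpt quoted in the thread; the stamp may wrap across lines.
HEADER = re.compile(r"(?P<rcpt>\S+) on\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
                    r"(?P<clock>\d{1,2}:\d{2})\s+(?P<ampm>[AP]M)")
DIAG = re.compile(r"<\s*(?P<host>\S+) #(?P<status>\d\.\d+\.\d+) SMTP; "
                  r"(?P<code>\d{3}) (?P<text>.*?)>\s*$", re.S)

def parse_ndr(raw):
    """Return timestamp, reporting host and SMTP reply of one NDR, or None."""
    head, diag = HEADER.search(raw), DIAG.search(raw)
    if not (head and diag):
        return None
    stamp = f"{head['date']} {head['clock']} {head['ampm']}"
    return {"when": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            "reporter": diag["host"], "status": diag["status"],
            "code": int(diag["code"]), "text": " ".join(diag["text"].split())}

def summarize(ndrs, scanner_host):
    """Count NDRs naming scanner_host per (day, reporting host) and per hour."""
    per_day, per_hour = Counter(), Counter()
    for raw in ndrs:
        rec = parse_ndr(raw)
        if rec is None or scanner_host not in rec["text"]:
            continue  # unparseable, or a bounce unrelated to the scanner
        per_day[(rec["when"].date().isoformat(), rec["reporter"])] += 1
        per_hour[rec["when"].strftime("%Y-%m-%d %H:00")] += 1
    return per_day, per_hour

def _ndr(rcpt, stamp, reporter, status, reply):
    # Builds constructed sample text; addresses and hosts are invented.
    return (f"{rcpt} on\n{stamp}\n"
            "The message cannot be delivered due to a configuration\n"
            "error on the server. Please contact your Administrator.\n"
            f"< {reporter} #{status} SMTP; {reply}>\n")

SCAN = "nessus@some.nessus.server"  # constructed sender address
REJECT = f"553 5.3.0 <{SCAN}>...\nsome.nessus.server is not a valid delivery host"
SAMPLE_NDRS = [
    _ndr(SCAN, "2/5/2008\n2:52 PM", "mx1.example.edu", "5.3.0", REJECT),
    _ndr(SCAN, "2/5/2008\n2:58 PM", "mx1.example.edu", "5.3.0", REJECT),
    _ndr(SCAN, "2/6/2008\n9:05 AM", "mx2.example.edu", "5.3.0", REJECT),
    _ndr("user@example.org", "2/5/2008\n3:10 PM", "mx1.example.edu", "5.1.1",
         "550 5.1.1 <user@example.org>... User unknown"),
]
```

Comparing the per-day counts per reporting host against the scan schedule shows whether the volume matches one message per scan of each mail server.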
