On 02/12/2011 05:19 PM, Sahil Tandon wrote:
On Fri, 2011-02-11 at 12:08:35 -0800, Adam Katz wrote:
I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there
On Fri, 2011-02-11 at 12:08:35 -0800, Adam Katz wrote:
I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there (specifically amavis and
mailscanner) just can't do this
On 10/02/2011 19:21, David F. Skoll wrote:
On Thu, 10 Feb 2011 12:42:40 -0500
Michael Scheidellmichael.scheid...@secnap.com wrote:
heads up:
Aieee popen() in security-sensitive software!??!??
Also, why does the milter process run as root? That seems like a huge
hole all by itself.
like the last release was in 2006. It looks like that project
is abandoned.
Not quite abandoned:
*From*: Dan Nelson
*Subject*: Re: alert: New event: ET EXPLOIT Possible SpamAssassin
Milter Plugin Remote Arbitrary Command Injection Attempt
*Date*: Fri, 11 Feb 2011 00:08:26
Am 10.02.2011 22:26, schrieb Patrick Ben Koetter:
* Mark Martinec mark.martinec...@ijs.si:
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
Does this affect sendmail as well as postfix? I assume so,
but wanted an explicit confirmation.
Yes, the security hole is entirely within the
On 02/11/2011 03:39 AM, Giles Coochey wrote:
Under CentOS spamass-milter appears to run as sa-milt.
IIRC, Debian does this too. However, the -x flag may require running as
root, so it is possible (I have not verified) that it never downgrades
its privileges.
The Vulnerability is only active
Am 11.02.2011 20:11, schrieb Adam Katz:
On 02/11/2011 03:39 AM, Giles Coochey wrote:
Under CentOS spamass-milter appears to run as sa-milt.
IIRC, Debian does this too. However, the -x flag may require running as
root, so it is possible (I have not verified) that it never downgrades
its
On 02/10/2011 03:41 PM, Warren Togami Jr. wrote:
On 2/10/2011 1:29 PM, John Hardin wrote:
I suppose we ought to compose a boilerplate response for the
inevitable visitors who will show up asking about this exploit in
SpamAssassin...
Perhaps more than boilerplate, but rather an official
On Fri, 11 Feb 2011 12:08:35 -0800
Adam Katz antis...@khopis.com wrote:
I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there (specifically amavis and
mailscanner)
Am 11.02.2011 21:08, schrieb Adam Katz:
On 02/10/2011 03:41 PM, Warren Togami Jr. wrote:
On 2/10/2011 1:29 PM, John Hardin wrote:
I suppose we ought to compose a boilerplate response for the
inevitable visitors who will show up asking about this exploit in
SpamAssassin...
Perhaps more than
Adam Katz wrote:
I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there (specifically amavis and
mailscanner) just can't do this while spamass-milter does it with very
On Fri, Feb 11, 2011 at 09:30:15PM +0100, Mark Martinec wrote:
Adam Katz wrote:
I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message). The other systems out there (specifically amavis and
.
Original Message
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt
The rule is only looking for this:
content:to|3A|; depth:10; nocase; content:+|3A|\|7C|;
Personally, I
On Thu, 10 Feb 2011 12:42:40 -0500
Michael Scheidell michael.scheid...@secnap.com wrote:
heads up:
Aieee popen() in security-sensitive software!??!??
Also, why does the milter process run as root? That seems like a huge
hole all by itself.
Regards,
David.
10, 2011 12:25 PM
*To:* John Meyer
*Cc:* Jonathan Scheidell; Anthony Wetula
*Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection Attempt
is the snort rule specific enough that you can block the offending ip
for 5 mins?
(if its a real
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
Does this affect sendmail as well as postfix? I assume so,
but wanted an explicit confirmation.
Yes, the security hole is entirely within the milter,
independent of the MTA.
Mark
On 02/11/2011 09:37 AM, Mark Martinec wrote:
Yes, the security hole is entirely within the milter,
independent of the MTA.
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3
On Fri, 11 Feb 2011 09:50:05 +1300
Jason Haar jason.h...@trimble.co.nz wrote:
That exploit is dated Mar 2010? Has this really not been fixed in
about a year???
If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/,
it looks like the last release was in 2006. It looks
Sorry to follow up on myself...
If everyone is talking about
http://savannah.nongnu.org/projects/spamass-milt/, it looks like the
last release was in 2006. It looks like that project is abandoned.
I cannot edit the wiki, but I think spamass-milt should be removed from
* Mark Martinec mark.martinec...@ijs.si:
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
Does this affect sendmail as well as postfix? I assume so,
but wanted an explicit confirmation.
Yes, the security hole is entirely within the milter,
independent of the MTA.
I tried the
On Thu, 2011-02-10 at 16:04 -0500, David F. Skoll wrote:
I cannot edit the wiki,
I'd be happy to change that. :)
Please just drop me your wiki user name. Same goes for everyone else who
wants to edit the wiki. We've been forced to put ACLs in place as a
counter measure to vandalism and abuse
on bugtraq about a fix.
Original Message
Subject: RE: alert: New event: ET EXPLOIT Possible SpamAssassin
Milter Plugin Remote Arbitrary Command Injection Attempt
The rule is only looking for this:
content:to|3A|; depth:10; nocase
On Fri, 11 Feb 2011, Jason Haar wrote:
On 02/11/2011 09:37 AM, Mark Martinec wrote:
Yes, the security hole is entirely within the milter,
independent of the MTA.
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???
a year??, try half-a-decade. I've got a
On Thu, 10 Feb 2011, David B Funk wrote:
On Fri, 11 Feb 2011, Jason Haar wrote:
On 02/11/2011 09:37 AM, Mark Martinec wrote:
Yes, the security hole is entirely within the milter,
independent of the MTA.
That exploit is dated Mar 2010? Has this really not been fixed in about
a year???
a
On Thursday February 10 2011 22:26:37 Patrick Ben Koetter wrote:
I tried the exploit and it seems that Postfix' restrictions that check for
FQDN address and correct recipient syntax prevent the exploit from getting
through:
RCPT TO:root+:|touch /tmp/foo
501 5.1.3 Bad recipient address syntax
On 2/10/2011 1:29 PM, John Hardin wrote:
On Thu, 10 Feb 2011, David B Funk wrote:
On Fri, 11 Feb 2011, Jason Haar wrote:
On 02/11/2011 09:37 AM, Mark Martinec wrote:
Yes, the security hole is entirely within the milter,
independent of the MTA.
That exploit is dated Mar 2010? Has this
On Thu, 10 Feb 2011, Michael Scheidell wrote:
http://seclists.org/fulldisclosure/2010/Mar/140
http://www.securityfocus.com/bid/38578
Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
I don't see anything on bugtraq about a fix.
The securityfocus page lists some Debian
27 matches
Mail list logo