sendmail invalid sender signature

Unanswered Question
Jan 29th, 2008

Hi, for the last week I have been seeing tons of this signature alert firing. The explanation of this signature in the NSDB is: "Triggers on any mail message with a pipe (|) symbol in the From: field".

I don't have sendmail; all these signatures are firing when trying to go through my mail filters. I have tuned it before to drop the packet and produce an alert, but why tons of signatures this week and from different source addresses? Is this legitimate traffic I'm blocking?


Thank you.

attmidsteam Wed, 01/30/2008 - 06:52

It is very possible you are blocking legit traffic. As you've noted, the signature is only looking for a pipe character, which was a vulnerability in sendmail 8 years ago! We disabled it a LONG time ago due to the noise and the fact that sendmail was patched eons ago (if you are even using it).

josephium Wed, 01/30/2008 - 22:59

But why would someone send the pipe character in the email address?

mhellman Thu, 01/31/2008 - 06:04

They could very well be trying to exploit this extremely old vulnerability. Look at a packet capture. Do the mail transactions triggering these alarms look legitimate? Research the sources of these alarms. Is there a single source or multiple? Are the sources trusted or well-known entities? If not, do they show up in any blacklists? Answering these questions might help you decide what to do from a response/tuning perspective.

Unless you don't have something better to do (i.e. more important alarms to investigate), I don't know that I'd spend a whole lot of time on these. Follow attmidsteam's advice and disable the sig and move on.
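The triage mhellman describes (re-check the signature's condition, then ask whether the hits come from one source or many and whether the senders look plausible) is easy to script against mail-filter logs. The script below is an added example, not code from this thread or from Cisco; the log line format, the sample records, and the IP addresses are all constructed for illustration. It applies the NSDB condition (any "|" in the sender) to each record, counts hits per source host, and separately flags senders where the pipe sits outside an RFC-quoted local part, since a quoted local part like "a|b"@host is legal address syntax and a common reason this rule is noisy.

```python
"""Triage helper for an IPS rule that fires on a '|' in the mail sender.

Added example (not from the forum thread). It re-applies the signature's
condition to constructed mail-filter records and summarises the hits by
source host so an analyst can decide whether to tune or disable the rule.
"""
import re
from collections import Counter

# Constructed sample records in a hypothetical log format:
# <ISO timestamp> src=<client IP> from=<sender address>
SAMPLE_RECORDS = """\
2008-01-29T08:12:03 src=198.51.100.7 from=<"ops|night"@example.net>
2008-01-29T08:12:41 src=198.51.100.7 from=<alice@example.org>
2008-01-29T09:03:15 src=203.0.113.42 from=<"billing|eu"@example.com>
2008-01-29T09:40:58 src=203.0.113.42 from=<"billing|eu"@example.com>
2008-01-29T10:01:30 src=203.0.113.42 from=<mark|ops@example.net>
2008-01-29T11:22:07 src=192.0.2.19 from=<bob@example.org>
"""

RECORD_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) from=<(?P<sender>[^>]*)>$')


def parse_record(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    match = RECORD_RE.match(line.strip())
    return match.groupdict() if match else None


def signature_fires(sender):
    """The NSDB condition quoted in the thread: any '|' in the From value."""
    return '|' in sender


def quoted_local_part(sender):
    """True if the local part is RFC-quoted, e.g. "a|b"@host.

    A pipe inside a quoted local part is syntactically legal mail, which is
    why a bare pipe check produces noise. An unquoted pipe is not valid
    address syntax and is the more interesting case to look at in a capture.
    """
    local, sep, _domain = sender.rpartition('@')
    return sep == '@' and len(local) >= 2 and local[0] == '"' and local[-1] == '"'


def triage(text):
    """Summarise which records would trigger the rule and where they come from."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    hits = [r for r in records if signature_fires(r['sender'])]
    per_source = Counter(r['src'] for r in hits)
    unquoted = [r['sender'] for r in hits if not quoted_local_part(r['sender'])]
    return {
        'total_records': len(records),
        'hits': len(hits),
        'distinct_sources': len(per_source),
        'per_source': dict(per_source),
        'unquoted_pipe': unquoted,
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_RECORDS)
    print(f"{summary['hits']} of {summary['total_records']} records would fire the rule")
    for src, count in sorted(summary['per_source'].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {count} hit(s)")
    if summary['unquoted_pipe']:
        print("senders with an unquoted pipe (invalid syntax, worth a capture):")
        for sender in summary['unquoted_pipe']:
            print(f"  {sender}")
```

On the sample data this reports four hits from two sources, with only one sender carrying a pipe outside quotes. Many hits spread across many sources with quoted local parts points toward the "old, noisy signature" reading in the replies above; a handful of sources sending syntactically invalid senders is the case where pulling the packet capture is worth the time.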
