01-29-2008 11:21 PM - edited 03-10-2019 03:57 AM
Hi, for the last week I have been seeing tons of this signature alert firing. Now, the explanation of this signature in NSDB is: "Triggers on any mail message with a pipe (|) symbol in the From: field".
I don't have sendmail; all these signatures are firing when trying to go through my mail filters. I have tuned it before to drop the packet and produce an alert, but why tons of signatures this week, and from different source addresses? Is this legitimate traffic I'm blocking?
Thank you.
01-30-2008 06:52 AM
It is very possible you are blocking legit traffic. As you've noted, the signature is only looking for a pipe character which was a vulnerability in sendmail 8 years ago! We've disabled it a LONG time ago due to the noise and the fact that sendmail was patched eons ago (if you are even using it).
01-30-2008 10:59 PM
But why would someone send the pipe character in the email address?
01-31-2008 06:04 AM
They could very well be trying to exploit this extremely old vulnerability. Look at a packet capture. Do the mail transactions triggering these alarms look legitimate? Research the sources of these alarms. Is there a single source or multiple? Are the sources trusted or well known entities? If not, do they show up in any black lists? Answering these questions might help you decide what to do from a response/tuning perspective.
Unless you have nothing better to do (i.e. more important alarms to investigate), I don't know that I'd spend a whole lot of time on these. Follow attmidsteam's advice and disable the sig and move on.
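The triage steps in the reply above (look at the From: values that tripped the signature, group them by source, check whether a source is on a blocklist) can be scripted over exported alert lines. The following is an added example for this thread, not Cisco or IPS code; the one-alert-per-line `src=<ip> from=<address>` log format, the sample addresses and IPs, and the tiny blocklist are all constructed assumptions, so adapt the regex to whatever your sensor actually exports.

```python
"""Triage helper for IPS alerts on a '|' in the SMTP From: field.

Added example for the thread, not Cisco/IPS code. The log format, sample
alerts, addresses, IPs and blocklist below are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample alert export (assumed format: one alert per line).
SAMPLE_ALERTS = """\
src=203.0.113.10 from=<"ops|oncall"@example.org>
src=203.0.113.10 from=<alerts|pager@example.org>
src=198.51.100.7 from=<|/usr/bin/sh@example.net>
src=198.51.100.7 from=<|sh@example.net>
src=192.0.2.55 from=<newsletter@example.com>
"""

# Constructed blocklist for the example; feed in your own list in practice.
BLOCKLIST = {"198.51.100.7"}

LINE_RE = re.compile(r"src=(?P<src>[0-9.]+)\s+from=<(?P<addr>[^>]*)>")


def classify(addr):
    """Describe how (if at all) a '|' appears in the address local part."""
    local, _, _domain = addr.rpartition("@")
    if "|" not in local:
        return "no_pipe"
    if local.startswith('"') and local.endswith('"'):
        # RFC 5321 permits a quoted-string local part, so this is syntactically fine.
        return "quoted_pipe"
    if local.startswith("|"):
        # The "|program" shape is the classic sendmail pipe-to-command form.
        return "leading_pipe"
    # '|' is in RFC 5322 atext, so a bare a|b local part is legal dot-atom syntax,
    # even though it is unusual to see in real mail.
    return "unquoted_pipe"


def triage(log_text, blocklist=BLOCKLIST):
    """Group pipe-bearing From: values by source IP and suggest a next step.

    Returns {src_ip: {"hits", "shapes", "blocklisted", "verdict"}} for every
    source that produced at least one pipe-bearing From: value.
    """
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed export format
        per_source[m["src"]][classify(m["addr"])] += 1

    report = {}
    for src, counts in per_source.items():
        pipe_hits = sum(n for shape, n in counts.items() if shape != "no_pipe")
        if pipe_hits == 0:
            continue
        suspicious = counts["leading_pipe"] > 0 or src in blocklist
        report[src] = {
            "hits": pipe_hits,
            "shapes": dict(counts),
            "blocklisted": src in blocklist,
            "verdict": "investigate" if suspicious else "likely_noise",
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{src}: {info['hits']} hit(s), shapes={info['shapes']}, "
              f"blocklisted={info['blocklisted']} -> {info['verdict']}")
```

The verdict rule is deliberately simple: a local part that starts with `|` (the pipe-to-program shape the old signature was written for) or a source already on your blocklist gets flagged for a look at the packet capture; a pipe inside an otherwise ordinary, syntactically valid address from an unlisted source is treated as the kind of noise the reply describes.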