
sendmail invalid sender signature

josephium
Level 1

Hi, for the last week I have been seeing tons of this signature alert firing. Now the explanation of this signature in NSDB is: "Triggers on any mail message with a pipe (|) symbol in the From: field".

I don't have sendmail; all these signatures are firing when trying to go through my mail filters. I have tuned it from before to drop the packet and produce an alert, but why tons of signatures this week and from different source addresses? Is this legitimate traffic I'm blocking?

thank you

3 Replies

attmidsteam
Level 1

It is very possible you are blocking legit traffic. As you've noted, the signature is only looking for a pipe character which was a vulnerability in sendmail 8 years ago! We've disabled it a LONG time ago due to the noise and the fact that sendmail was patched eons ago (if you are even using it).

But why would someone send the pipe character in the email address?

They could very well be trying to exploit this extremely old vulnerability. Look at a packet capture. Do the mail transactions triggering these alarms look legitimate? Research the sources of these alarms. Is there a single source or multiple? Are the sources trusted or well known entities? If not, do they show up in any black lists? Answering these questions might help you decide what to do from a response/tuning perspective.

Unless you don't have something better to do (i.e. more important alarms to investigate) I don't know that I'd spend a whole lot of time on these. Follow attmidsteam's advice and disable the sig and move on.
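An added example, not written by anyone in this thread: a small Python triage helper for the questions raised in the replies (single source or multiple, and does the mail look legitimate). It assumes you have already pulled `(source IP, From: header)` pairs out of a packet capture; the sample data, the function names, and the choice to review a pipe inside the address itself before a pipe in the display name are all assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample data: (source IP, From: header value) pairs as they might
# be extracted from a capture of the alerting sessions. Not real traffic.
SAMPLE_ALERTS = [
    ("192.0.2.10", '"Acme News | Deals" <news@example.com>'),
    ("192.0.2.10", '"Acme News | Weekly" <news@example.com>'),
    ("198.51.100.7", "<|placeholder@example.net>"),
    ("203.0.113.5", "Support | Example Org <support@example.org>"),
    ("203.0.113.5", "|placeholder"),
]

def split_from(header):
    """Split a From: value into (display_name, address); not a full RFC 5322 parse."""
    header = header.strip()
    start, end = header.rfind("<"), header.rfind(">")
    if 0 <= start < end:
        return header[:start].strip().strip('"'), header[start + 1:end].strip()
    return "", header  # bare address with no angle brackets

def classify_from(header):
    """Report where the pipe sits: 'address', 'display-name', or 'none'."""
    display, address = split_from(header)
    if "|" in address:
        return "address"
    if "|" in display:
        return "display-name"
    return "none"

def triage(alerts):
    """Count pipe locations per source IP so noisy but benign senders stand out."""
    per_source = defaultdict(Counter)
    for src, header in alerts:
        per_source[src][classify_from(header)] += 1
    return {src: dict(counts) for src, counts in per_source.items()}

def sources_to_review(alerts):
    """Sources with at least one pipe inside the address itself (assumed priority)."""
    return sorted(src for src, c in triage(alerts).items() if c.get("address"))

if __name__ == "__main__":
    for src, counts in triage(SAMPLE_ALERTS).items():
        print(src, counts)
    print("review first:", sources_to_review(SAMPLE_ALERTS))
```

Sources whose alerts all fall under `display-name` are candidates for the "legitimate traffic being blocked" case; the remaining sources are the ones to check against blacklists.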
