Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

sendmail invalid sender signature

Hi, for the last week i have been seing tons of this signature alert firing, now the explanation of this signature in NSDB is :"Triggers on any mail message with a pipe (|) symbol in the From: field".

i don't have sendmail , all these signatures are firing when trying to go through my mail filters. i have tuned it from before to drop the packet and produce an alert , but why tons of signatures this week and from different source addresses ? is this legitimate traffic i'm blocking ?

thank you


Re: sendmail invalid sender signature

It is very possible you are blocking legit traffic. As you've noted, the signature is only looking for a pipe character which was a vulnerability in sendmail 8 years ago! We've disabled it a LONG time ago due to the noise and the fact that sendmail was patched eons ago (if you are even using it).

Community Member

Re: sendmail invalid sender signature

but why would someone send the pipe character in the email address ?


Re: sendmail invalid sender signature

They could very well be trying to exploit this extremely old vulnerability. Look at a packet capture. Do the mail transactions triggering these alarms look legitimate? Research the sources of these alarms. Is there a single source or multiple? Are the sources trusted or well known entities? If not, do they show up in any black lists? Answering these questions might help you decide what to do from a response/tuning perspective.

Unless you don't have something better to do (i.e. more important alarms to investigate) I don't know that I'd spend a whole lot of time on these. Follow attmidsteam's advice and disable the sig and move on.

CreatePlease to create content