Cisco Support Community
sendmail overflow

I am receiving around 500-1500 events a day for “sendmail data overflow Subsig 0”. I checked the NSDB and it indicates SubSigs 0-2 may fire if international character sets are used in the names or email addresses contained in the email message header.

The destination is always the mail server, which is not directly vulnerable to this type of attack. I’d like to filter the event (SubSig 0) for this destination; however, I am concerned, as this attack description indicates it could be passed further into the network, and it is therefore IMHO a good idea to continue monitoring this event.

The content buffer shows what appears to be a spam message header; however, I don’t think the signature is aimed at/designed for capturing spam mail.

Attacker Context:

ar 2004 time -0600

Message-ID: <removed@comptroller>

Reply-To: "Removed" <removed@hotmail.com>

From: "Removed" <removed@hotmail.com>

To: <removed@somewhere.com>

Subject: Cc:No Doctors Appointments Needed - x

Victim Context:

220 mailserver ESMTP Server (Microsoft Exchange Internet Mail Service removed) ready

250 OK

250 OK - mail from <removed@hotmail.com>

250 OK - Recipient < removed@somewhere.com >

354 Send data. End with CRLF.CRLF

In the content buffer above, what and where is the vulnerability?

Should I be concerned with these events in this context, bearing in mind that this signature is designed to capture a specific problem in the sendmail daemon/application?

SIGID: 3115 <protected>

SubSig: 0 <protected>

RegexString: ([Ff][Rr][Oo][Mm]|[Tt][Oo]|[Cc][Cc])[:][\x00-\x09\x0B\x0C\x0E-\x7F]+[\x80-\xFF] <protected>

Any advice as to what “others” have done to reduce the amount of events received daily is welcome.
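As an added illustration (not part of the original thread), the SubSig 0 RegexString quoted above applied in Python to constructed header samples; the names and addresses are made up. It shows that the pattern only fires when a raw 8-bit byte follows From:, To: or Cc: on the same header line, which is why unencoded international character sets in header names trigger it, while RFC 2047 encoded names do not.

```python
import re

# Regex for signature 3115 SubSig 0 exactly as quoted in the post. The sensor
# matches on raw bytes, so this is a bytes pattern. The middle class
# [\x00-\x09\x0B\x0C\x0E-\x7F] is 7-bit ASCII minus CR and LF, so a match
# cannot span header lines; the final [\x80-\xFF] is any 8-bit byte.
SIG_3115_SUBSIG0 = re.compile(
    rb"([Ff][Rr][Oo][Mm]|[Tt][Oo]|[Cc][Cc])[:][\x00-\x09\x0B\x0C\x0E-\x7F]+[\x80-\xFF]"
)


def scan_headers(raw: bytes) -> list:
    """Apply the SubSig 0 regex to each header line of a raw message.

    Returns (1-based line number, matched keyword lowercased) for every
    header line that would fire the signature. Scanning stops at the blank
    line that ends the header block, so the body is never inspected.
    """
    hits = []
    for lineno, line in enumerate(raw.split(b"\r\n"), start=1):
        if line == b"":
            break  # end of headers
        m = SIG_3115_SUBSIG0.search(line)
        if m:
            hits.append((lineno, m.group(1).decode("ascii").lower()))
    return hits


# Constructed sample messages; none are taken from the post's content buffer.
ASCII_ONLY = (
    b"From: \"Removed\" <removed@example.test>\r\n"
    b"To: <removed@example.test>\r\n"
    b"Subject: plain ASCII\r\n\r\nbody\r\n"
)
# Raw 8-bit (Latin-1) display name: the case the NSDB text describes.
RAW_8BIT_NAME = (
    b"From: \"Jos\xe9 P\xe9rez\" <jose@example.test>\r\n"
    b"To: <removed@example.test>\r\n\r\nbody\r\n"
)
# Same name encoded per RFC 2047: every byte is 7-bit, so no match.
RFC2047_NAME = (
    b"From: =?UTF-8?B?Sm9zw6kgUMOpcmV6?= <jose@example.test>\r\n\r\nbody\r\n"
)
# The regex is not anchored: a literal "Cc:" inside a Subject line followed
# by an 8-bit byte on that same line also fires, with no Cc header present.
CC_IN_SUBJECT = (
    b"From: <a@example.test>\r\n"
    b"Subject: Cc:Special offer \xa9 2004\r\n\r\nbody\r\n"
)
```

Running scan_headers over a saved copy of the sensor's CapturePacket data would show which header line, and which keyword, each alarm is keying on.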

1 REPLY

Re: sendmail overflow

Unfortunately, I cannot make a determination of cause based on the context buffer you provided. An actual traffic sample would be very helpful in determining the cause of the alarms. Please send traffic samples to mcerha@cisco.com. Be sure to enable CapturePacket.
