Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Karsten Bräckelmann
On Thu, 2011-02-10 at 19:30 -0500, Michael Scheidell wrote:
> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
>
> looks fine to me, why does this look to SA like a dynamic ip?

Kind of... i

Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Sahil Tandon
On Thu, 2011-02-10 at 19:30:15 -0500, Michael Scheidell wrote:
> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
>
> looks fine to me, why does this look to SA like a dynamic ip?
>
> (TRI

Re: mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Warren Togami Jr.
On 2/10/2011 2:30 PM, Michael Scheidell wrote:
> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
>
> looks fine to me, why does this look to SA like a dynamic ip?
>
> (TRIGGERED RDNS_DYNAMIC.) what, b

Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt (fwd)

2011-02-10 Thread Andrew Daviel
On Thu, 10 Feb 2011, Michael Scheidell wrote:
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.

The securityfocus page lists some Deb

Re: FIX for ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
Adam Katz wrote:
> ... Why is Amavis here for the ride? They don't use spamass-milter!

Unrelated. Just Michael being "at home" on both mailing lists.

Mark

mx1.res.cisco.com a dynamic ip?

2011-02-10 Thread Michael Scheidell
host mx1.res.cisco.com
mx1.res.cisco.com has address 208.90.57.13
$ host 208.90.57.13
13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.

looks fine to me, why does this look to SA like a dynamic ip?

(TRIGGERED RDNS_DYNAMIC.) what, because of 'res' in it? yes, they SHOUTED AT THE

FIX for ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
On 02/10/2011 09:42 AM, Michael Scheidell wrote:
> active exploits going on.
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fi

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Warren Togami Jr.
On 2/10/2011 1:29 PM, John Hardin wrote:
> On Thu, 10 Feb 2011, David B Funk wrote:
> > On Fri, 11 Feb 2011, Jason Haar wrote:
> > > On 02/11/2011 09:37 AM, Mark Martinec wrote:
> > > > Yes, the security hole is entirely within the milter,
> > > > independent of the MTA.
> > >
> > > That exploit is dated Mar 2010? Has this reall

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
On Thursday February 10 2011 22:26:37 Patrick Ben Koetter wrote:
> I tried the exploit and it seems that Postfix' restrictions that check for
> FQDN address and correct recipient syntax prevent the exploit from getting
> through:
> RCPT TO:root+:"|touch /tmp/foo"
> 501 5.1.3 Bad recipient address

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread John Hardin
On Thu, 10 Feb 2011, David B Funk wrote:
> On Fri, 11 Feb 2011, Jason Haar wrote:
> > On 02/11/2011 09:37 AM, Mark Martinec wrote:
> > > Yes, the security hole is entirely within the milter,
> > > independent of the MTA.
> >
> > That exploit is dated Mar 2010? Has this really not been fixed in about a year???
>
> "a

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David B Funk
On Fri, 11 Feb 2011, Jason Haar wrote:
> On 02/11/2011 09:37 AM, Mark Martinec wrote:
> > Yes, the security hole is entirely within the milter,
> > independent of the MTA.
>
> That exploit is dated Mar 2010? Has this really not been fixed in about
> a year???

"a year"??, try half-a-decade.

Re: Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread JKL
Hi,

Seems ok with postfix unless I missed something, which is possible.

$ telnet klunky.co.uk 25
Trying 62.58.61.184...
Connected to logout.klunky.co.uk.
Escape character is '^]'.
220 klunky.co.uk ESMTP Postfix
ehlo klunky.co.uk
250-klunky.co.uk
250-PIPELINING
250-SIZE 2048
250-ETRN
250-START

Re: new gappy domain campaign (w/sample)

2011-02-10 Thread mouss
On 10/02/2011 10:09, Chip M. wrote:
> mouss wrote:
> > with a stock config, and without Bayes, it now yields:
>
> Hmmm, interesting!
>
> Yes, all the "caught" spam here were due to RBL hits.
>
> Which begs the question, what SpamAssassin tests are hitting for
> the misses vs the kills?
>

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Karsten Bräckelmann
On Thu, 2011-02-10 at 16:04 -0500, David F. Skoll wrote:
> I cannot edit the wiki,

I'd be happy to change that. :)  Please just drop me your wiki user name.

Same goes for everyone else who wants to edit the wiki. We've been forced to put ACLs in place as a counter measure to vandalism and abuse fo

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Patrick Ben Koetter
* Mark Martinec :
> On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> > Does this affect sendmail as well as postfix? I assume so,
> > but wanted an explicit confirmation.
>
> Yes, the security hole is entirely within the milter,
> independent of the MTA.

I tried the exploit and it seems

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
Sorry to follow up on myself...

> If everyone is talking about
> http://savannah.nongnu.org/projects/spamass-milt/, it looks like the
> last release was in 2006. It looks like that project is abandoned.

I cannot edit the wiki, but I think spamass-milt should be removed from http://wiki.apache.or

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Fri, 11 Feb 2011 09:50:05 +1300 Jason Haar wrote:
> That exploit is dated Mar 2010? Has this really not been fixed in
> about a year???

If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/, it looks like the last release was in 2006. It looks like that project is ab

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Jason Haar
On 02/11/2011 09:37 AM, Mark Martinec wrote:
> Yes, the security hole is entirely within the milter,
> independent of the MTA.
>
That exploit is dated Mar 2010? Has this really not been fixed in about a year???

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Mark Martinec
On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> Does this affect sendmail as well as postfix? I assume so,
> but wanted an explicit confirmation.

Yes, the security hole is entirely within the milter, independent of the MTA.

Mark

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Adam Katz
Copying the spamass-milter mailing list.

On 02/10/2011 09:42 AM, Michael Scheidell wrote:
>> in case you are using spamassassin milter:
>>
>> active exploits going on.
>>
>> Vulnerable: SpamAssas

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Thu, 10 Feb 2011 12:42:40 -0500 Michael Scheidell wrote:
> heads up:

Aieee popen() in security-sensitive software!??!??

Also, why does the milter process run as root? That seems like a huge hole all by itself.

Regards,

David.

Fwd: RE: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread Michael Scheidell
heads up:

in case you are using spamassassin milter:

active exploits going on.

Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1

I don't see anything on bugtraq about a fix.

Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Benny Pedersen
On Wed, 9 Feb 2011 22:09:08 + (UTC), "Chip M." wrote:
> There's an interesting new insecure-boy-drugs campaign that's
> about 8% of our post-gateway traffic. It started early today.

if you are a user on linkedin then report it to ab...@linkedin.com, just funny to see it's sent from a linkedin

Re: new gappy domain campaign (w/sample)

2011-02-10 Thread Chip M.
mouss wrote:
> with a stock config, and without Bayes, it now yields:

Hmmm, interesting!

Yes, all the "caught" spam here were due to RBL hits.

Which begs the question, what SpamAssassin tests are hitting for the misses vs the kills?

Here's what hit (here), for the first 38 missed spams:

Test