SUMMARY: Security threat from sendmail???

From: Dan Penrod (penrod@whiplash.er.usgs.gov)
Date: Thu Dec 02 1993 - 22:55:58 CST


Sun Managers:

Once again many thanks to the sun manager group for speedy, accurate and
detailed replies.

There were many requests for a summary. I'm always glad to hear I'm not
the only one scratching my head! :-) I won't bother including the replies
after the signature simply because there were so many and they were so
verbose. My original note is included below the signature.

The consensus is that this probably is not a security violation although
many people followed up by saying it could be and to read the CERT Advisory
cert.org:/pub/cert_advisories/CA-93:16.sendmail.vulnerability. If anyone
wants it I'd be glad to send it. I received several copies. Also, there
are apparently patches that can be applied to sendmail to plug some of the
numerous esoteric holes.

The large majority of replies said things like, "I get that too, I just
ignore it". The responsible party is the sender so if you get the message
it's not your fault (unless it was sent locally). There are several
scenarios that can cause it. The sendmail can time out if the mail message
is not properly terminated with the expected ".\n" string.
Other possibilities include loss of connection due to heavy network traffic
or system halts/reboots.

I'm told it depends on the flavor of sendmail and that Sun's sendmail is
smart enough not to send this error although some other flavors
including Vax's VMS sendmail and (in this case) IBM's VM sendmail panic,
causing the receiving host's console to get this puzzling message.

Bottom line - If you get this message regularly, it is the responsibility
of the sending host's administrator to fix it. This may mean replacing
the default OS's sendmail or improving the reliability of the hardware.

Thanks go to (in order of response):
adam@bwh.harvard.edu
rickert@cs.niu.edu
marc.rinfret@eng.canadair.ca
fetrow@biostat.washingtion.edu
pallas@oclc.org
jram@morgan.com
ricky@fibronics.co.il
peter@jrc.nl
schulze@sc.ZIB-Berlin.DE
john@mlb.semi.harris.com
appleton@emh-1.submepp.navy.mil
doug@seas.marine.usf.edu

-drp

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| _/ _/ _/_/_/_/ _/_/_/ _/_/_/_/ | Dan Penrod - Unix Administrator |
| _/ _/ _/ _/ _/ | USGS Center for Coastal Geology |
| _/ _/ _/_/_/_/ _/ _/_/ _/_/_/_/ | St. Petersburg, FL 33701 |
| _/ _/ _/ _/ _/ _/ | (813)893-3100 ext.3043 |
|_/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ | penrod@whiplash.er.usgs.gov |
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| Dear Sun Managers:
| I got the following unusual message in my console window today:
|
| >Dec 1 10:53:23 whiplash sendmail[2894]: AA02894:
| >SYSERR: unexpected close, from=<@UACSC2.ALBANY.EDU:
| >owner-disarm-d@UACSC2.ALBANY.EDU>: Connection reset by peer during
| >collect with uacsc2.albany.edu
|
| I'm sure it's probably an innocuous sendmail message, saying, for some
| reason or another, that it could not deliver a piece of mail... but
| on the other hand, in my imagination, it could be some evil/university/
| internet/hacker/leftwing/rightwing/worm/virus/thing. Please set my
| paranoias to rest. Anyone know what it means?
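
Added example, not part of the original post: a small triage script that groups "unexpected close ... during collect" messages by sending host, so a peer that produces them regularly stands out from one-off network drops. The function names, the threshold of 3 and every sample line except the first (the message quoted above, unwrapped onto one line) are assumptions made for illustration.

```python
import re
from collections import Counter

# Shape of the console message quoted in the post, with the e-mail wrapping removed.
SYSERR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+sendmail\[\d+\]:\s+"
    r"(?P<qid>\w+):\s+SYSERR: unexpected close, from=<(?P<sender>[^>]*)>:\s+"
    r"(?P<reason>.+?) during collect with (?P<peer>\S+)\s*$"
)

def parse_line(line):
    """Return the fields of one 'unexpected close ... during collect' line, or None."""
    m = SYSERR_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["peer"] = rec["peer"].lower().rstrip(".")  # hostnames are case-insensitive
    return rec

def triage(lines, threshold=3):
    """Group aborted transfers by sending host; 'recurring' marks peers seen
    at least `threshold` times (threshold is an assumed value, tune locally)."""
    counts, reasons = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # other sendmail traffic is not part of this report
        counts[rec["peer"]] += 1
        reasons.setdefault(rec["peer"], set()).add(rec["reason"])
    return {p: {"count": n, "reasons": sorted(reasons[p]), "recurring": n >= threshold}
            for p, n in counts.items()}

# First entry is the message from the post; the others are constructed samples.
SAMPLE_LOG = [
    "Dec  1 10:53:23 whiplash sendmail[2894]: AA02894: SYSERR: unexpected close, "
    "from=<@UACSC2.ALBANY.EDU:owner-disarm-d@UACSC2.ALBANY.EDU>: "
    "Connection reset by peer during collect with uacsc2.albany.edu",
    "Dec  1 11:02:10 whiplash sendmail[2901]: AA02901: SYSERR: unexpected close, "
    "from=<list@mail.example.org>: Connection reset by peer during collect with mail.example.org",
    "Dec  1 11:40:55 whiplash sendmail[2950]: AA02950: SYSERR: unexpected close, "
    "from=<list@mail.example.org>: Connection timed out during collect with MAIL.EXAMPLE.ORG",
    "Dec  1 12:15:03 whiplash sendmail[2977]: AA02977: SYSERR: unexpected close, "
    "from=<list@mail.example.org>: Connection reset by peer during collect with mail.example.org",
    "Dec  1 12:16:00 whiplash sendmail[2980]: AA02980: to=penrod, delay=00:00:02, stat=Sent",
]

if __name__ == "__main__":
    for peer, info in sorted(triage(SAMPLE_LOG).items()):
        print(peer, info)
```

A peer marked recurring is the one whose administrator the summary above says should be contacted; a single event from a host is consistent with the transient causes listed there.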


