[Esd-l] Can anyone confirm that Beagle is successfully trapped?

Tommy Lindqvist lindqt at space.se
Tue Jan 20 07:42:13 PST 2004


Hi,

We had one that got through, but this was/is no fault of the Sanitizer.
Seems like our mail system does not invoke Sanitizer for email from
MAILER-DAEMON.

Here are the relevant parts of the header.
I have not had time yet to delve into how I change the attitude of the Sun
Sendmail I use.

Message-Id: <200401191910.i0JJAiPS011032 at cism.jpl.nasa.gov>
Received: (qmail 22096 invoked for bounce); 19 Jan 2004 19:05:47 -0000
Date: 19 Jan 2004 19:05:47 -0000
From: MAILER-DAEMON at one.mailserver.nod
To: somemailinglist at another.mailserver.nod
Subject: failure notice
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
        sunsrv1.space.se
X-Spam-Status: No, hits=2.0 required=7.5 tests=BAYES_44,LARGE_HEX,
        MSGID_FROM_MTA_HEADER,NO_REAL_NAME,UPPERCASE_50_75 autolearn=no
        version=2.60
X-Spam-Level: **


I have edited domain names to be nice to the parties involved. SpamAssassin
got invoked, but not Sanitizer. Weird. I start them both from the same
procmailrc.
I have canned the entire message, in case anyone would be interested. I
still suspect something is wrong with my invocation of Sanitizer rather than
Sanitizer itself.

Or possibly Sanitizer did not scan the message, since the Content-Headers
were missing from the real header, but present in the included message?

Tommy
 

>-----Original Message-----
>From: esd-l-bounces at spconnect.com 
>[mailto:esd-l-bounces at spconnect.com] On Behalf Of Peter Hanecak
>Sent: Tuesday, January 20, 2004 4:18 PM
>To: John D. Hardin
>Cc: Email Security Discussion list
>Subject: Re: [Esd-l] Can anyone confirm that Beagle is 
>successfully trapped?
>
>Hello,
>
>On Tue, 20 Jan 2004, John D. Hardin wrote:
>
>> All:
>> 
>> I haven't seen it, so I don't know if it uses any tricks that might
>> bypass the sanitizer. It sounds like a simple enough .EXE attachment
>> attack, but if anyone's actually caught one it'd be nice to have
>> confirmation.
>
>if you mean something like that:
>
>-------------------------------------------------------------------
>>From xxx at yyy.edu Tue Jan 20 16:15:01 2004
>Date: Tue, 20 Jan 2004 09:27:22 +0200
>From: xxx at yyy.edu
>To: zzz at www.com
>Subject: Hi
>
> Test =)
>fanjggsnlkbkenm
>--
>Test, yep.
>
>    [ Part 2: "SECURITY NOTICE" ]
>
>
>SECURITY NOTICE:
>
>The mail system has removed a file attachment from this message.
>The attachment has been discarded.
>
>Please contact your system administrator for details.
>
>Filename: pjtjd.exe
>
>
>-------------------------------------------------------------------
>
>then it looks like sanitizer is working on that Beagle.
>
>I was just starting to wonder why it was quite silent recently, and right 
>after that I received a few of those like the above. :|
>
>Peter
>
>-- 
>===================================================================
>  Peter Hanecak <hanecak at megaloman.com>
>  GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
>===================================================================
>
>_______________________________________________
>Esd-l mailing list
>Esd-l at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esd-l
>
>
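
Tommy's second theory above (the outer bounce carried no Content-* headers, while the attachment sat in the included copy of the original message) is exactly the case a scanner keyed on the outer MIME structure misses. The script below is an added example, not code from this list, from the Sanitizer or from its author. It builds two constructed bounces, a qmail-style plain-text failure notice that pastes the original message after a marker line, and a MIME bounce that wraps it as a message/rfc822 part, and compares a scan that only follows the outer message's MIME structure with one that also re-parses the embedded copy. The marker wording, the extension list, the addresses and the message bodies are assumptions for the example, modelled on the headers quoted in the thread.

```python
"""Added example: find executables hidden in the returned copy of a bounced
message, whether the bounce is a plain-text failure notice or a MIME one."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the sanitizer would normally strip; a small subset, assumed here.
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# qmail-style failure notices paste the original message as plain text after
# this line. The exact wording is assumed for the example; check your MTA.
BOUNCE_MARKER = "--- Below this line is a copy of the message."


def _attachment_names(msg):
    """Filenames of every part that declares one. walk() descends into
    multipart containers and into message/rfc822 sub-messages."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _dangerous(names):
    return [n for n in names if os.path.splitext(n)[1].lower() in DANGEROUS_EXT]


def mime_scan(raw):
    """What a scanner keyed on the outer Content-* headers sees."""
    msg = email.message_from_string(raw, policy=policy.default)
    return _dangerous(_attachment_names(msg))


def bounce_scan(raw):
    """MIME scan plus a second pass: if the outer message is a bare text/plain
    bounce, re-parse the embedded copy of the original as its own message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = _dangerous(_attachment_names(msg))
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_content()
        cut = body.find(BOUNCE_MARKER)
        if cut != -1:
            inner_text = body[cut + len(BOUNCE_MARKER):].lstrip("\r\n")
            inner = email.message_from_string(inner_text, policy=policy.default)
            found += _dangerous(_attachment_names(inner))
    return found


# --- constructed samples (addresses and bodies modelled on the thread) -------

def _original_worm_mail():
    """Stand-in for the Beagle mail: short text body plus an .exe attachment."""
    m = EmailMessage()
    m["From"] = "xxx@yyy.edu"
    m["To"] = "zzz@www.com"
    m["Subject"] = "Hi"
    m.set_content("Test =)\nfanjggsnlkbkenm\n")
    m.add_attachment(b"MZ not a real binary", maintype="application",
                     subtype="octet-stream", filename="pjtjd.exe")
    return m


def qmail_style_bounce():
    """Plain-text failure notice: no Content-* headers on the outer message."""
    return (
        "Received: (qmail 22096 invoked for bounce); 19 Jan 2004 19:05:47 -0000\n"
        "Date: 19 Jan 2004 19:05:47 -0000\n"
        "From: MAILER-DAEMON@one.mailserver.nod\n"
        "To: somemailinglist@another.mailserver.nod\n"
        "Subject: failure notice\n"
        "\n"
        "Hi. This is the qmail-send program at one.mailserver.nod.\n"
        "I'm afraid I wasn't able to deliver your message to the following addresses.\n"
        "\n"
        "<nobody@another.mailserver.nod>:\n"
        "Sorry, no mailbox here by that name. (#5.1.1)\n"
        "\n" + BOUNCE_MARKER + "\n\n" + _original_worm_mail().as_string()
    )


def mime_bounce():
    """DSN-style bounce that wraps the original as a message/rfc822 part."""
    b = EmailMessage()
    b["From"] = "MAILER-DAEMON@one.mailserver.nod"
    b["To"] = "somemailinglist@another.mailserver.nod"
    b["Subject"] = "failure notice"
    b.set_content("The following message could not be delivered.\n")
    b.add_attachment(_original_worm_mail())
    return b.as_string()


if __name__ == "__main__":
    for label, sample in (("qmail-style", qmail_style_bounce()),
                          ("MIME", mime_bounce())):
        print(f"{label:12s} mime_scan={mime_scan(sample)} "
              f"bounce_scan={bounce_scan(sample)}")
```

For the MIME bounce both scans report pjtjd.exe, because walk() already descends into the message/rfc822 part. For the qmail-style notice only the second pass finds it: the outer message is bare text/plain, so anything that decides whether to scan by looking at the outer Content-* headers never sees the attachment. Whatever the filtering stage is (procmail recipe or MTA hook), the check to make is that bounces from MAILER-DAEMON reach it at all, and that it treats the pasted-in copy as a message in its own right.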


