[968] in linux-security and linux-alert archive
Re: [linux-security] sendmail security
daemon@ATHENA.MIT.EDU (Richard Bullington)
Fri Jul 26 05:40:12 1996
Date: Fri, 26 Jul 1996 04:05:27 -0400 (EDT)
From: Richard Bullington <rbulling@obscure.org>
To: John Henders <jhenders@bogon.com>
cc: "Miller, Raul D." <RDMiller@legislate.com>,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <E0uiuMn-0000KO-00@stdismas.bogon.com>

On Tue, 23 Jul 1996, John Henders wrote:

> Qmail is nice, but in defence of smail, I'd like to point out that smail
> has had _one_ cert notice since they started doing cert advisories.
> There was one other problem with the Slackware distribution of smail as
> it was configured wrong (big surprise there).

Smail may not have CERT advisories put out, but people who write
mailbombing software are actively exploiting a weakness in the production
version (at least up to 3.1.29.1): it does not keep an IP address trail of
SMTP participants in the "Received:" line of the headers.

This means that if you can telnet to the SMTP port of a machine running
smail, you can effectively forge mail. Smail will hide your tracks from
the recipient of the message, who will need to get cooperation from the
system administrators of the smail system to do any more tracing.

Can someone quote from an SMTP-related RFC that specifies what should
be in the "Received:" header? Is Smail being a bad SMTP citizen?

-Richard Bullington <rbulling@obscure.org> http://www.obscure.org
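
As an added example that is not part of the original message, the following Python checks each "Received:" header of a message for a recorded peer IP address and lists the hops that, like the smail behaviour described above, recorded only the name the client claimed. The sample message, the host names and the bracketed-address convention it looks for are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the post): hop 1 records the peer address in
# brackets; hop 2, like the smail behaviour described, gives only a claimed name.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id ABC123; Fri, 26 Jul 1996 04:05:30 -0400
Received: from claimed.example.com by relay.example.net with smtp
\tid m0ujXYZ-000ABC; Fri, 26 Jul 1996 04:05:27 -0400
Subject: test

body
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([^\]\s]+)\]")
FROM_CLAUSE = re.compile(r"^from\s+(\S+)(.*?)(?=\s+by\s|\Z)", re.S | re.I)
BY_CLAUSE = re.compile(r"\sby\s+(\S+)", re.I)

def peer_ip(text):
    """Return the first bracketed token that is a valid IP address, else None."""
    for cand in BRACKETED.findall(text):
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue
    return None

def audit_received(raw_message):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        trace = " ".join(value.split(";", 1)[0].split())  # drop date, unfold
        frm = FROM_CLAUSE.search(trace)
        by = BY_CLAUSE.search(" " + trace)
        hops.append({
            "by": by.group(1) if by else None,
            "claimed_from": frm.group(1) if frm else None,
            "peer_ip": peer_ip(frm.group(0)) if frm else None,
        })
    return hops

def untraceable_hops(raw_message):
    """Receiving hosts that logged a 'from' name but no peer IP address."""
    return [h["by"] for h in audit_received(raw_message)
            if h["claimed_from"] and h["peer_ip"] is None]

if __name__ == "__main__":
    print("no IP trail recorded by:", untraceable_hops(SAMPLE))
```

Only the "Received:" lines added by hosts you control or trust are reliable; anything below them is text supplied by the sender and can be fabricated.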