[14102] in bugtraq


false alarms by real secure

daemon@ATHENA.MIT.EDU (Danton Nunes)
Wed Mar 1 01:49:39 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <200002291939.QAA05620@quantum.inexo.com.br>
Date:         Tue, 29 Feb 2000 16:39:04 -0300
Reply-To: Danton Nunes <danton@INEXO.COM.BR>
From: Danton Nunes <danton@INEXO.COM.BR>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

RealSecure traps incoming packets on tcp/25 containing certain strings
that suggest a message being directed to a program (to:|something). It
seems not to distinguish between message headers and message contents and
sounds a false alarm when a message or an attachment to a message contains
something like 'mailbox:/c|/some/funny/place'.

It is possible to launch a DoS attack against firewalls with RealSecure
just by sending a number of e-mails containing the offending pattern. The
message is not delivered, returning to sendmail w/ I/O error. sendmail
requeues and tries again later, making the alarm ring over and over again.

I don't understand why RealSecure mistakes normal e-mail text for an
attack against sendmail (most versions are not vulnerable anyway). Amazingly,
this behaviour is documented as a 'feature'.


--
Danton Nunes      |Informática, Consultoria e Serviços de Acesso à Internet
InterNexo Ltda.   |  http://www.inexo.com.br/  mailto:danton@inexo.com.br
S.J.Campos,BRASIL |  PGP: 02 D1 E2 DF 21 EC 48 69 3F D5 4D 1B 5D 73 F4 B5
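
Added example, not part of the original post and not RealSecure's code: a context-free matcher for the "to:|something" pattern next to one that tracks the SMTP dialogue and inspects only envelope RCPT TO commands, so message content after DATA cannot raise the alarm. The regex, function names and sample session are assumptions constructed for illustration; the product's actual signature is not shown in the post.

```python
import re

# Assumed signature: an address field directed at a program ("to:|something").
PIPE_RCPT = re.compile(r'to:\s*<?\s*"?\|', re.IGNORECASE)

def naive_alerts(client_lines):
    """Context-free matching: every client line on tcp/25 is checked."""
    return [ln for ln in client_lines if PIPE_RCPT.search(ln)]

def stateful_alerts(client_lines):
    """Follow the SMTP state machine and check only envelope recipients."""
    alerts, in_data = [], False
    for raw in client_lines:
        ln = raw.rstrip("\r\n")
        if in_data:
            # Content ends at a line holding a single dot; a dot-stuffed
            # line ("..") is still content and must not end the DATA phase.
            if ln == ".":
                in_data = False
            continue
        verb = ln.strip().upper()
        if verb == "DATA":
            in_data = True
        elif verb.startswith("RCPT TO:") and PIPE_RCPT.search(ln):
            alerts.append(ln)
    return alerts

# Constructed client-side lines: one benign message whose body merely
# mentions the pattern, then one envelope that really uses it.
SESSION = [
    "HELO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: alias notes",
    "",
    "The old README said to:|/usr/local/bin/filter in the alias file.",
    ".",
    "MAIL FROM:<carol@example.org>",
    "RCPT TO:<|something>",
    "QUIT",
]

if __name__ == "__main__":
    print("naive   :", naive_alerts(SESSION))
    print("stateful:", stateful_alerts(SESSION))
```

The naive matcher fires on the benign body line as well as the envelope command, and would fire again on every requeue of that message; the stateful one reports only the envelope recipient.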
