Re: Crippling Received: headers

> Matti,
> attached is a message from bugtrack about a way to make sendmail produce
> Received: header without information about the sender host address.
> It appears that Zmailer is vulnerable to the same type of attack.

	Well, depends on the version.
	Earlier ones were susceptible to it to some extent, but these
	latest ones are not.

> Eugene

	My test example:  (circa 1020 chars of __foobarjunk_ strings..)
	Hmm.. exploit spoke of exceeding 1024 characters buffer, but
	I just tried using a screenful of junk text there, and got it
	all thru in the Received: header...  (Not very useful that one,
	though..)  The literal IP address is there for tracking the
	connection, and it can't be faked.  "from SOMETHING" just tells
	what the IP reversal reports, and if nothing is reported, there
	will be "from []" (in my example case).

Received: from localhost ([]:48646 "helo __foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk___foobarjunk_" ident: "mea") by mea.tmt.tele.fi with SMTP id <92215-4586>; Wed, 27 May 1998 20:40:24 +0300

	The report also spoke of truncating the "HELO" parameter into
	something of more reasonable size.  Yielding a Received: line
	whose length exceeds 1020, or thereabouts, is overall troublesome
	to many systems.

	Yeah, must think about that.

/Matti Aarnio
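
An added example, not part of the original message and not Zmailer's code: one way to do the truncation discussed above, so that the socket-derived address literal always survives and the Received: line stays under the line-length limit. The names `build_received`, `clean_helo`, `HELO_MAX` and `RCVD_LINE_MAX`, the 64-character cap, and the sample address, host name and id are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HELO_MAX      64   /* assumed cap on the logged HELO string */
#define RCVD_LINE_MAX 998  /* RFC 5322 line limit, excluding CRLF */

/* Copy the client-supplied HELO argument into out (at least HELO_MAX + 1
 * bytes), keeping at most HELO_MAX characters. Bytes that could break or
 * forge header structure (controls, space, quote, backslash, non-ASCII)
 * become '?'. Returns 1 if the argument was cut short. */
static int clean_helo(const char *helo, char *out)
{
    size_t n = 0;
    while (*helo && n < HELO_MAX) {
        unsigned char c = (unsigned char)*helo++;
        out[n++] = (c < 0x21 || c > 0x7e || c == '"' || c == '\\') ? '?' : (char)c;
    }
    out[n] = '\0';
    return *helo != '\0';
}

/* Build a one-line Received: header in buf. peer_ip and peer_port must come
 * from the accepted socket (getpeername), never from the client. rdns is the
 * reverse-lookup result, "" if none. Returns the length, or -1 if the line
 * does not fit in buf or exceeds RCVD_LINE_MAX. */
int build_received(char *buf, size_t bufsz, const char *rdns,
                   const char *peer_ip, unsigned peer_port,
                   const char *helo, const char *self, const char *id)
{
    char h[HELO_MAX + 1];
    int cut = clean_helo(helo, h);
    /* The address literal precedes the HELO text, so truncation never drops it. */
    int n = snprintf(buf, bufsz,
        "Received: from %.255s ([%s]:%u \"helo %s%s\") by %s with SMTP id <%s>",
        rdns, peer_ip, peer_port, h, cut ? "..." : "", self, id);
    return (n < 0 || (size_t)n >= bufsz || n > RCVD_LINE_MAX) ? -1 : n;
}

int main(void)
{
    char junk[1021], line[1200];
    memset(junk, 'j', sizeof junk - 1);   /* constructed 1020-char HELO */
    junk[sizeof junk - 1] = '\0';
    if (build_received(line, sizeof line, "localhost", "192.0.2.10", 48646,
                       junk, "mx.example", "1-1") > 0)
        puts(line);
    return 0;
}
```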