Re: Percent Hack
- From: "Matt Beechey" <matt@xxxxxxxxxxxx>
- Date: Tue, 28 Feb 2006 16:26:29 +1300
It wouldn't actually be fronted by Exchange - I've formulated a solution
using Debian, Postfix, Amavisd and Spamassassin that uses LDAP to check
recipient addresses on the Exchange server and sits in front for spam
filtering and virus scanning with Clam and Bitdefender (I say formulated - I
found a good writeup on the internet and extended it with LDAP lookups
rather than a static list on the Debian box). I'm competent enough with
Debian to maintain and support this solution in that updates etc. are easy
with apt-get but it's not that easy with such an outdated Redhat box. As it's
being retired shortly I hoped there would be a simple stop-gap to stop the
percent hack problem as otherwise it seems solid enough (it was installed by
a local ISP who is no longer interested as they've shifted their business to
web design and hosting only and it's been running for around 6 years at a
guess - it was installed on a purpose-built Celeron 400 so that shows its
age!)

Is there a simple process to download the latest sendmail distro and
unzip(tar?) it over the current version?

Matt

"Bill Cole" <bill@xxxxxxxxxxxxx> wrote in message
news:bill-1287C5.10554527022006@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> In article <440233cc$1@xxxxxxxxxxxx>,
> "Matt Beechey" <matt@xxxxxxxxxxxx> wrote:
>
>> I have a client who is currently running sendmail 8.9.3/8.8.7 (That's
>> what's reported upon connection on port 25). They suffer from the percent
>> hack - i.e. people can relay via them simply by using username%domain@
>> instead of username@domain in the recipient address.
>> I don't want to have to upgrade them as my Redhat knowledge is limited -
>
> Then they need to find some other competent person to do the upgrade for
> them. Not upgrading is not a reasonable option.
>
>> they are running Redhat 6 currently and we plan to retire this server
>> before too long and go with Exchange Server.
>
> Probably not the wisest approach, but I guess a modern Exchange exterior
> is better than an ancient sendmail one.
>
>> Is there an easy way to fix this issue
>> on this version of sendmail - I wondered about removing the % symbol from
>> the Do line (Delimiters) in sendmail.cf but without getting confirmation
>> of this I didn't want to play.
>
> That would work after a fashion, but the breakage could be ugly.
>
>> They also send NDRs for all messages to invalid
>> local users where I would rather block during the SMTP session but this
>> version does not do this I believe.
>
> Any version of Sendmail *can* reject invalid users in SMTP, but whether
> it will do so is really a matter of what addresses it sees as local
> users. If you have Sendmail acting purely as a relay between the outside
> world and some inside mail system (e.g. Exchange) then you have to work
> out a way for Sendmail to restrict relaying based on the full address
> rather than just by domain.
>
>> I did a bit of playing to see if I could
>> upgrade them but the dependencies appeared to be HUGE - I then hoped I
>> could perhaps step them up to a newer Redhat distro but this became a pain
>> as finding older versions of distros is hard and from what I've read the
>> "upgrade" process for Redhat is not REALLY an upgrade - it's a kludge so
>> doesn't sound like a good idea.
>> Does anyone have an easy fix for this problem as they are on a Relay
>> blocklist and obviously won't be taken off until we can patch this
>> weakness.
>
> Sounds reasonable to me.
>
> They really should be shunned until they upgrade to a securable version
> of Sendmail, and likely will be re-shunned repeatedly until they do so,
> since there are other known attacks against Sendmail, some more serious
> than simple spam relaying. If your client's machine is connected through
> a responsibly-managed ISP, they run a real risk of being cut off
> completely by running a box with such a severe security flaw.
>
> --
> Now where did I hide that website...
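
Added example, not part of either poster's message: a log check that flags recipients of the `username%domain@` form discussed in this thread and shows the off-site address each one resolves to, which helps gauge how much mail was relayed while the host stays unpatched. The domain `client.example`, the simplified `to=<...>` log lines and the function names are assumptions made up for this sketch; the rewrite rule modelled is that the rightmost `%` becomes `@` once the address reaches a local domain.

```python
import re

LOCAL_DOMAINS = {"client.example"}  # assumption: domains this host accepts mail for
TO_FIELD = re.compile(r"to=<([^>]*)>")

# Constructed sample lines, loosely modelled on sendmail's "to=" log field.
SAMPLE_LOG = """\
Feb 28 16:20:01 mx sendmail[101]: QAA00101: to=<alice@client.example>, stat=Sent
Feb 28 16:20:07 mx sendmail[102]: QAA00102: to=<bob%elsewhere.example@client.example>, stat=Sent
Feb 28 16:20:09 mx sendmail[103]: QAA00103: to=<carol%client.example@client.example>, stat=Sent
Feb 28 16:20:12 mx sendmail[104]: QAA00104: to=<dave%elsewhere.example@>, stat=Sent
Feb 28 16:20:15 mx sendmail[105]: QAA00105: to=<erin%a.example%b.example@client.example>, stat=Sent
"""


def percent_hack_target(rcpt, local_domains=LOCAL_DOMAINS):
    """Return the off-site address a percent-hack recipient resolves to, else None."""
    addr = rcpt.strip().strip("<>").lower()
    rewritten = False
    while True:
        local, at, domain = addr.rpartition("@")
        if not at:
            return None                          # no '@' left: nothing to route
        if domain and domain not in local_domains:
            return addr if rewritten else None   # off-site only counts after a rewrite
        if "%" not in local:
            return None                          # ordinary local delivery
        # Local (or empty) domain: the rightmost '%' becomes the next '@'.
        user, _, next_domain = local.rpartition("%")
        addr, rewritten = f"{user}@{next_domain}", True


def scan(log_text, local_domains=LOCAL_DOMAINS):
    """Return (logged recipient, resolved off-site address) for each flagged entry."""
    hits = []
    for line in log_text.splitlines():
        for rcpt in TO_FIELD.findall(line):
            target = percent_hack_target(rcpt, local_domains)
            if target:
                hits.append((rcpt, target))
    return hits


if __name__ == "__main__":
    for rcpt, target in scan(SAMPLE_LOG):
        print(f"relay attempt: {rcpt} -> {target}")
```

A recipient whose `%` part points back at a local domain (the `carol` line) is not flagged, since it still ends in local delivery.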