Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual page 987

SMTP:OVERFLOW:SENDMAIL-MIME-OF
SMTP:OVERFLOW:SQRLMAIL-HDR-INJ
SMTP:OVERFLOW:TOO-MANY-RCPT
SMTP:REQERR:REQ-SYNTAX-ERROR
SMTP:RESPONSE:PIPE-FAILED
SMTP:SAGTUBE-DOS
SMTP:SENDMAIL:ADDR-PRESCAN-ATK
SMTP:SENDMAIL:SENDMAIL-FF-OF
Copyright © 2010, Juniper Networks, Inc.
This signature detects buffer overflow attempts against
Sendmail. Sendmail versions 8.8.0 and 8.8.1 are vulnerable.
Attackers may embed a maliciously crafted MIME header in
an e-mail to overflow a buffer in Sendmail and execute
arbitrary commands as root.
This signature detects SMTP messages with Base-64
encoded headers. SquirrelMail 1.4.3a and earlier versions do
not correctly sanitize SMTP headers. Attackers may send
maliciously crafted SMTP messages to execute arbitrary
code at the same privilege level as the target (typically user).
Note: Systems that typically carry non-English e-mail
messages should not include this attack object in their
security policy.
This protocol anomaly is too many 'RCPT TO:' recipients in
an SMTP connection. This may indicate a very popular e-mail
message or a DoS/buffer overflow attempt.
This protocol anomaly is an unparsed SMTP command line
or header line due to a missing ':'. This may indicate a
nonstandard e-mail client or server or a backdoor/exploit
attempt.
This signature detects SMTP server responses that are
generated when an unsuccessful attempt is made to send
shell commands via an SMTP e-mail message by exploiting
the pipe (|) passthrough vulnerability in SendMail. If the '|'
operator was used within specified "mail to" and/or "rcpt
to" e-mail addresses to cause Sendmail to reroute data to
another program, attackers receive a '550' error message.
This signature detects character strings within an e-mail
message that are designed to exploit a vulnerability in
SpamAssasssin. SpamAssassin Project SpamAssassin 2.63
and earlier are vulnerable. SpamAssassin uses a weighting
system to determine when an e-mail message is spam.
Attackers may send a maliciously crafted e-mail with a
spoofed address to cause SpamAssassin to consider all
further e-mail from the spoofed address as spam, regardless
of the target's whitelist settings. After the malicious e-mail
has been received by the target, SpamAssassin blocks all
e-mails from the spoofed address.
This signature detects attempts to exploit a vulnerability in
Sendmail SMTP server versions prior to 8.12.9. Because the
prescan() procedure that processes e-mail addresses in
SMTP headers does not perform some char and int
conversions correctly, attackers may send a maliciously
crafted request to corrupt the Address Prescan Memory on
a Sendmail SMTP server and execute arbitrary code.
This signature detects attempts to exploit a vulnerability in
Sendmail versions 8.12.8 and earlier. Under certain
conditions, the Sendmail address parser does not perform
sufficient bounds checking when converting char to int.
Attackers may use this exploit to gain control of the server.
Appendix E: Log Entries
critical sos5.1.0
medium sos5.1.0
medium sos5.0.0,
sos5.1.0
medium sos5.1.0
high sos5.1.0
medium sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
937