January 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.

Here's a brief description of a Sendmail (qmail) hole I found
recently:

When someone mailbombs you, or tries to send fakemail, spam, etc. -
sendmail normally attaches the sender's host name and its address
to the outgoing message:

--
>From spam@flooders.net Mon Jan 5 22:08:21 1998
Received: from spammer (marc@math.university.edu [150.129.84.5])
        by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
        for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!!
--

That's perfect - now you know who is responsible for that annoying
junk in your mailbox: "Received: from spammer (marc@math.university.edu
[150.129.84.5])". Nothing easier...

But I found a small hole, which allows a user to hide their identity
and send mail anonymously. The only thing you need to do is
pass a HELO string longer than approx. 1024 B - the sender's location and
other very useful information will be cropped!!! The message
headers become uninformative. Sometimes the sender
may become quite untraceable (but not always, if it is possible
to obtain logs from the machine that was used to send):

--
>From spam@flooders.net Mon Jan 5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!! Now guess who am I...
--

Here's a simple example of Sendmail's HELO hole usage. Note, this
script has been written ONLY to show how easy sending
fakemails and mailbombs may be with the cooperation of Sendmail ;) The script is
very slow and restricted in many ways, but explains the problem
well (note, some non-Berkeley daemons are also affected,
probably Qmail?):

-- EXPLOIT CODE --
#!/bin/bash

TMPDIR=/tmp/`whoami`
PLIK=$TMPDIR/.safe
TIMEOUT=2
LIMIT=10
MAX=20

echo
echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"
e...
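
A defensive check for the symptom described in the post, added here as an example and not part of the original message: it audits each Received header of a stored message for an overlong HELO name, a missing connecting-peer address, or a missing "by" clause. The 255-octet bound is the domain-length limit from RFC 5321 and is used here as an assumed threshold; both sample messages are constructed from the two quoted in the post.

```python
import re
from email import message_from_string

MAX_DOMAIN = 255  # assumed threshold: RFC 5321 4.5.3.1.2 domain-length limit

# Constructed samples modelled on the two messages quoted in the post.
NORMAL = (
    "Received: from spammer (marc@math.university.edu [150.129.84.5])\n"
    "\tby myhost.com (8.8.8/8.8.8) with SMTP id WAA00376\n"
    "\tfor lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100\n"
    "From: spam@flooders.net\n\nMAILBOOM!!!\n"
)
CROPPED = (
    "Received: from " + "x" * 1100 + "\n"
    "From: spam@flooders.net\n\nMAILBOOM!!!\n"
)

# "(ident-or-hostname [a.b.c.d])" as written by the receiving MTA.
PEER = re.compile(r"\(([^()]*)\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def audit_received(raw):
    """Return one finding dict per Received header in a raw message."""
    findings = []
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)", flat)
        helo = m.group(1) if m else ""
        peer = PEER.search(flat)
        reasons = []
        if len(helo) > MAX_DOMAIN:
            reasons.append("helo-too-long")    # client-supplied name is oversized
        if peer is None:
            reasons.append("no-peer-address")  # MTA-recorded origin is absent
        if " by " not in flat:
            reasons.append("no-by-clause")     # header was cut before "by host"
        findings.append({
            "helo_len": len(helo),
            "peer_ip": peer.group(2) if peer else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("cropped", CROPPED)):
        print(name, audit_received(raw))
```

A message flagged with "no-peer-address" still has an origin in the receiving host's own connection logs, which is where the post says tracing remains possible.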