[Esd-l] Detection rule for sendmail header exploit

Brett Glass brett at lariat.org
Wed Mar 5 11:57:06 PST 2003

So, what's the complete, correct recipe here? 


At 08:24 AM 3/5/2003, John D. Hardin wrote:
>On Wed, 5 Mar 2003, Mike McCandless wrote:
>> Could the line you provided
>> ^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
>> be added to header checks in the MTA?  I use Postfix, so I could add
>> this to the header regular expression table...and wouldn't have to worry
>> about ever seeing it in procmail...
>Yes, that should work.
>Note that this may not detect all variants of attacks on this
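
An added example, not part of the original thread and not code from any poster or from Postfix or procmail: a small Python model of applying the quoted pattern to each logical header of a message, so the rule can be tried against sample mail before it goes into a header-check table. The function names, the case-insensitive match, the unfolding step and both sample messages are assumptions constructed for illustration.

```python
import re

# Pattern quoted in the thread above, unchanged.
RULE = re.compile(
    r"^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)",
    re.IGNORECASE,  # assumption: header names are compared case-insensitively
)

def logical_headers(raw):
    """Return the header block of a raw message as unfolded logical headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop the body
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            # Continuation line: join it to the previous header (RFC 5322 unfolding).
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def flagged_headers(raw):
    """Return the names of the headers that the rule matches."""
    return [h.split(":", 1)[0] for h in logical_headers(raw) if RULE.search(h)]

# Constructed sample messages (not captured traffic).
SUSPECT = (
    "Received: from mail.example.org by mx.example.net\r\n"
    "From: a <> b <> c <>\r\n"
    "\td <> e <> (comment)\r\n"
    "To: user@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body text <><><><><> (not a header)\r\n"
)
NORMAL = (
    "From: Alice Example <alice@example.org> (Alice)\r\n"
    "To: <bob@example.net>, <carol@example.net>\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "hi\r\n"
)

if __name__ == "__main__":
    print("suspect:", flagged_headers(SUSPECT))
    print("normal: ", flagged_headers(NORMAL))
```

Running a mailbox of known-good mail through `flagged_headers` first gives a quick read on false positives before the rule is enforced.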
