I use sendmail 8.17.1.9 under Gentoo -- any patch for that one to fix this?

On Mon, 01 Jan 2024 12:58:47 -0500,
Gellner, Oliver via mailop wrote:
> 
> 
> > On 28.12.2023 at 20:29 Marco Moock via mailop wrote:
> >
> > On 28.12.2023 at 18:15:39, Tom Perrine via mailop wrote:
> >
> >> Has anyone detected or seen any evidence of SMTP smuggling in the
> >> wild?
> >>
> >> I’m trying to get an independent read on how quickly the bad actors
> >> have (or haven’t) picked up on this, yet.
> >
> > According to the information I read, it affected some hosting solutions
> > at 1und1/IONOS, but that has been fixed.
> 
> The vulnerability is not super critical, but it has been fixed only for a 
> very small subset of affected systems. All kinds of MTAs from Postfix to 
> Sendmail, Exim and various proprietary systems are affected and the 
> vulnerability generally remains unfixed until the administrators adjust the 
> configuration of their system.
> I haven’t heard of any large scale exploitation in the past, but I imagine 
> that spammers will include the technique in their toolset for the future.
> 
> > Although, it needs to have certain circumstances, so the sending server
> > (for example a submission server for the customer) must accept it as one
> > message and the receiving server (e.g. the outgoing relay) must
> > interpret it as 2 messages and the 1st server needs to be allowed to
> > relay through the second one for the really bad attacks
> > (unauthenticated relaying).
> 
> To exploit the issue, an email message needs to traverse two MTAs that treat 
> the EOM marker differently. The MTAs do not need to be in a special trust 
> relationship or allowed to relay to each other.
> 
> —
> BR Oliver
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici wb2una
         cov...@ccs.covici.com
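
Added example (not part of the thread and not any MTA's code): the condition named in the quoted reply above, two MTAs that treat the EOM marker differently, shown as two end-of-data scanners run over one constructed DATA stream. The lenient scanner's behaviour, the sample bytes and all names are assumptions for illustration.

```python
import re

# RFC 5321: the only end-of-data marker is <CRLF>.<CRLF>.
STRICT_EOM = re.compile(rb"\r\n\.\r\n")
# Assumed lenient receiver: treats CRLF, bare CR or bare LF as a line ending.
LENIENT_EOM = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")
# A CR not followed by LF, or an LF not preceded by CR.
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def offsets(stream: bytes, pattern: re.Pattern) -> list[int]:
    """Byte offsets at which the pattern matches in the DATA stream."""
    return [m.start() for m in pattern.finditer(stream)]


def audit(stream: bytes) -> dict:
    """Compare how a strict and a lenient MTA would delimit the same bytes."""
    strict = offsets(stream, STRICT_EOM)
    lenient = offsets(stream, LENIENT_EOM)
    return {
        "strict_messages": len(strict),
        "lenient_messages": len(lenient),
        # End-of-data positions only the lenient parser recognises.
        "disputed_offsets": sorted(set(lenient) - set(strict)),
        # What a receiver that rejects non-CRLF line endings would flag.
        "bare_newlines": offsets(stream, BARE_NEWLINE),
        "ambiguous": strict != lenient,
    }


# Constructed samples: body text only, no SMTP commands.
CLEAN = b"Subject: a\r\n\r\nline one\r\n.\r\n"
MIXED = b"Subject: a\r\n\r\nline one\n.\nline two\r\n.\r\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("mixed", MIXED)):
        print(name, audit(sample))
```

A stream is only ambiguous when it contains bare CR or LF characters, so refusing or normalising them at the receiving side removes the disagreement regardless of what the upstream MTA accepted.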