Sendmail version 8.8.7 has a bug which makes it openly relay all mail. If the RCPT TO: address has quotes ("") around the destination the mailer will relay it regardless of its anti-relay configuration. Quoting http://www.orbs.org/otherresources.cgi: 'several thousand sendmail 8.8 installations have been exploited by a spammer using RCPT TO:<"victim@target"> - with the "" in the envelope. If you have an ORBS notice with "X-Envelope-Recipient: <"someone"> " in the last few lines, then this is the test your sendmail installation failed.' This bug was confirmed on our redhat-5.1 mailserver. RH 5.2 and 5.0 also ship with 8.8.7 and are likely vulnerable. The fix for our site was to download, build, and install the sendmail 8.9.3 package from the redhat-6.1 distribution.
Bug #4217 seems to be the same as this one. It links to the web page: http://www.informatik.uni-kiel.de/%7Eca/email/check.html which contains new rules that prevent this. The quick and dirty way to fix the problem on Red Hat 5.2 is to copy the check_rcpt and removelocal rules from that web page as replacements for the check_rcpt and removelocal rules in sendmail.cf. Or, for the truly lazy, a patch for sendmail.cf: (make sure tabs aren't lost, otherwise sendmail will fail with "expected tab" errors!) ******************* beginning of patch --- /etc/sendmail.bak Thu May 6 14:00:51 1999 +++ /etc/sendmail.cf Wed Nov 24 19:09:10 1999 @@ -870,25 +870,21 @@ R$+ $: $(dequote "" $&{client_addr} $) $| $1 R0 $| $* $@ ok client_addr is 0 for sendmail -bs R$={LocalIP}$* $| $* $@ ok from here -# next: get client name -R$* $| $+ $: $(dequote "" $&{client_name} $) $| $2 -R $| $* $@ ok no client name: directly invoked-#R$- $| $* $@ ok for those without full DNS... -R$*$=w $| $* $@ ok from here -R$*$={LocalNames} $| $* $@ ok from allowed system -# now check other side +# not local, check rcpt R$* $| $* $: $>3 $2 -# remove local part -R$*<@$+.>$* $: $>remove_local $1<@$2.>$3 +# remove local part, maybe repeatedly +R$+ $:$>remove_local $1 # still something left? -R$*<@$+>$* $#error $@ 5.7.1 $: 551 we do not relay +R$*<@$*>$* $#error $@ 5.7.1 $: 550 we do not relay Sremove_local # remove RelayTo part (maybe repeatedly) -R$*<@$*$={RelayTo}.>$* $>3 $1 $4 -R$*<@$=w.>$* $: $>remove_local $>3 $1 $3 - - +R$*<@$*$={RelayTo}.>$* $>3 $1 $4 +R$*<@$=w.>$* $: $>remove_local $>3 $1 $3 +R$*<@$*>$* $@ $1<@$2>$3 +# dequote local part +R$- $: $>3 $(dequote $1 $) +R$*<@$*>$* $: $>remove_local $1<@$2>$3 SjunkIP # lookup IP in database ******************* end of patch
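Review bot: the removal of the client-name rules at the top of the hunk (`R$*$=w $| $* $@ ok from here` and `R$*$={LocalNames} $| $* $@ ok from allowed system`) is not mentioned in the accompanying text. After it, a client is exempted from the recipient check only by the remaining client_addr rules (`0` and `$={LocalIP}`), so any host that was allowed to relay by name alone will start receiving `550 we do not relay`. State this and have such hosts added to LocalIP before the patch is applied. The reply code also changes from 551 to 550 without comment, and as displayed here the hunk has lost the tabs that separate each rule's LHS from its RHS, so it should only be applied from a copy that preserves them.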
Grrr. Bugzilla or the html formatting seems to have eaten the tabs. Sorry for the length of these comments, but here's a gzipped, uuencoded version:
Try new sendmail-8.9.3 from RawHide: ftp://ftp.redhat.com/pub/rawhide/SRPMS/SRPMS/sendmail-8.9.3-15.src.rpm Download, install, build and upgrade your sendmail rpm. The new sendmail anti-spam features are good enough even for ORBS (www.orbs.org) tests.
*** This bug has been marked as a duplicate of 4217 ***
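A simplified Python model of the relay check discussed in this report, added here as an illustration; it is not sendmail code and not from any commenter. It assumes the flawed check accepts a recipient with no unquoted @domain as a local name, and it follows the patch comments for the fix (remove local parts repeatedly, dequote the local part, reject if a domain is still left). `LOCAL_DOMAINS` and all function names are hypothetical.

```python
import re

LOCAL_DOMAINS = {"mail.example.com"}  # constructed stand-in for sendmail's class w
REJECT = "550 we do not relay"

def split_addr(addr):
    """Split at the last '@' outside a quoted string -> (local_part, domain|None)."""
    in_quotes, at, i = False, -1, 0
    while i < len(addr):
        if addr[i] == "\\" and in_quotes:
            i += 2                      # skip an escaped character inside quotes
            continue
        if addr[i] == '"':
            in_quotes = not in_quotes
        elif addr[i] == "@" and not in_quotes:
            at = i
        i += 1
    if at < 0:
        return addr, None
    return addr[:at], addr[at + 1:].rstrip(".").lower()

def dequote(local):
    """Remove one layer of surrounding double quotes and backslash escapes."""
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        return re.sub(r"\\(.)", r"\1", local[1:-1])
    return local

def check_rcpt_flawed(rcpt):
    """Assumed flaw: whatever has no unquoted @domain is accepted as a local name."""
    _, domain = split_addr(rcpt.strip("<>"))
    return "ok" if domain is None or domain in LOCAL_DOMAINS else REJECT

def check_rcpt_fixed(rcpt):
    """Strip local domains and quotes repeatedly; reject if a foreign domain appears."""
    addr = rcpt.strip("<>")
    for _ in range(16):                 # bound the nesting we are willing to unwrap
        local, domain = split_addr(addr)
        if domain is not None:
            if domain not in LOCAL_DOMAINS:
                return REJECT
            addr = local                # our own domain: remove it and look again
            continue
        unquoted = dequote(addr)
        if unquoted == addr:
            return "ok"                 # plain local name, nothing left to unwrap
        addr = unquoted
    return REJECT                       # nested too deeply: fail closed
```

The two checks can be used as a regression test for a relay policy: both should agree on ordinary addresses, and only the fixed one should reject the quoted forms.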