[unisog] sendmail vulnerability / impact

Peter Van Epp vanepp at sfu.ca
Fri Mar 7 16:19:36 GMT 2003


On Fri, Mar 07, 2003 at 09:31:37AM -0500, Robin Anderson wrote:
> 
> In response to the most recently published sendmail vulnerability, we were
> given permission to block inbound port 25 traffic at our ResNet border.
> To date, we've only received one complaint about this action, but our CIO
> wants us to ask other university security folks about what they have done.
> 
> So here goes:
> 
> 1) Has anyone else summarily blocked port 25 traffic (in or out) for
>    their ResNet?

	We went one better and contracted out our Resnet (see the huge smile
on my face, best move we have ever made, although I'm not sure the contractor
thinks so any more :-)). The worst strain has been holding in saying "I told 
you so" to the poor contractor :-). That said I believe they are blocking 
port 25 because they have their own mail server (and have become sudden 
experts in all the problems of a resnet, see the grey hair appearing as we
watch ...).
	We do have 25 inbound on the main campus network blocked other than
to a handful of "approved" (for some value of approved) mail servers where
we trust the admins to do the right thing. There have not been a lot of 
complaints (and there is little sympathy for those that do complain :-)).
The approved course is to point your mail host at the campus smtp server
and we will arrange to forward your return mail from the campus server back
to your mail server.

> 
>   a) If you have NOT blocked port 25, have you had problems/incidents
>      relating to the sendmail vulnerability?  Do you have a generally
>      laissez-faire approach to ResNet, or do you try to alert them to new
>      vulnerabilities, fixes, etc?
> 
>   b) If you HAVE blocked port 25, do you have any data to support it as a
>      good decision?  (I know it's hard to prove a negative and that "we
>      haven't been hacked, so it must be working" is sometimes the best we
>      can offer.)  Any complaints?
> 

	We haven't had the entire campus on one of the black lists in a long
time :-). That is what finally drove the approval of blocking port 25: the 
outcry from the community as someone's unsecured box was used to spam and
the entire domain hit the black lists. As noted there have not been that many
complaints and none of them have been successful (where success == convincing
management to add them to the exception list). I suspect the requirement for
a full time trained SA to run the mail server slows a fair number of them 
down :-).

> 
> 2) Has anyone seen evidence of the exploit (successful or not) at their
>    site?

	On any given day argus sees scans of the entire net looking for port
25. I can't say as how I have noticed an upswing in such scans, but then since
they are blocked I can't say I've looked all that hard either (they get 
classified as unsuccessful and not shown to me).
	Ob argus plug: argus installed on your Internet link would let you 
present management with documentation of the number of scumbags attempting to
do any of a variety of bad things (including subvert sendmail) to your net :-)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
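The kind of management-facing evidence the post describes (counting outside hosts that sweep the net for port 25, and whether the border actually blocked them) can be pulled from flow records with a few lines of Python. This is an added example, not code from the post or from argus; the four-column record format, the state values REQ/CON and the sample addresses are constructed here and are not argus's real output.

```python
# Added example: summarise port-25 sweeps from flow records, the sort of
# evidence a flow monitor on the Internet link can give management.
# The record format (src dst dport state) is a constructed simplification,
# NOT argus's actual output: state "REQ" = SYN with no reply (blocked at the
# border), "CON" = connection completed (one of the approved mail servers).
from collections import defaultdict

# Constructed sample flows: one outside host probes four internal hosts on
# port 25 and is blocked each time; another talks to an approved server.
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 25 REQ
198.51.100.7 192.0.2.11 25 REQ
198.51.100.7 192.0.2.12 25 REQ
198.51.100.7 192.0.2.13 25 REQ
203.0.113.5 192.0.2.20 25 CON
203.0.113.5 192.0.2.20 25 CON
198.51.100.9 192.0.2.10 80 CON
"""

def parse_flows(text):
    """Parse constructed flow lines into (src, dst, dport, state) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, state = line.split()
        flows.append((src, dst, int(dport), state))
    return flows

def port25_scanners(flows, min_hosts=3):
    """Return {src: (distinct_hosts_probed, connections_completed)} for
    sources that touched port 25 on at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    completed = defaultdict(int)
    for src, dst, dport, state in flows:
        if dport != 25:
            continue
        targets[src].add(dst)
        if state == "CON":
            completed[src] += 1
    return {src: (len(dsts), completed[src])
            for src, dsts in targets.items() if len(dsts) >= min_hosts}

if __name__ == "__main__":
    for src, (n, ok) in port25_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: probed port 25 on {n} hosts, {ok} connections completed")
```

A completed count above zero for a source that swept many hosts would mean the block has a hole worth looking at.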
