sendmail vulnerability / impact

Robin Anderson robin at umbc.edu
Fri Mar 7 14:31:37 GMT 2003


In response to the most recently published sendmail vulnerability, we were
given permission to block inbound port 25 traffic at our ResNet border.
To date, we've only received one complaint about this action, but our CIO
wants us to ask other university security folks about what they have done.

So here goes:

1) Has anyone else summarily blocked port 25 traffic (in or out) for
   their ResNet?

  a) If you have NOT blocked port 25, have you had problems/incidents
     relating to the sendmail vulnerability?  Do you have a generally
     laissez-faire approach to ResNet, or do you try to alert them to new
     vulnerabilities, fixes, etc.?

  b) If you HAVE blocked port 25, do you have any data to support it as a
     good decision?  (I know it's hard to prove a negative and that "we
     haven't been hacked, so it must be working" is sometimes the best we
     can offer.)  Any complaints?


2) Has anyone seen evidence of the exploit (successful or not) at their
   site?

Basically, our CIO is considering lifting the port 25 ban if no one has
seen activity related to the sendmail hole.  Even evidence of a couple
compromised systems or broad probes for the hole across multiple sites
might keep the lockdown in place.  Thanks in advance!

---
Robin Anderson				Unix SysAdmin, Specialist / Security
Office of Information Technology	Univ. of MD, Baltimore County (UMBC)

PGP fingerprint: (resumbc99) 1024/5B5A87A
DA F3 7F 1E D3 75 28 9F  75 7D 6A 0C 10 8D CE 35

"Pulvis et umbra sumus." (We are but dust and shadow.)  --  Horace


