[unisog] sendmail vulnerability / impact

H. Morrow Long morrow.long at yale.edu
Fri Mar 7 16:39:32 GMT 2003


We have a plan to block all TCP port 25 traffic into our campus network
beginning this summer.  We are just in the planning stage.  We plan to
offer MX records for any hosts/departments who insist that they need to
run their own Email servers and receive email on them.  The MX records
would provide for automatic relaying via our main campus email relays.
We already offer this as a service to departments (having mail for their
hosts/domains relayed from the Internet to them via our relays and MX).
In a very few cases we may 'punch' TCP port 25 'holes' through the block
to some servers.  We are looking at automating the request procedure for
requesting MX record and relaying and/or an exception to the port 25 block.

BTW, though security plays a part (particularly since the sendmail security
hole) the primary reason we are interested in this is to prevent more spamming
via open relays when people accidentally bring up SMTP servers.

H. Morrow Long

Robin Anderson wrote:
> In response to the most recently published sendmail vulnerability, we were
> given permission to block inbound port 25 traffic at our ResNet border.
> To date, we've only received one complaint about this action, but our CIO
> wants us to ask other university security folks about what they have done.
> 
> So here goes:
> 
> 1) Has anyone else summarily blocked port 25 traffic (in or out) for
>    their ResNet?
> 
>   a) If you have NOT blocked port 25, have you had problems/incidents
>      relating to the sendmail vulnerability?  Do you have a generally
>      laissez-faire approach to ResNet, or do you try to alert them to new
>      vulnerabilities, fixes, etc?
> 
>   b) If you HAVE blocked port 25, do you have any data to support it as a
>      good decision?  (I know it's hard to prove a negative and that "we
>      haven't been hacked, so it must be working" is sometimes the best we
>      can offer.)  Any complaints?
> 
> 
> 2) Has anyone seen evidence of the exploit (successful or not) at their
>    site?
> 
> Basically, our CIO is considering lifting the port 25 ban if no one has
> seen activity related to the sendmail hole.  Even evidence of a couple
> compromised systems or broad probes for the hole across multiple sites
> might keep the lockdown in place.  Thanks in advance!
> 
> ---
> Robin Anderson				Unix SysAdmin, Specialist / Security
> Office of Information Technology	Univ. of MD, Baltimore County (UMBC)
> 
> PGP fingerprint: (resumbc99) 1024/5B5A87A
> DA F3 7F 1E D3 75 28 9F  75 7D 6A 0C 10 8D CE 35
> 
> "Pulvis et umbra sumus." (We are but dust and shadow.)  --  Horace
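An added example, not part of either message above: before a campus-wide port 25 block like the one described, a defender wants an inventory of which non-relay hosts currently receive (or send) SMTP across the border, since those are the hosts that will need an MX record pointing at the campus relays or an explicit exception. The flow record format, the 192.0.2.0/24 campus prefix and the relay addresses are all constructed placeholders for this example.

```python
import ipaddress
from collections import Counter

# Placeholder addressing: 192.0.2.0/24 is documentation space, not a real campus.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_RELAYS = {"192.0.2.10", "192.0.2.11"}  # the sanctioned campus MX relays
SMTP_PORT = 25

# Constructed sample border flow records: "src_ip dst_ip dst_port", one per line.
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 25
198.51.100.8 192.0.2.11 25
203.0.113.5 192.0.2.42 25
203.0.113.9 192.0.2.42 25
192.0.2.42 203.0.113.77 25
203.0.113.5 192.0.2.42 80
198.51.100.20 192.0.2.77 25
192.0.2.10 203.0.113.3 25
"""

def smtp_border_inventory(flows_text, campus_net=CAMPUS_NET, relays=CAMPUS_RELAYS):
    """Return (inbound, outbound) Counters of non-relay campus hosts that
    receive or originate SMTP across the border, i.e. the hosts a block would affect."""
    inbound, outbound = Counter(), Counter()
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port != SMTP_PORT:
            continue
        src_in = ipaddress.ip_address(src) in campus_net
        dst_in = ipaddress.ip_address(dst) in campus_net
        if dst_in and not src_in and dst not in relays:
            inbound[dst] += 1    # Internet -> campus host, bypassing the relays
        elif src_in and not dst_in and src not in relays:
            outbound[src] += 1   # campus host -> Internet directly (open-relay risk)
    return inbound, outbound

def exception_candidates(inbound, min_flows=2):
    """Hosts with enough inbound SMTP to justify an MX record or a port 25 hole."""
    return sorted(h for h, n in inbound.items() if n >= min_flows)

if __name__ == "__main__":
    inb, outb = smtp_border_inventory(SAMPLE_FLOWS)
    print("inbound to non-relay hosts:", dict(inb), "outbound:", dict(outb))
    print("candidates for MX record or exception:", exception_candidates(inb))
```

Hosts in the outbound counter are the ones the post worries about: machines sending mail directly rather than through the relays, which is where an accidental open relay shows up.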