[unisog] sendmail vulnerability / impact
harnold at binghamton.edu
Fri Mar 7 15:49:59 GMT 2003

If you're going to block 25, what about the more secure methods of sending
mail? SSLSMTP, etc? Do you block those ports as well?

I'm interested in this as we wonder if restricting servers in the dorms
would be a good thing (for us) or if it would cause a huge problem

From: Robin Anderson [mailto:robin at umbc.edu]
Sent: Friday, March 07, 2003 9:32 AM
To: unisog at sans.org
Subject: [unisog] sendmail vulnerability / impact

In response to the most recently published sendmail vulnerability, we were
given permission to block inbound port 25 traffic at our ResNet border. To
date, we've only received one complaint about this action, but our CIO wants
us to ask other university security folks about what they have done.

So here goes:

1) Has anyone else summarily blocked port 25 traffic (in or out) for

   a) If you have NOT blocked port 25, have you had problems/incidents
      relating to the sendmail vulnerability? Do you have a generally
      laissez-faire approach to ResNet, or do you try to alert them to new
      vulnerabilities, fixes, etc?

   b) If you HAVE blocked port 25, do you have any data to support it as a
      good decision? (I know it's hard to prove a negative and that "we
      haven't been hacked, so it must be working" is sometimes the best we
      can offer.) Any complaints?

2) Has anyone seen evidence of the exploit (successful or not) at their

Basically, our CIO is considering lifting the port 25 ban if no one has seen
activity related to the sendmail hole. Even evidence of a couple
compromised systems or broad probes for the hole across multiple sites might
keep the lockdown in place. Thanks in advance!

Robin Anderson Unix SysAdmin, Specialist / Security
Office of Information Technology Univ. of MD, Baltimore County (UMBC)
PGP fingerprint: (resumbc99) 1024/5B5A87A
DA F3 7F 1E D3 75 28 9F 75 7D 6A 0C 10 8D CE 35
"Pulvis et umbra sumus." (We are but dust and shadow.) -- Horace