Date: Fri, 21 Jul 2000 18:08:33 +0200 From: Koos van den Hout <koos@KZDOOS.XS4ALL.NL> Subject: Sendmail filter rule to stop Outlook exploit To: BUGTRAQ@SECURITYFOCUS.COM Also on http://www.cetis.hvu.nl/~koos/outlookoverflow.txt with tabs in the right places :) # # this is a filter to make sendmail reject messages with Date: headers # that are too long. This is used in the latest Outlook exploit. # # You NEED: # - a sendmail that understands regex maps. I had to specially compile this # into 8.11 ! Add to sendmail-8.11.0/devtools/Site/site.config.m4 # define(`confMAPDEF',`-DMAP_REGEX') and rebuild from scratch # # The filter simply rejects messages with a date header longer (total!) # then 60 chars # # Then add this part to your .mc file in the different areas and regenerate # your .cf file # # 2000-07-21 Originally written # # if you cut and paste this: # tabs are in use in the '^R' lines # # Koos van den Hout # http://www.cetis.hvu.nl/~koos/ # http://www.virtualbookcase.com/ # LOCAL_CONFIG Klinetoolong regex -a@MATCH ^.{60,}$ LOCAL_RULESETS HDate: $>+CheckDate SCheckDate R$* $: $(linetoolong $1 $) R@MATCHi $#error $: 553 Date Header too long error R$*i $@ OK -- Koos van den Hout, PGP keyid RSA/1024 0xCA845CB5 via keyservers koos@kzdoos.xs4all.nl or DSS/1024 0xF0D7C263 -?) Fax +31-30-2817051 Visit my site about books with reviews /\\ http://www.cetis.hvu.nl/~koos/ http://www.virtualbookcase.com/ _\_V