Latest M$ worm du jour, could it also be targeting sendmail?

Ryan.Oliver at Ryan.Oliver at
Thu May 22 23:53:45 PDT 2003

Greetings all,
This SHOULD go to lfs security but I haven't got access to a newsreader.

We all know about the support at virus mail going around, but
here's something interesting I've dredged up from some logs:

May 23 14:43:40 XXXX sendmail[3963]: [ID 801593] h4N4hdIi003963: from=<support at>, size=69731, class=0, nrcpts=1, msgid=<20030523044315.9D8BE2A0ABA at>, proto=ESMTP, daemon=MTA-v4, [XXX.XXX.XXX.XXX]
May 23 14:43:40 XXXX sendmail[3965]: [ID 801593 mail.alert] h4N4hdIi003963: Fixed MIME Content-Disposition header field (possible attack)
May 23 14:43:41 XXXX sendmail[3965]: [ID 801593] h4N4hdIi003963: to=<XXXXXXXX at XXXXXXX>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120597, relay=XXXXXX.XXXXXX.XXX.XX [XXX.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (Message accepted for delivery)

Interesting methinks, note the
"Fixed MIME Content-Disposition header field (possible attack)"

This security fix was included in sendmail 8.12.9 to avoid a possible
buffer overflow...

/me wonders if this latest #$%&^% worm is dual purpose, or if this is just
an artifact of the forged message.
( haven't seen anything on the net yet linking this worm with this error,
but I suppose I'm probably one of the few anal people who regularly greps
their sendmail logs... )

Guess I'll have to capture one off the wire...

More information about the lfs-dev mailing list
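
Added example, not part of the original post: the three log entries quoted above share one sendmail queue ID, so a "(possible attack)" notice can be tied back to the sender, size and recipient of the message that triggered it. The sketch below groups entries by queue ID and reports only the flagged messages; the sample log, host names and addresses are constructed placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entries quoted in the post;
# host names, addresses and the second queue ID are placeholders.
SAMPLE_LOG = """\
May 23 14:43:40 mx1 sendmail[3963]: [ID 801593 mail.info] h4N4hdIi003963: from=<support@sender.example>, size=69731, class=0, nrcpts=1, msgid=<20030523044315.9D8BE2A0ABA@sender.example>, proto=ESMTP, daemon=MTA-v4, relay=[192.0.2.10]
May 23 14:43:40 mx1 sendmail[3965]: [ID 801593 mail.alert] h4N4hdIi003963: Fixed MIME Content-Disposition header field (possible attack)
May 23 14:43:41 mx1 sendmail[3965]: [ID 801593 mail.info] h4N4hdIi003963: to=<user@rcpt.example>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120597, relay=mail.rcpt.example. [198.51.100.7], dsn=2.0.0, stat=Sent (Message accepted for delivery)
May 23 14:50:02 mx1 sendmail[4011]: [ID 801593 mail.info] h4N4o1Ii004011: from=<alice@sender.example>, size=1204, class=0, nrcpts=1, msgid=<1@sender.example>, proto=ESMTP, daemon=MTA-v4, relay=[192.0.2.11]
May 23 14:50:03 mx1 sendmail[4013]: [ID 801593 mail.info] h4N4o1Ii004011: to=<bob@rcpt.example>, delay=00:00:01, mailer=esmtp, pri=31204, dsn=2.0.0, stat=Sent (ok)
"""

# "sendmail[pid]: [ID n facility.level] <queue id>: <body>"; the [ID ...] tag is optional.
LINE = re.compile(r"sendmail\[\d+\]: (?:\[ID [^\]]*\] )?(?P<qid>\w+): (?P<body>.*)$")
# key=value pairs; values in <...> may contain commas, others end at the next comma.
FIELD = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")

def flagged_messages(log_text):
    """Return one record per queue ID that logged a '(possible attack)' notice."""
    by_qid = defaultdict(lambda: {"alerts": [], "from": None, "size": None, "to": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a sendmail queue entry
        rec, body = by_qid[m["qid"]], m["body"]
        if "(possible attack)" in body:
            rec["alerts"].append(body)
        elif body.startswith("from="):
            f = dict(FIELD.findall(body))
            rec["from"], rec["size"] = f["from"].strip("<>"), int(f["size"])
        elif body.startswith("to="):
            rec["to"].append(dict(FIELD.findall(body))["to"].strip("<>"))
    # Keep only the messages sendmail had to repair.
    return {q: r for q, r in by_qid.items() if r["alerts"]}

if __name__ == "__main__":
    for qid, r in flagged_messages(SAMPLE_LOG).items():
        print(qid, r["from"], "->", ", ".join(r["to"]), r["size"], "bytes:", r["alerts"][0])
```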