
Re: [fw-wiz] FWSM tagging email from myspace.com

To: "'Firewall Wizards Security Mailing List'" <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] FWSM tagging email from myspace.com
From: <lordchariot@earthlink.net>
Date: Mon, 11 Dec 2006 15:50:06 -0500
If I'm reading this right, there are '|' characters in the address. Most
firewalls will block this by default because it was an early sendmail
exploit that would pipe the input to a shell and root the box. (as I recall,
look it up)

It doesn't look legitimate to me. IMHO I'd keep it blocked.

-erik

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Simon
Bell
Sent: Monday, December 11, 2006 12:25 PM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] FWSM tagging email from myspace.com

I've noticed lately a growing number of firewall syslog msgs with critical
SMTP errors:

%FWSM-2-108002: SMTP replaced |: out 204.16.32.71 in x.x.x.x data: MAIL
FROM:<03|m|gci0emm80|42wdr4_2_h.nfrd|_|5rjd5n2hjw7.rdlsr1w@me4<006>öK+<018>ª
<007>ìÑ<003>#

At first I thought this was just typical spam that the firewall was tagging
and it wasn't a big deal. However, I started sniffing these packets and I'm
beginning to think they're legitimate emails coming from myspace.com. Is
there a configuration setting that could be applied to allow this type of
email? I realize this would then be opening me up a bit, but I'm not sure
how else to approach this problem.

Thanks in advance.

Simon

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
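
An added example, not part of either message and not Cisco code: a small Python parser for the %FWSM-2-108002 line layout quoted above, tallying events per outside host and flagging SMTP data that carries non-printable bytes, as a first triage step before deciding whether a sender is legitimate. The sample log lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Layout follows the log line quoted in the thread:
# %FWSM-2-108002: SMTP replaced <chars>: out <outside> in <inside> data: <SMTP data>
LINE_RE = re.compile(
    r"%FWSM-2-108002: SMTP replaced (?P<replaced>\S+): "
    r"out (?P<outside>\S+) in (?P<inside>\S+) data: (?P<data>.*)"
)

def parse_108002(line):
    """Parse one 108002 message; return None for any other syslog line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Split "MAIL FROM:<addr>" into the SMTP command and its argument.
    command, _, argument = m.group("data").partition(":")
    return {
        "replaced": m.group("replaced"),
        "outside": m.group("outside"),
        "inside": m.group("inside"),
        "command": command.strip().upper(),
        "pipes": argument.count("|"),
        # Bytes outside printable ASCII do not belong in an envelope address.
        "non_printable": any(not 32 <= ord(c) <= 126 for c in argument),
    }

def summarize(lines):
    """Return (events per outside host, events with non-printable data per host)."""
    per_host, binary_hosts = Counter(), Counter()
    for line in lines:
        event = parse_108002(line)
        if event is None:
            continue
        per_host[event["outside"]] += 1
        if event["non_printable"]:
            binary_hosts[event["outside"]] += 1
    return per_host, binary_hosts

# Constructed sample lines (documentation address ranges, made-up senders).
SAMPLE = [
    "Dec 11 12:01:02 fw %FWSM-2-108002: SMTP replaced |: out 192.0.2.10 in 198.51.100.5 data: MAIL FROM:<a|b|c@example\x06\x12.test>",
    "Dec 11 12:01:09 fw %FWSM-2-108002: SMTP replaced |: out 192.0.2.10 in 198.51.100.5 data: MAIL FROM:<x|y@example.test>",
    "Dec 11 12:02:00 fw unrelated syslog line (constructed)",
    "Dec 11 12:03:30 fw %FWSM-2-108002: SMTP replaced |: out 203.0.113.7 in 198.51.100.5 data: RCPT TO:<u|v@example.test>",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
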