Re: Yet another sendmail exploit

From           djb@koobera.math.uic.edu (D. J. Bernstein)
Organization   IR
Date           26 Nov 1996 19:14:22 GMT
Newsgroups     comp.security.unix,comp.mail.misc
Message-ID     <1996Nov2619.14.22.1248@koobera.math.uic.edu>
References     1 2 3 4

Trever Miller <bug@cyberdex.cuug.ab.ca> wrote:
> You mean 50%, right?

That's a matter of interpretation. It's not unreasonable to exclude
connection failures from the tally; this weights servers by (late night)
reachability.

Anyway, I've done a second survey. Here are the results.

The InterNIC zone files contain 842937 different domains, counting both
the 2LDs and the glue, as of mid-November 1996.

I did an MX (falling back to A) lookup for each domain, obtaining 134601
different IP addresses. I excluded 0.*, 10.*, and 127.*. I did not retry
apparent soft failures. Note that these 134601 addresses do not entirely
include the 48419 IP addresses listed in the InterNIC zone files.

I tried connecting to port 25 at each address.

28043 connection attempts did not produce a greeting message:

   10158 timed out
   9044 connection refused
   4930 host unreachable
   3500 network unreachable
   404 immediate disconnect
   4 operation not supported
   1 connection reset
   1 protocol not available
   1 machine not on network

106558 produced a greeting message. Most hosts responded to HELP. I have
a script to guess what server is running; here are the results:

   69146 Sendmail
   5366 not sure
   5075 Post.Office
   4575 NT Mail
   2982 MS Exchange
   2457 Netscape Mail Server
   2188 AIMS
   1912 smap
   1361 SLmail
   1323 Smail 3.1
   1230 IMS SMTP Receiver
   1220 IMail
   720 MMDF
   665 Zmailer
   650 EMWAC SMTP Receiver
   638 ``The normal sequence of events in sending a message'' (?)
   615 GroupWise
   516 PMDF
   503 MetaInfo Sendmail
   404 Lotus SMTP MTA
   366 Connect2-SMTP
   357 Worldgroup SMTP server
   315 Generic SMTP Handler (Raptor firewall)
   294 TGV/MultiNet
   225 qmail
   218 ``Simple Mail Transfer Service Ready'' (?)
   180 VMS MX
   173 AltaVista Mail
   118 PP
   112 MailSite SMTP Receiver
   105 IBM VM SMTP
   96 UCX
   91 ``Help ... Not recognized'' (?)
   82 SMTPXD
   71 MailShare
   67 SMTP-OpenVMS
   44 NASTA Gate
   41 Exim
   24 CommuniGate SMTPGate
   21 ListSTAR
   12 Pony Express

Here's how the guesses work:

   /Microsoft Exchange Internet Mail Connector/ { ++exchange; next }
   /NT Server running Internet Shopper/ { ++ntmail; next }
   /Simple Mail Transfer Service Ready/ { ++smtsrfoo; next }
   /send comments to qmail@pobox.com/ { ++qmail; next }
   /CommuniGate SMTPGate is ready/ { ++communigate; next }
   /Apple Internet Mail Server/ { ++aims; next }
   /post.office E-mail system/ { ++postoffice; next }
   /TGV.MultiNet SMTP server/ { ++tgv; next }
   /MailSite SMTP Receiver/ { ++mailsite; next }
   /Worldgroup SMTP server/ { ++worldgroup; next }
   /Generic SMTP handler/ { ++raptor; next }
   /Netscape Mail Server/ { ++netscape; next }
   /EMWAC SMTP Receiver/ { ++emwac; next }
   /GroupWise SMTP.MIME/ { ++groupwise; next }
   /MetaInfo Sendmail/ { ++metainfo; next }
   /IMS SMTP Receiver/ { ++ims; next }
   /running MailShare/ { ++mailshare; next }
   /ListSTAR Package/ { ++liststar; next }
   /TGV MultiNet V/ { ++tgv; next }
   /AltaVista Mail/ { ++avmail; next }
   /Lotus SMTP MTA/ { ++lotus; next }
   /MX V.\..-. VAX/ { ++vmsmx; next }
   /post.office v/ { ++postoffice; next }
   /Connect2-SMTP/ { ++connect2; next }
   /MX V.\.. VAX/ { ++vmsmx; next }
   /MX V.\.. AXP/ { ++vmsmx; next }
   /Zachariassen/ { ++zmailer; next }
   /Pony Express/ { ++pony; next}
   /SMTP.OpenVMS/ { ++openvms; next }
   /IBM VM SMTP/ { ++ibmvm; next }
   /NASTA Gate/ { ++nasta; next }
   /SMTP.smap/ { ++smap; next }
   /Smail3.1/ { ++smail31; next }
   /SLmail95/ { ++slmail; next }
   /SLmailNT/ { ++slmail; next }
   /SLMAILNT/ { ++slmail; next }
   /Sendmail/ { ++sendmail; next }
   /PMDF V/ { ++pmdf; next }
   /SMTPXD/ { ++smtpxd; next }
   /IMail/ { ++imail; next }
   /Exim/ { ++exim; next }
   /UCX / { ++ucx; next }
   /The normal sequence of events in sending a message/ { ++normalfoo; next }
   /[pP][pP].*Pleased to meet you/ { ++pp; next }
   /Help \.\.\. Not recognized/ { ++helpfoo; next }
   /For more info use .HELP/ { ++sendmail; next }
   /unimplemented..#5.5.1/ { ++qmail; next }
   /Complaints.bugs to/ { ++mmdf; next }

The average time to handle one address was under 8 seconds; not counting
initial connection timeouts, 3.78 seconds. I used a concurrency of 250.
I expect my next survey, using the NW list of 13 million hosts, to run a
bit more slowly.

---Dan
Sick of sendmail? Don't get mad; get qmail. http://pobox.com/~djb/qmail.html