
Bryan Costales, Claus Assmann, George Jansen, Gregory Shapiro

"sendmail, 4th Edition"

Consider the following bogus qfl0NFMs3g016812 file for sending forged
mail (qf files are described in §11.12 on page 445):

    V8
    T829313834
    N0
    P943442
    Fs
    $_root@yourhost
    S
    RPFD:george@yourhost
    H?P?return-path:
    Hmessage-id: <200712141257.l0NFSKNK016837@yourhost>
    HFrom: root@yourhost
    HDate: Thu, 14 Dec 2007 05:47:46 -0800
    HTo: george@yourhost
    HSubject: Change your Password Now!!

This qf file causes mail to be sent to george that appears in all ways to come from
root. There is nothing in this qf file to indicate to the recipient (or to sendmail) that
the message is not authentic. Now further suppose that the df file (the message
body) contains the following text:

    The system has been compromised. Change your password NOW!
    Your new password must be:
    Fuzz7bal
    Thank you,
    --System Administration

Unfortunately, in any large organization there will be more than a few users who will
obey a message such as this. They will gladly change their password to one assigned
to them, thereby providing the attacker with easy access to their accounts.
The queue directory must be owned by and writable only by root or the user defined
by the RunAsUser option (§24.9.102 on page 1083). CERT recommends that the
queue directory always be mode 0700.
The MSP queue of V8.12 and above (typically /var/spool/clientmqueue) must be
owned by smmsp, with group smmsp, and should be mode 0770.
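
The ownership and mode rules above can be checked mechanically. The following audit script is an added example, not code from the book or from sendmail; the path /var/spool/mqueue and the function names are assumptions, and a RunAsUser name would be added to the allowed owners of the main queue.

```python
import grp
import os
import pwd
import stat

# Expected settings follow the text above. /var/spool/mqueue is an assumed
# path; add the RunAsUser name to the first owner set if that option is set.
QUEUES = [
    # (path, allowed owners, required group or None, required mode)
    ("/var/spool/mqueue", {"root"}, None, 0o700),
    ("/var/spool/clientmqueue", {"smmsp"}, "smmsp", 0o770),
]

def _name(lookup, ident, field):
    """Resolve a uid/gid to a name, falling back to the number as text."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def owner_name(uid):
    return _name(pwd.getpwuid, uid, "pw_name")

def group_name(gid):
    return _name(grp.getgrgid, gid, "gr_name")

def audit_queue(path, owners, group, mode):
    """Return a list of findings; an empty list means the directory passes."""
    try:
        st = os.lstat(path)  # lstat: a symlinked queue is itself a finding
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    findings = []
    actual = stat.S_IMODE(st.st_mode)
    if owner_name(st.st_uid) not in owners:
        findings.append(f"{path}: owner {owner_name(st.st_uid)}, want {sorted(owners)}")
    if group is not None and group_name(st.st_gid) != group:
        findings.append(f"{path}: group {group_name(st.st_gid)}, want {group}")
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, want {mode:04o}")
    if actual & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, any user can plant qf files")
    return findings

if __name__ == "__main__":
    for q in QUEUES:
        for line in audit_queue(*q) or [f"{q[0]}: ok"]:
            print(line)
```
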

