Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against SpamAssassin Long Message Header Denial of Service

Subscribe

Check Point Reference: CPAI-2005-335
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA17386
Industry Reference(s): CVE-2005-3351
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Apache Software Foundation SpamAssassin 3.0.4 and prior
Vulnerability Description
SpamAssassin is an open source spam filtering product developed using Perl. The product supports a number of filtering methods such as header fields and body phrase identification, white and black list rules. The product is also embedded in numerous commercial anti-spam products from a broad range of vendors.
Vulnerability Details
There exists a remote denial of service vulnerability in Apache SpamAssassin. The vulnerability is caused by an inefficient method used in email header parsing. An attacker can exploit the vulnerability by sending a malicious email that contains crafted headers. This can cause the affected application to terminate.
As SpamAssassin may be set up in numerous configurations, the behaviour of the affected program is dependent on the current setup.
If SpamAssassin is running as a standalone daemon, a successful attack will terminate the process creating a denial-of-service condition of the spam filtering functionality. This might affect email delivery if SpamAssassin is configured as a mandatory step in the delivery path.
When the product is set up as a standalone filter, filtering email through a Local Delivery Agent (procmail), an offensive email will be discarded. In this case, the email will not be delivered to the intended recipient nor will it be stored as an identified spam email.

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail > SMTP.
2. In the right pane, double-click the SpamAssassin Long Message Header Denial of Service protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: SpamAssassin long message header denial of service