McAfee 'Rumor Technology' bug turns servers into hijacked spam proxies.

Discussion in 'other security issues & news' started by Baserk, Jan 18, 2012.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Apparently a new feature from McAfee SaaS Endpoint Protection, called 'Rumor Technology', is being abused atm to turn small business computers into spam proxies.

    'Rumor Technology' is used for updating McAfee 'SEP' on computers in a local network without an internet connection; 'Internet Independent Updating (IIU) allows non-Internet connected computers to use SaaS Endpoint Protection by using McAfee Rumor2 Technology.' link
    It turns out that f.i. a SBS 2003/2008 server that does have an internet connection and has McAfee SEP installed can be abused as a proxy for sending spam.
    Several users have complained that due to this bug, their IP has been blacklisted because they are now seen as email spammers.

    Some McAfee 'SEP' user complaints at technet.microsoft.com/Forums link (according to the last post in this thread, McAfee will issue a patch during next week).
    And some other reports on this nasty bug; link and link

    edit; CNET article link.
     
    Last edited: Jan 18, 2012
  2. DctrRoss

    DctrRoss Registered Member

    Joined:
    Jan 18, 2012
    Posts:
    1
    Location:
    US
    We had this occur on one of my client's mailservers. It took me by surprise once I figured out it was the McAfee service that was slamming port 25 on the machine and not the mail server. It took McAfee almost a week to get back to us and confirm that it was their service that was putting the mailserver's IP on the RBLs.

    Here is the response from them.

    McAfee Engineering Team has determined that apparently hackers are scanning for machines on the internet with port 6515 open and are using rumor to allow them to spoof emails.

    Engineering will create a patch as quickly as possible which will prevent port 6515 from responding to external contacts. In the meantime we suggest you to either install an external firewall on the network that handles NAT or disable McAfee Peer Distribution Service permanently from services.msc to stop this issue temporarily.
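
An added triage example, not part of the thread or of McAfee's guidance: it reads `netstat -ano` output from an affected server and reports whether port 6515 is listening on all interfaces, which non-local peers are connected to it, and which processes other than the mail server hold outbound port 25 connections. The sample output, PIDs, addresses and the `mail_pids` parameter are constructed assumptions; only IPv4 rows are parsed.

```python
import ipaddress
import re

# Constructed `netstat -ano` output for illustration (documentation-range peers).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:6515      192.168.1.23:49210     ESTABLISHED     2312
  TCP    192.168.1.10:6515      203.0.113.77:51514     ESTABLISHED     2312
  TCP    192.168.1.10:50112     198.51.100.25:25       ESTABLISHED     2312
  TCP    192.168.1.10:50113     198.51.100.26:25       SYN_SENT        2312
  TCP    192.168.1.10:50200     198.51.100.40:25       ESTABLISHED     1840
"""

RUMOR_PORT = 6515  # port named in the McAfee response quoted in the thread
SMTP_PORT = 25
ADDR = r"(\d+(?:\.\d+){3}):(\d+)"  # IPv4 address:port; IPv6 rows are skipped
ROW = re.compile(r"^\s*TCP\s+" + ADDR + r"\s+" + ADDR + r"\s+(\S+)\s+(\d+)\s*$")
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    """True when the peer is outside the private, loopback and link-local ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)

def triage(netstat_text, mail_pids=()):
    """mail_pids: PIDs of the legitimate mail server (hypothetical parameter)."""
    findings = {"listens_all_interfaces": [], "external_rumor_peers": [], "unexpected_smtp": []}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, IPv6 or malformed row
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING":
            if lport == RUMOR_PORT and laddr == "0.0.0.0":
                findings["listens_all_interfaces"].append(pid)
        elif lport == RUMOR_PORT and is_external(raddr):
            findings["external_rumor_peers"].append((raddr, pid))
        elif rport == SMTP_PORT and pid not in mail_pids:
            findings["unexpected_smtp"].append((raddr, pid))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, mail_pids={1840}))
```

On the server itself, `tasklist /svc` maps a reported PID to the Windows service that owns it.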
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    http://news.cnet.com/8301-27080_3-57361542-245/mcafee-to-plug-spammer-hole-this-week
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Sad news when the thing you trust to protect you is what gets you hijacked. I sense a lot of techs using this as an opportunity to convince their boss to move away from it.

    http://www.bbc.co.uk/news/technology-16627713
     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
     