GEN:SID 1:663
Message SMTP rcpt to command attempt
Summary This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server.  This may be an attempt to exploit a problem in older versions of Sendmail.
Impact Attempted administrator access.  A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root.
Detailed Information A vulnerability exists in the debug mode of older versions of Sendmail.  Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often root.  The "sed" command is used to strip off the mail headers before executing the supplied command.  This vulnerability was exploited by the Morris worm.
Affected Systems Sendmail versions prior to 5.5.9.
Attack Scenarios An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server.
Ease of Attack Easy.  An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed.
Corrective Action Upgrade to Sendmail version 5.5.9 or higher.
Additional References Bugtraq:
http://www.securityfocus.com/bid/1

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095

Arachnids:
http://www.whitehats.com/info/IDS172

Rule References arachnids: 172
bugtraq: 1
cve: 1999-0095
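
Added example (not part of the rule or of Snort): a command-aware check for the string named in the Summary, which goes beyond a payload-wide match by reporting it only when it appears in an RCPT TO command and not inside a message body. The function name, the sample session, and the assumption that the input holds only the client-to-server lines of one SMTP session are illustrative.

```python
import re

# Content string quoted in the Summary above.
SIGNATURE = "|sed -e '1,/^$/'"
# SMTP command verbs are case-insensitive; tolerate spacing around the colon.
RCPT = re.compile(r"^\s*rcpt\s+to\s*:", re.IGNORECASE)


def scan_smtp_client_lines(lines):
    """Return (line_number, line) for each RCPT TO command carrying SIGNATURE.

    Lines between DATA and the terminating "." are message content, not
    commands, so a mail that merely quotes the string is not reported.
    """
    hits = []
    in_data = False
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":  # end-of-message marker
                in_data = False
            continue
        if line.strip().upper() == "DATA":
            in_data = True
            continue
        if RCPT.match(line) and SIGNATURE in line:
            hits.append((number, line))
    return hits


# Constructed sample session (client side only); the recipient payload is a placeholder.
SAMPLE = [
    "HELO client.example",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "Subject: old Sendmail signature",
    "",
    "The rule looks for |sed -e '1,/^$/' in a recipient.",
    ".",
    "MAIL FROM:<x@example.org>",
    "rcpt to: <\"|sed -e '1,/^$/' PLACEHOLDER\">",
    "QUIT",
]

if __name__ == "__main__":
    for number, line in scan_smtp_client_lines(SAMPLE):
        print(f"line {number}: {line}")
```

A plain substring search over the same sample matches two lines, one of them the message body; the command-aware check reports only the recipient line.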