echo: linuxhelp
to: Geo.
from: Randall Parker
date: 2003-09-29 19:59:26
subject: Re: sendmail root exploit.. again

From: Randall Parker 

The fact that sendmail has so many security bugs that allow it to be taken
over in the first place is pathetic. That it runs on most systems as root
is stupid since, as has posted here, it is possible to get it to
start up using some higher port number that the firewall can present
to the outside world as a lower port number.

I see a lot of ISPs running Postfix. I don't see sendmail when I look at
email headers or email bounce messages. But I do see Postfix there.

Geo. wrote:


> -----------------------
> --- Issue Specifics ---
> -----------------------
>
>  It has been reported that under certain conditions a vulnerability in
>  sendmail could allow a remote attacker to execute arbitrary code with
>  the privileges of the sendmail daemon, typically root. This affects
>  all versions of sendmail including the latest version, 8.12.9.
>
>  For more details please see:
>  http://www.cert.org/advisories/CA-2003-25.html
>  http://www.kb.cert.org/vuls/id/784980
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
>
>  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>  assigned the name CAN-2003-0694 to this issue:
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
