From owner-freebsd-security@FreeBSD.ORG Mon May 10 08:56:50 2004
Date: Mon, 10 May 2004 11:59:05 -0400
To: freebsd-security@freebsd.org
Message-Id: <6.0.3.0.0.20040510115614.04be3708@64.7.153.2>
From: Mike Tancsa
Subject: rate limiting sshd connections ?

Does anyone know of a way to rate limit ssh connections from an IP address?
We are starting to see more and more brute force attempts to guess simple
passwords. "/usr/sbin/inetd -wWl -C 10" is nice for slowing down attempts to
services launched via inetd. Is there an equivalent method for doing this to
sshd? Running from inetd has some issues supposedly.

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                     tel +1 519 651 3400
Sentex Communications,                           mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                        www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon May 10 09:02:06 2004
Date: Mon, 10 May 2004 13:01:59 -0300
From: Fernando Schapachnik
To: Mike Tancsa
cc: freebsd-security@freebsd.org
Message-ID: <20040510160159.GY306@bal740r0.mecon.gov.ar>
In-Reply-To: <6.0.3.0.0.20040510115614.04be3708@64.7.153.2>
Subject: Re: rate limiting sshd connections ?

Have you checked MaxStartups at the sshd_config man page?

In an earlier message, Mike Tancsa wrote:
>
> Does anyone know of a way to rate limit ssh connections from an IP address?
> We are starting to see more and more brute force attempts to guess
> simple passwords. "/usr/sbin/inetd -wWl -C 10" is nice for slowing down
> attempts to services launched via inetd. Is there an equivalent method for
> doing this to sshd? Running from inetd has some issues supposedly.
From owner-freebsd-security@FreeBSD.ORG Mon May 10 09:05:38 2004
Date: Mon, 10 May 2004 12:07:51 -0400
To: Fernando Schapachnik
Message-Id: <6.0.3.0.0.20040510120626.035ccb20@64.7.153.2>
From: Mike Tancsa
cc: freebsd-security@freebsd.org
In-Reply-To: <20040510160159.GY306@bal740r0.mecon.gov.ar>
Subject: Re: rate limiting sshd connections ?

At 12:01 PM 10/05/2004, Fernando Schapachnik wrote:
> Have you checked MaxStartups at the sshd_config man page?

Thanks, I am not sure how I missed that :( I only looked through the
daemon's docs and was searching on the key words "rate limit" via google.

        ---Mike

> In an earlier message, Mike Tancsa wrote:
> >
> > Does anyone know of a way to rate limit ssh connections from an IP address?
> > We are starting to see more and more brute force attempts to guess
> > simple passwords. "/usr/sbin/inetd -wWl -C 10" is nice for slowing down
> > attempts to services launched via inetd. Is there an equivalent method for
> > doing this to sshd? Running from inetd has some issues supposedly.
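What MaxStartups actually does is worth seeing in numbers, because it is a global early drop of unauthenticated connections, not a per-address limit: a serial guesser that opens one connection at a time never trips it. The block below is an added example written for this page, not code from the thread or from OpenSSH. It re-implements the `start:rate:full` ramp as this example's author understands sshd's `drop_connection()` (the integer arithmetic is an assumption about that function; check sshd.c for your version), uses the sshd_config(5) example value `10:30:60`, and then pushes a burst of connections through it that never authenticate, which is what a password-guessing tool looks like to the server.

```python
"""MaxStartups "start:rate:full" modelled as a random early drop.

Added example for this page, not code from the thread or from OpenSSH.
The ramp follows sshd's drop_connection() as the author of this example
understands it (an assumption; check sshd.c for your version).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # no drops while fewer than this many connections are unauthenticated
    rate: int   # drop probability in percent once `start` is reached
    full: int   # every new attempt is refused once this many are pending

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse the sshd_config syntax: a bare count ("10") or "10:30:60"."""
        parts = [int(p) for p in value.split(":")]
        if len(parts) == 1:
            # A bare count is a hard limit: refuse everything once `start` are pending.
            return cls(start=parts[0], rate=100, full=parts[0])
        if len(parts) != 3:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        start, rate, full = parts
        if not 0 < start <= full or not 0 <= rate <= 100:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, pending: int) -> int:
        """Percent chance that a new connection is refused while `pending`
        connections are still waiting to authenticate."""
        if pending < self.start:
            return 0
        if pending >= self.full or self.rate == 100:
            return 100
        # Linear ramp from `rate` at `start` to 100 at `full`, integer maths.
        p = (100 - self.rate) * (pending - self.start) // (self.full - self.start)
        return p + self.rate

    def should_drop(self, pending: int, rng: random.Random) -> bool:
        return rng.randrange(100) < self.drop_probability(pending)


def simulate_burst(policy: MaxStartups, attempts: int, seed: int = 1) -> tuple:
    """Push `attempts` connections through `policy` while none of them ever
    authenticates, so every accepted one stays pending.
    Returns (accepted, refused)."""
    rng = random.Random(seed)
    pending = refused = 0
    for _ in range(attempts):
        if policy.should_drop(pending, rng):
            refused += 1
        else:
            pending += 1
    return pending, refused


if __name__ == "__main__":
    for value in ("10", "10:30:60"):
        policy = MaxStartups.parse(value)
        curve = {n: policy.drop_probability(n) for n in (5, 10, 35, 59, 60)}
        print(f"MaxStartups {value}: drop probability by pending count {curve}, "
              f"burst of 200 -> accepted/refused {simulate_burst(policy, 200)}")
```

With `10:30:60` the drop chance is 0 below ten pending connections, 30% at ten, 65% at thirty-five and 100% at sixty, so a parallel guesser is throttled while a legitimate user still gets in most of the time; the bare form `MaxStartups 10` simply refuses everyone once ten connections are pending, which is what makes it a denial-of-service lever rather than a brute-force control.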
From owner-freebsd-security@FreeBSD.ORG Mon May 10 09:16:53 2004
From: Mark Johnston
To: freebsd-security@freebsd.org
Date: Mon, 10 May 2004 11:17:32 -0500
In-Reply-To: <6.0.3.0.0.20040510115614.04be3708@64.7.153.2>
Message-Id: <200405101117.32934.mjohnston@skyweb.ca>
Subject: Re: rate limiting sshd connections ?

Mike Tancsa wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?

I haven't used it myself, but ipfw (not sure whether it's ipfw2-only) has a
limit directive:

    limit {src-addr | src-port | dst-addr | dst-port} N
        The firewall will only allow N connections with the same set of
        parameters as specified in the rule. One or more of source and
        destination addresses and ports can be specified.

If you're getting lots of connects in parallel, that should improve things.

Here's another thought, using dummynet:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to me 22 setup

1 kbit is 128 bytes/sec, which is roughly 2-3 average SYN packets per second.
More than enough for a regular host, but fairly limiting against a flood.

You can also implement this at the border:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff dst-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to (LAN) 22 setup

(Dropping the dst-ip mask here would limit SYNs from any given IP to your
whole LAN.)

These aren't tested, but they may give you some ideas.
Mark
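Whichever enforcement point is chosen (inetd's `-C`, the ipfw `limit` rule or a dummynet pipe), the policy underneath is a per-source-address counter over a time window, and it is worth checking that policy against real log lines before wiring it into the firewall. The block below is an added example written for this page, not code from the thread or from FreeBSD: it parses constructed sshd syslog lines (the host name `gw` and every address are made up), keeps a sliding window per client address in the spirit of `inetd -C 10` (N attempts per source per minute), and reports the first attempt from each address that went over the limit. It also shows the limitation of any such limit: the slow guesser in the sample, one attempt every fifteen seconds, never trips it.

```python
"""Per-source-address sliding-window limit for sshd connection attempts.

Added example for this page, not code from the thread or from FreeBSD.
The log lines below are constructed; host "gw" and all addresses are
made up (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's syslog lines as FreeBSD writes them: "<mon> <day> <time> <host> sshd[pid]: <msg>".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted (?:password|publickey)|"
    r"Illegal user|Invalid user|Did not receive identification string)"
    r".*?\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_line(line: str, year: int):
    """Return (timestamp, client_ip, event), or None for lines we do not care
    about.  syslog omits the year, so the caller supplies it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["ip"], m["event"]


class SourceRateLimiter:
    """At most `max_attempts` attempts per client address in any window of
    `window_seconds`: the policy behind "inetd -C N"."""

    def __init__(self, max_attempts: int, window_seconds: int):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def check(self, ip: str, when: datetime) -> bool:
        """Record one attempt from `ip` at `when`.  True while the address is
        within the limit, False once it should be refused."""
        q = self._hits[ip]
        while q and when - q[0] >= self.window:
            q.popleft()  # expire attempts older than the window
        q.append(when)
        return len(q) <= self.max_attempts


def first_offenders(lines, max_attempts=10, window_seconds=60, year=2004):
    """Map each client address that exceeded the limit to the time of the
    first attempt that did so.  Events are sorted by timestamp so a log
    merged from several syslog sources is handled correctly."""
    events = sorted(filter(None, (parse_line(l, year) for l in lines)), key=lambda e: e[0])
    limiter = SourceRateLimiter(max_attempts, window_seconds)
    offenders = {}
    for when, ip, _event in events:
        if not limiter.check(ip, when) and ip not in offenders:
            offenders[ip] = when
    return offenders


# Constructed sample log: a fast guesser, a legitimate login and a slow guesser.
_BASE = datetime(2004, 5, 10, 11, 40, 0)


def _entry(offset_s: int, pid: int, msg: str) -> str:
    return f"{_BASE + timedelta(seconds=offset_s):%b %d %H:%M:%S} gw sshd[{pid}]: {msg}"


SAMPLE_LOG = (
    # 12 guesses in 33 seconds from one address.
    [_entry(3 * i, 900 + i, f"Failed password for illegal user admin from 198.51.100.23 port {40000 + i} ssh2")
     for i in range(12)]
    # A real user mistypes once, then logs in with a key.
    + [_entry(5, 950, "Failed password for mike from 203.0.113.5 port 51022 ssh2"),
       _entry(12, 950, "Accepted publickey for mike from 203.0.113.5 port 51022 ssh2")]
    # One guess every 15 seconds for five minutes: never more than 4 per minute.
    + [_entry(15 * i, 1000 + i, f"Failed password for root from 192.0.2.77 port {42000 + i} ssh2")
       for i in range(20)]
)


if __name__ == "__main__":
    for ip, when in first_offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded 10 attempts/minute at {when:%H:%M:%S}")
```

Run as a script it names only 198.51.100.23; tightening the limit to three per minute also catches the slow guesser at its fourth attempt, while the user who mistyped once is never touched. Whatever numbers you settle on here are the ones to carry into `inetd -C`, the `limit src-addr N` rule or the pipe's bandwidth.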
From owner-freebsd-security@FreeBSD.ORG Mon May 10 12:26:10 2004
Date: Mon, 10 May 2004 12:26:10 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Message-Id: <20040510192610.0F5442C6AB@mx5.roble.com>
In-Reply-To: <20040510190058.3DC2E16A4F3@hub.freebsd.org>
Subject: Re: rate limiting sshd connections ?

Mike Tancsa wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?

We've used inetd for this for several years. Works great. Aside from having
more connection limiting features, inetd is also easier to configure on
non-standard ports, uses less memory (1K vs 5K), and has a simpler (and by
extension more secure) code base.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue May 11 10:47:44 2004
From: "slimmy baddog"
To: freebsd-security@freebsd.org
Date: Tue, 11 May 2004 17:47:43 +0000
Subject: Re: rate limiting sshd connections ?

I would strongly suggest that you don't use inetd for running services but
run all your services as daemons, which is much faster for the system and
safer. I've seen somewhere, I think, a command for limiting that, but I am
not sure ... If I find the command I'll tell you!

Take care ;)

From owner-freebsd-security@FreeBSD.ORG Tue May 11 13:27:08 2004
Date: Tue, 11 May 2004 13:27:07 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Message-Id: <20040511202707.C40492C6A0@mx5.roble.com>
In-Reply-To: <20040511190058.A8FC516A4DB@hub.freebsd.org>
Subject: Re: rate limiting sshd connections ?

Roger Marquis wrote:
> Aside from having more connection limiting features inetd is also
> easier to configure on non-standard ports, uses less memory (1K vs
> 5K), and has a simpler (and by extension more secure) code base.
>
"slimmy baddog" wrote:
> I would strongly suggest that you don't use inetd for running services but
> run all your services as daemons, which is much faster for the system
> and safer.

That used to be the recommendation, back when 50MHz CPUs were the norm.
With 1 GHz and faster CPUs the difference between sshd and inetd starting a
child sshd is in the millisecond range, i.e., impossible to distinguish by
look and feel.

As to security, I think both code bases have had about the same degree of
peer review. The smaller size of the inetd code base is what makes it more
secure.
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue May 11 13:37:15 2004
In-Reply-To: <20040511202707.C40492C6A0@mx5.roble.com>
From: Patrick Proniewski
Date: Tue, 11 May 2004 22:37:06 +0200
To: Roger Marquis
cc: freebsd-security@freebsd.org
Subject: Re: rate limiting sshd connections ?

On 11 May 2004, at 22:27, Roger Marquis wrote:
> "slimmy baddog" wrote:
>> I would strongly suggest that you don't use inetd for running services
>> but run all your services as daemons, which is much faster for the
>> system and safer.
>
> That used to be the recommendation, back when 50MHz CPUs were the
> norm. With 1 GHz and faster CPUs the difference between sshd and
> inetd starting a child sshd is in the millisecond range, i.e., impossible
> to distinguish by look and feel.

In fact, I've seen an Apple XServe (two G4 1GHz processors) running
MacOS X Server being DOSed by a remote Nagios probe testing its sshd once
per minute. On OSX, sshd runs from xinetd. The box used to need a hard
reboot once a day until the problem was identified and the Nagios probe
was disabled.

my 2 cents.
patpro
-- 
Looking for a Mac/UNIX sysadmin position (or a young, pretty, rich woman)
http://patpro.net/cv.php

From owner-freebsd-security@FreeBSD.ORG Tue May 11 14:33:00 2004
Date: Tue, 11 May 2004 14:32:57 -0700 (PDT)
From: Jason Stone
To: freebsd-security@freebsd.org
In-Reply-To: <20040511202707.C40492C6A0@mx5.roble.com>
Message-ID: <20040511141522.W45935@walter>
Subject: Re: rate limiting sshd connections ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Aside from having more connection limiting features inetd is also
> > easier to configure on non-standard ports, uses less memory (1K vs
> > 5K), and has a simpler (and by extension more secure) code base.
>
> As to security I think both code bases have had about the same degree of
> peer review. The smaller size of the inetd code base is what makes it
> more secure.

1) How does this interact with privilege separation? As far as I
understand it, privilege separation implies that no raw data from the
network will ever be touched by a root-running process. I don't expect
that inetd can say the same.

2) If you really are looking for a very simple/secure network listener,
tcpserver from the ucspi-tcp package is going to fit that bill _way_ more
than inetd. And tcpserver also provides rate-limiting, use of arbitrary
ports, an even smaller memory footprint, as well as features that inetd
doesn't have (like setting environment variables based on remote address).

 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the
 suspicion that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFAoUaLswXMWWtptckRAkBeAKDfVrZE5ezanuxyqVmdANVCLJ73swCfTPXv
5sqmuZRai9vd3nsfNqQskN8=
=76iI
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 11 19:26:08 2004
Date: Wed, 12 May 2004 11:56:07 +0930
From: Tim Aslat
To: freebsd security list
Message-Id: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
Subject: quick FW question

I hope this isn't too off topic, but I'd like a quick solution to a problem.

I have a small network behind a NAT firewall (FreeBSD of course) and I'd like
to block/redirect all traffic from the internal network to the local mail
server (same box as firewall) in order to prevent direct smtp requests to the
outside world (mainly virus/trojan programs).

I think I have it right in this rule, but I would prefer to get a second, or
even a third opinion.
ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Cheers

Tim

-- 
Tim Aslat
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479

From owner-freebsd-security@FreeBSD.ORG Tue May 11 20:06:52 2004
Date: Tue, 11 May 2004 22:06:48 -0500
From: D J Hawkey Jr
To: Tim Aslat
cc: freebsd security list
Message-ID: <20040512030648.GA2102@sheol.localdomain>
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
Subject: Re: quick FW question

On May 12, at 11:56 AM, Tim Aslat wrote:
>
> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).

Set up the mail server as the hub for your internal network, and have the
workstations forward mail to it. If you're running sendmail on the
workstations, put this in their .mc file:

    define(`SMART_HOST', `smtp:mailhub.privatedomain')

And rebuild their sendmail.cf (I use the same .mc file for all U**X boxen on
my network, except for the mail hub). Basically, just point all internal
boxen's mailers to the hub.

My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster, and I
define MASQUERADE_AS to be my ISP's domain (I use the feature
masquerade_envelope, too). You might not be able to do this, of course; it'll
depend on your connectivity.

You'll need an MX record set up for the mail hub in your DNS.

> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Given the above approach, the only thing I have in my firewall for SMTP is a
rule for stateful outbound on ports 25 and 995 (I use SSL-enabled POP3 to
download incoming mail from my ISP's mail cluster).

Hope this helps,
Dave

-- 
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Tue May 11 20:41:11 2004
Date: Wed, 12 May 2004 13:11:10 +0930
From: Tim Aslat
To: freebsd security list
Message-Id: <20040512131110.65e9ab02@bofh.spyderweb.com.au>
In-Reply-To: <20040512030648.GA2102@sheol.localdomain>
Subject: Re: quick FW question

In the immortal words of D J Hawkey Jr ...

> Set up the mail server as the hub for your internal network, and have
> the workstations forward mail to it. If you're running sendmail on the
> workstations, put this in their .mc file:
>
>     define(`SMART_HOST', `smtp:mailhub.privatedomain')
>
> And rebuild their sendmail.cf (I use the same .mc file for all U**X
> boxen on my network, except for the mail hub). Basically, just point
> all internal boxen's mailers to the hub.

I'm using Exim, and I already have this part working (smart host).

> My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster,
> and I define MASQUERADE_AS to be my ISP's domain (I use the feature
> masquerade_envelope, too). You might not be able to do this, of
> course, it'll depend on your connectivity.

Not really required for this particular setup.

> You'll need an MX record set up for the mail hub in your DNS.

Got one :)

> Given the above approach, the only thing I have in my firewall for
> SMTP is a rule for stateful outbound on ports 25 and 995 (I use SSL-
> enabled POP3 to download incoming mail from my ISP's mail cluster).

Hmmm, that doesn't really solve my problem, but it's useful to have in the
archives anyhow.
What I want to do is grab any outgoing packets bound for port 25 and
redirect them back to the local mailserver, which has spam/virus filtering.
This should eliminate problems of viruses/trojans which use their own
internal smtp servers to propagate themselves coming from this network.

The reason for this approach is the domain in question being RBL'd a couple
of days ago after one of the machines in this network had a virus (actually
a couple of thousand of various types).

Cheers

Tim

-- 
Tim Aslat
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479

From owner-freebsd-security@FreeBSD.ORG Tue May 11 21:00:24 2004
Date: Tue, 11 May 2004 23:00:20 -0500 (CDT)
From: William Michael Grim
To: Tim Aslat
cc: freebsd security list
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
Subject: Re: quick FW question

Hello!

If you would like to properly forward traffic to your mail server THROUGH
the firewall, you need to have your firewall do it through NAT. By doing it
through NAT (natd), it will change the IP headers for you so the traffic
travels correctly. It took me a while to figure this out when trying to
forward ssh and httpd to an internal machine.

Set up your rc.conf like this:

    natd_enable="YES"
    natd_flags="-f /etc/natd.conf"

In my natd.conf, I have a setup like this (you will need to change the
redirect lines though):

    # Useful for trying not to break RFCs.
    use_sockets
    same_ports

    # My public interface
    interface dc0

    # Use this since the public interface is set by DHCP.
    dynamic

    unregistered_only
    log_ipfw_denied

    redirect_port tcp 192.168.0.101:23 23
    redirect_port tcp 192.168.0.101:8080 8080
    #redirect_port tcp 192.168.0.101:389 389
    #redirect_port tcp 192.168.0.101:636 636

William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix Network Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: wgrim@siue.edu

On Wed, 12 May 2004, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).
>
> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25
>
> Cheers
>
> Tim
>
> --
> Tim Aslat
> Spyderweb Consulting
> http://www.spyderweb.com.au
> Phone: +61 0401088479
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Tue May 11 21:08:20 2004
Date: Tue, 11 May 2004 21:08:19 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
References: <20040511190058.A8FC516A4DB@hub.freebsd.org>
Message-Id: <20040512040819.024F92C6A0@mx5.roble.com>
Subject: Re: rate limiting sshd connections ?

>in fact, I've seen an Apple XServe (two G4 1GHz processors) running
>MacOS X Server being DOSed by a remote Nagios probe testing its
>sshd once per minute.

Once per minute? That's extremely unusual. Do you mean once per second? I've got a Via M9000 that runs at 1GHz and has inetds listening on several IPs that doesn't slow down with multiple simultaneous nmaps.

>On OSX, sshd runs from xinetd.

Sounds like a configuration issue.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue May 11 21:27:08 2004
Date: Wed, 12 May 2004 13:57:08 +0930
From: Tim Aslat
To: freebsd-security@freebsd.org
Message-Id: <20040512135708.219d1a5e@bofh.spyderweb.com.au>
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
Subject: Re: quick FW question [SOLVED]

Problem solved. Here's the answer (for the archives)

# block all SMTP traffic from inside to out while letting the server
# through
ipfw add allow tcp from any to me 25
ipfw add allow tcp from me to any 25
ipfw add deny tcp from any to any dst-port 25

This prevents any host within the network from sending directly to an SMTP server outside the network.

Thanks to "D J Hawkey Jr " for helping me out with this.
Cheers

Tim

-- 
Tim Aslat
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479

From owner-freebsd-security@FreeBSD.ORG Tue May 11 21:29:45 2004
Date: Wed, 12 May 2004 13:59:47 +0930
From: Tim Aslat
To: freebsd-security@freebsd.org
Message-Id: <20040512135947.5160b7ad@bofh.spyderweb.com.au>
In-Reply-To: <20040512135708.219d1a5e@bofh.spyderweb.com.au>
Subject: Re: quick FW question [SOLVED]

In the immortal words of Tim Aslat ...

> Thanks to "D J Hawkey Jr " for helping
> me out with this.

Sorry (this is getting to be a bad habit, replying to my own posts)

Sorry, it wasn't D J Hawkey Jr, it was "David Atkinson ", my mistake, that's what you get for posting in a hurry

Cheers

Tim

-- 
Tim Aslat
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479

From owner-freebsd-security@FreeBSD.ORG Wed May 12 00:41:13 2004
In-Reply-To: <20040512040819.024F92C6A0@mx5.roble.com>
References: <20040511190058.A8FC516A4DB@hub.freebsd.org> <20040511202707.C40492C6A0@mx5.roble.com> <20040512040819.024F92C6A0@mx5.roble.com>
From: Patrick Proniewski
Date: Wed, 12 May 2004 09:41:06 +0200
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: rate limiting sshd connections ?

On 12 May 2004, at 06:08, Roger Marquis wrote:

>> in fact, I've seen an Apple XServe (two G4 1GHz processors) running
>> MacOS X Server being DOSed by a remote Nagios probe testing its
>> sshd once per minute.
>
> Once per minute? That's extremely unusual. Do you mean once per
> second?

yes, once per minute, but the box is pretty loaded on the apache front

>> On OSX, sshd runs from xinetd.
>
> Sounds like a configuration issue.

like many things on OSXS (for example bind running as root and not chrooted...)

patpro

-- 
I'm looking for a Mac/UNIX sysadmin position (or a young, pretty and rich woman)
http://patpro.net/cv.php

From owner-freebsd-security@FreeBSD.ORG Wed May 12 17:59:58 2004
Message-ID: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net>
Date: Thu, 13 May 2004 03:00:12 +0200 (CEST)
From: "Jesper Wallin"
To: freebsd-security@freebsd.org
Reply-To: z3l3zt@hackunite.net
Subject: How do fix a good solution against spam..

Heya folks

First of all, sorry if this isn't the correct list, but yet, I think spam is a kind of network attack and should be treated as a security issue.. I run a working mail server using Postfix, MySQL, Courier-IMAP, SpamAssassin and ClamAV (amavisd-new) ..

I've checked the configuration file for SpamAssassin, but yet I haven't found any good solution for spam.. Sure, spam will always be a problem and I guess it's impossible to filter 100% of all spam..

Currently, I've made a filter in my mail client which moves all mails with a header containing "Spam-Level: ***" to a "spam" directory.. The last 2 months, spam and spam only has been triggered/filtered.. so I think it's quite useful.. yet, it does send the mail.. if it's triggered as spam, why does it even send it to the mailbox instead of just blocking it? I assume that's because of a bad configuration made by myself..

Also, a lot of mail which is spam is not triggered as spam, is it possible to improve spamassassin to filter more mails? Like, the way an antivirus program works (has ids for each virus), does spamassassin have any "spam ids" or something similar to make it filter new mails?

Once again, sorry if this mail has been sent to the wrong list, and sorry for asking a lot of questions which might already be documented.
Regards,
Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Wed May 12 19:02:35 2004
Date: Thu, 13 May 2004 04:02:22 +0200
From: Martin Jessa
To: z3l3zt@hackunite.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Message-Id: <20040513040222.2b80e76e.freebsd@yazzy.org>
In-Reply-To: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net>
Subject: Re: How do fix a good solution against spam..

Hi.

To begin with, this email should rather go to the ISP list.

My advice is to run Exim on your email gateway. I've tested and run postfix, messagewall, qmail+qmailscanner, mailscanner and exim is just the best stuff ever. Not only is it way faster than perl based messagewall, amavisd and mailscanner etc but it also has neat stuff like making connections back to the sender's MX checking for validity of the sender's email. Since most of the spam is sent with a forged reply-to address this is one heck of an anti-spam solution.

Additionally you should use RBLs to check your emails, and regular expressions to filter out certain attachment types.

Spamassassin can use Bayesian classification to help you perform scanning more efficiently. Search for razor in the ports too. There are many howtos around about that.

I personally run Exim on my email router/gw and postfix on my "real" email server.

Cheers,
YazzY

On Thu, 13 May 2004 03:00:12 +0200 (CEST)
"Jesper Wallin" wrote:

> Heya folks
>
> First of all, sorry if this isn't the correct list, but yet, I think spam is a kind of
> network attack and should be treated as a security issue..
> I run a working mail server
> using Postfix, MySQL, Courier-IMAP, SpamAssassin and ClamAV (amavisd-new) ..
>
> I've checked the configuration file for SpamAssassin, but yet I haven't found any good
> solution for spam.. Sure, spam will always be a problem and I guess it's impossible to
> filter 100% of all spam..
>
> Currently, I've made a filter in my mail client which moves all mails with a header
> containing "Spam-Level: ***" to a "spam" directory.. The last 2 months, spam and spam
> only has been triggered/filtered.. so I think it's quite useful.. yet, it does send the
> mail.. if it's triggered as spam, why does it even send it to the mailbox instead of just
> blocking it? I assume that's because of a bad configuration made by myself..
>
> Also, a lot of mail which is spam is not triggered as spam, is it possible to improve
> spamassassin to filter more mails? Like, the way an antivirus program works (has ids
> for each virus), does spamassassin have any "spam ids" or something similar to make it
> filter new mails?
>
> Once again, sorry if this mail has been sent to the wrong list, and sorry for asking
> a lot of questions which might already be documented.
>
>
> Regards,
> Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Wed May 12 20:06:27 2004
Message-Id: <5.1.0.14.0.20040512230320.057426d0@pop.blacksburg.net>
Date: Wed, 12 May 2004 23:06:23 -0400
To: z3l3zt@hackunite.net, freebsd-security@freebsd.org
From: Lyle Evans
In-Reply-To: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net>
Subject: Re: How do fix a good solution against spam..

At 09:00 PM 05/12/04, Jesper Wallin wrote:

>Heya folks
>
>First of all, sorry if this isn't the correct list, but yet, I think spam
>is a kind of network attack and should be treated as a security issue..

A much better place to ask would be the spamassassin mailing list. Send mail to spamassassin-users-subscribe at incubator.apache.org to subscribe

>I run a working mail server using Postfix, MySQL, Courier-IMAP,
>SpamAssassin and ClamAV (amavisd-new) ..
>
>I've checked the configuration file for SpamAssassin, but yet I haven't
>found any good solution for spam.. Sure, spam will always be a problem
>and I guess it's impossible to filter 100% of all spam..
>
>Currently, I've made a filter in my mail client which moves all mails with
>a header containing "Spam-Level: ***" to a "spam" directory.. The last 2
>months, spam and spam only has been triggered/filtered.. so I think it's
>quite useful.. yet, it does send the mail.. if it's triggered as spam,
>why does it even send it to the mailbox instead of just blocking it? I
>assume that's because of a bad configuration made by myself..

Fundamental misunderstanding of Spamassassin's purpose. It is a filter that marks mail as spam; it does not delete or "block" it. Usually one uses something like procmail as a local delivery agent (or similar) that does the actual deleting or, more usually, directs it to a separate spam mailbox. Deleting all email marked as spam is usually not considered wise because of the possibility of false positives.
More common is to mark the lower scoring spam as SPAM and deliver, and only delete (or maybe archive for some time) the high scoring spam.

>Also, a lot of mail which is spam is not triggered as spam, is it possible
>to improve spamassassin to filter more mails? Like, the way an antivirus
>program works (has ids for each virus),

Yes, read the Spamassassin FAQ and Wiki (and the mailing list archives) and you will find ways. See http://www.spamassassin.org

>does spamassassin have any "spam ids" or something similar to make it
>filter new mails?

Sort of; see the FAQ and Wiki.

Regards,
Lyle Evans
lyle@rackears.com
rackmount brackets for many networking and ISP equipment chassis
http://www.rackears.com

From owner-freebsd-security@FreeBSD.ORG Thu May 13 00:53:35 2004
Message-ID: <40A32939.9000100@kernel32.de>
Date: Thu, 13 May 2004 09:52:25 +0200
From: Marian Hettwer
To: Martin Jessa
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
References: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net> <20040513040222.2b80e76e.freebsd@yazzy.org>
In-Reply-To: <20040513040222.2b80e76e.freebsd@yazzy.org>
Subject: Re: How do fix a good solution against spam..

Hi Martin,

Martin Jessa wrote:
> Not only is it way faster than perl based messagewall, amavisd and mailscanner etc but it also has neat stuff like making connections back to the sender's MX checking for validity of the sender's email.

This feature sounds interesting. What is it actually called in exim? I'd like to check the exim docs to see some details, because it really sounds interesting. Could you provide me with some keywords to search for?
TIA,
Marian

From owner-freebsd-security@FreeBSD.ORG Thu May 13 05:46:43 2004
From: James Stephenson
To: z3l3zt@hackunite.net, freebsd-security@freebsd.org
In-Reply-To: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net>
Message-Id: <1084452400.726.26.camel@spongeworthy>
Date: Thu, 13 May 2004 08:46:40 -0400
Subject: Re: How do fix a good solution against spam..

On Wed, 2004-05-12 at 21:00, Jesper Wallin wrote:

> I've checked the configuration file for SpamAssassin, but yet I haven't found any good
> solution for spam.. Sure, spam will always be a problem and I guess it's impossible to
> filter 100% of all spam..

Jesper:

I recently switched from SpamAssassin to an open source program called DSPAM (http://www.nuclearelephant.com/projects/dspam/). It works differently than SpamAssassin in that it processes each message that comes in and creates a DSPAM Signature, which it puts in the header of each e-mail, along with headers specifying whether it thought the e-mail was spam or innocent, and the spam probability of the e-mail.

DSPAM starts off without filtering out anything, but the way it works is through "training." You set up an e-mail alias for all your spam and false positives on your server, and you forward spam that wasn't marked as spam to the spam alias, the same for false positives. DSPAM then checks the e-mail for any existing DSPAM signature, matches it against a database, and records what you marked it as. It then uses the Bayes algorithm of probability to detect any incoming e-mail's likeliness of being considered spam based on your habits of marking spam.
It works extremely well, but it takes a while to train. I've had mine up for three days now, and it is increasing in accuracy with each day. You just have to make sure that you forward all your e-mails to the spam alias when you receive them, and all false positives as well, or else it will be worthless. Check out the web site, maybe it will help explain it a bit more. One note - the documentation is not that good, so set up could be a bit of a hassle.

James Stephenson

From owner-freebsd-security@FreeBSD.ORG Thu May 13 08:42:29 2004
Date: Thu, 13 May 2004 18:46:20 +0300
From: Ion-Mihai Tetcu
To: James Stephenson
Cc: freebsd-security@freebsd.org
Message-Id: <20040513184620.1d84a217@it.buh.cameradicommercio.ro>
In-Reply-To: <1084452400.726.26.camel@spongeworthy>
Subject: Re: How do fix a good solution against spam..

On Thu, 13 May 2004 08:46:40 -0400
James Stephenson wrote:

> On Wed, 2004-05-12 at 21:00, Jesper Wallin wrote:
>
> > I've checked the configuration file for SpamAssassin, but yet I haven't found any good
> > solution for spam.. Sure, spam will always be a problem and I guess it's impossible to
> > filter 100% of all spam..
>
> Jesper:

[.. about how good dspam is ...]

> It works extremely well, but it takes a while to train. I've had mine
> up for three days now, and it is increasing in accuracy with each day.
> You just have to make sure that you forward all your e-mails to the spam
> alias when you receive them, and all false positives as well, or else it
> will be worthless. Check out the web site, maybe it will help explain
> it a bit more. One note - the documentation is not that good, so set up
> could be a bit of a hassle.

You may want to look in the ports@ archives where a recent discussion about dspam has taken place. One nice thing is that the recent version of amavisd-new can run dspam.
-- 
IOnut
Unregistered ;) FreeBSD "user"

From owner-freebsd-security@FreeBSD.ORG Thu May 13 10:04:15 2004
In-Reply-To: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net>
Message-Id: <8BE22C8E-A4FF-11D8-8FC3-0003939A19AA@fas.harvard.edu>
From: Michael Hamburg
Date: Thu, 13 May 2004 13:04:07 -0400
To: freebsd-security@freebsd.org
Subject: Re: How do fix a good solution against spam..

OpenBSD has a great tool called spamd. When used in conjunction with pf, you can redirect spammers to a spam proxy which uses very little of your memory and cpu time, but tries to use as much of theirs as possible. That way, spam from computers on RBLs is blocked directly instead of wasting your time and possibly bandwidth. Of course, if you have qualms about using RBLs (as I do, for instance), you'll have to let the mail deliver.

I use a spam blocker called CRM114. It requires only 100K or so of training to achieve impressive filtering rates. It's been quite successful so far: I haven't seen a real false positive in months, and the only spam to get through in that time was one new one I'd never seen before, and some of those one-line virus things (I can't afford to block .zip attachments wholesale). I'm considering taking Harvard off my whitelist and using it to filter out spam-like list submissions.

My main reservation about recommending CRM114 is that its datafiles are rather large. Mine are 25 megabytes just for my account, although 2M/account is easily doable if you need space. Still, this would be infeasible for a large site. You can also share the datafiles, but this would be rather tricky to do well, especially as mail mixes tend to be unique to the user.

The default is just to tag mail as spam, but as with SpamAssassin, you can set up .procmailrc or the like to block it outright. It still uses your processor time and bandwidth, though.

Mike Hamburg

P.S. I use qmail, and I like it but I'm not a mailserver zealot.
So long as it's not Sendmail :-)

On May 12, 2004, at 9:00 PM, Jesper Wallin wrote:

> Heya folks
>
> First of all, sorry if this isn't the correct list, but yet, I think
> spam is a kind of network attack and should be treated as a security
> issue.. I run a working mail server using Postfix, MySQL, Courier-IMAP,
> SpamAssassin and ClamAV (amavisd-new) ..
>
> I've checked the configuration file for SpamAssassin, but yet I haven't
> found any good solution for spam.. Sure, spam will always be a problem
> and I guess it's impossible to filter 100% of all spam..
>
> Currently, I've made a filter in my mail client which moves all mails
> with a header containing "Spam-Level: ***" to a "spam" directory.. The
> last 2 months, spam and spam only has been triggered/filtered.. so I
> think it's quite useful.. yet, it does send the mail.. if it's triggered
> as spam, why does it even send it to the mailbox instead of just
> blocking it? I assume that's because of a bad configuration made by
> myself..
>
> Also, a lot of mail which is spam is not triggered as spam, is it
> possible to improve spamassassin to filter more mails? Like, the way an
> antivirus program works (has ids for each virus), does spamassassin have
> any "spam ids" or something similar to make it filter new mails?
>
> Once again, sorry if this mail has been sent to the wrong list, and
> sorry for asking a lot of questions which might already be documented.
> > > Regards, > Jesper Wallin > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Thu May 13 14:14:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 462B616A4CE for ; Thu, 13 May 2004 14:14:07 -0700 (PDT) Received: from ioskeha.hittite.isp.9tel.net (ioskeha.hittite.isp.9tel.net [62.62.156.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D07143D39 for ; Thu, 13 May 2004 14:14:04 -0700 (PDT) (envelope-from root@gits.dyndns.org) Received: from mail.gits.dyndns.org (unknown [81.185.49.110]) by ioskeha.hittite.isp.9tel.net (Postfix) with ESMTP id 765C817C05E; Thu, 13 May 2004 23:13:33 +0200 (CEST) Received: from mail.gits.dyndns.org (IDENT:3sk29wlmq88t1aot@localhost [127.0.0.1])i4DL4Q6Z078521 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 13 May 2004 23:10:53 +0200 (CEST) (envelope-from root@gits.dyndns.org) Received: (from root@localhost) by mail.gits.dyndns.org (8.12.11/8.12.11/Submit) id i4DKd8Ms098147; Thu, 13 May 2004 22:39:08 +0200 (CEST) (envelope-from root) Message-Id: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org> To: z3l3zt@hackunite.net, freebsd security Date: Thu, 13 May 2004 22:39:07 +0200 (CEST) 
From: Cyrille Lefevre X-Face: V|+c;4!|B?E%BE^{E6); aI.[< List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 May 2004 21:14:07 -0000 --ELM1084480747-8674-0_ Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII take a look here : http://www.merchantsoverseas.com/wwwroot/gorilla then let's try the attached script and patch which may not be up to date. PS : I don't use it since my machine is too slow and this makes mimedefang to give up (timeout) to often. Cyrille Lefevre -- mailto:cyrille.lefevre@laposte.net --ELM1084480747-8674-0_ Content-Transfer-Encoding: 8bit Content-Type: text/x-patch; charset=ISO-8859-15 Content-Disposition: attachment; filename=sa_rules.patch Content-Description: diff -u orig/sa_body.cf sa/sa_body.cf --- orig/sa_body.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_body.cf Sat Jan 31 01:57:22 2004 @@ -4,21 +4,20 @@ # submitted by Yorkshire Dave. -> "Dear Fellow Opportunist" (my favorite ;-) +# "Dear Fellow Opportunist" (my favorite ;-) body L_OPPORT /\bfellow.opportunist/i describe L_OPPORT fellow opportunist -> "You need to act now or you will miss out on a great offer" +# "You need to act now or you will miss out on a great offer" body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i describe L_ACTMISS act now or miss -body L_MISSOFFER -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i +body L_MISSOFFER /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i describe L_MISSOFFER miss great offer -> "CASH FOREVER" +# "CASH FOREVER" body L_CASHFOREVER /\bcash.{1,3}forever\b/ describe L_CASHFOREVER cash forever @@ -419,8 +418,7 @@ # The following rules submitted by Kai MacTane. -body HIDDEN_VIAGRA -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i +body HIDDEN_VIAGRA /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra" score HIDDEN_VIAGRA 2.00 
@@ -1011,7 +1009,7 @@ describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting a career back on track score CAREER_BACK_ON_TRACK 3 3 3 3 -raw 123X456 /123x456/i +rawbody 123X456 /123x456/i describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E worm score 123X456 99 99 99 99 diff -u orig/sa_header_other.cf sa/sa_header_other.cf --- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004 @@ -9,8 +9,8 @@ header HINET Received =~ /bHINET-IP/i describe HINET Received line contains HINET-IP (common spam gate from pacrim) -header TO-EVERYONE To:addr =~ /every(?:one|body)/i -describe TO-EVERYONE To: everyone or everybody +header TO_EVERYONE To:addr =~ /every(?:one|body)/i +describe TO_EVERYONE To: everyone or everybody # The following rules submitted by Daniel Bird. 
@@ -97,27 +97,27 @@ score L_f_Refi 0.4 # Spamsign in misc headers -Header L_hR_NOREPLY Return-path =~ /<>/ +header L_hR_NOREPLY Return-path =~ /<>/ describe L_hR_NOREPLY Return path is set to empty (common for bounces) (RM) score L_hR_NOREPLY 1.1 -Header L_hr_clkheremail Received =~ /clkheremail\.com/ +header L_hr_clkheremail Received =~ /clkheremail\.com/ describe L_hr_clkheremail Spam passed through clkheremail.com relay (RM) score L_hr_clkheremail 3.1 -Header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i +header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i describe L_hr_HeloIP Received has helo=IP - may be valid DSL router w/nat - may be spam (RM) score L_hr_HeloIP 0.5 -Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ +header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM) score L_hx_PSSBulk 1.1 -Header L_hx_XaM3API exists:X-XaM3-API-Version +header L_hx_XaM3API exists:X-XaM3-API-Version describe L_hx_XaM3API X-XaM3-API-Version header found, often spamsign (RM) score L_hx_XaM3API 1.1 -Header L_hx_JLH exists:X-JLH +header L_hx_JLH exists:X-JLH describe L_hx_JLH X-JLH header found, possible spamsign (RM) score L_hx_JLH 1.1 diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf --- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004 
@@ -27,59 +27,59 @@ # The following rules submitted by Robert Menschel. # Spamsign subjects -Header L_s_casino Subject =~ /c[a\@]sin[o0]/i +header L_s_casino Subject =~ /c[a\@]sin[o0]/i describe L_s_casino Subject mentions a casino (RM) score L_s_casino 1.1 -Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i +header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i describe L_s_CopyDVD Subject mentions copying DVDs (RM) score L_s_CopyDVD 3.1 -Header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i +header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i describe L_s_Drugs Subject mentions known spam subject (RM) score L_s_Drugs 2.1 -Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i +header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i describe L_s_GetPaid Subject mentions getting paid for something (RM) score L_s_GetPaid 1.1 -Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i +header L_s_HelpInvest Subject =~ /help.{1,10}invest/i describe L_s_HelpInvest Subject mentions help in investing something (RM) score L_s_HelpInvest 1.1 -Header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i +header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i describe L_s_MaskedWords1 masked spam word(s) in subject (RM) score L_s_MaskedWords1 9.1 -Header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i +header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i describe L_s_MaskedWords2 masked spam word(s) in subject (RM) score L_s_MaskedWords2 9.1 -Header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i +header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i describe L_s_MaskedWords3 masked spam word(s) in subject (RM) score L_s_MaskedWords3 9.1 -Header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i +header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i describe L_s_MaskedWords4 masked spam word(s) in subject (RM) score L_s_MaskedWords4 7.1 -Header L_s_MaskedWordsC 
Subject =~ /reaI|excIusive/ +header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ describe L_s_MaskedWordsC masked spam word(s) in subject - case sensitive (RM) score L_s_MaskedWordsC 9.1 -Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i +header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i describe L_s_PleaseRead Subject includes request to please read the message (RM) score L_s_PleaseRead 0.6 -Header L_s_profile Subject =~ /I\ saw\ your\ profile/i +header L_s_profile Subject =~ /I\ saw\ your\ profile/i describe L_s_profile Subject mentions your profile (RM) score L_s_profile 1.1 -Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i +header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i describe L_s_porn Subject seems to be about porn (RM) score L_s_porn 2.1 -Header L_s_Tax Subject =~ /T[a\@]x/i +header L_s_Tax Subject =~ /T[a\@]x/i describe L_s_Tax Subject mentions taxes (RM) score L_s_Tax 1.1 diff -u orig/sa_meta.cf sa/sa_meta.cf --- orig/sa_meta.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004 @@ -9,9 +9,11 @@ #Check for a beginning HTML tag rawbody __MK_HTML_TAG_START /\ rawbody __MK_HTML_TAG_END /\<\/html\>/i +describe #Check to see if the HTML message is made correctly. Seeing a lot of SPAM that isn't meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && !__MK_HTML_TAG_END @@ -102,8 +104,7 @@ header __THEBAT_UA User-Agent =~ /The Bat/ meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID ) -describe L_FORGED_MUA_THEBAT Forged message pretending to be from the -bat! +describe L_FORGED_MUA_THEBAT Forged message pretending to be from the bat! #spewing virus reports to forged sender addresses is spamming, talking # about them on mailing lists isn't. 
@@ -111,7 +112,8 @@ body __VIRUS_WARNING_FWD /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is body __VIRUS_WARNING_REV /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner # The following rules were submitted by Sandy S. (The last S is for Secret!) diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf --- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004 @@ -223,7 +223,7 @@ rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/ describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found. -score MY_ONE_CHAR_SCRIPT .33 +score MY_ONECHAR_SCRIPT .33 rawbody MY_THISIS /this is spam/i describe MY_THISIS They said this is spam themselves! diff -u orig/sa_uri.cf sa/sa_uri.cf --- orig/sa_uri.cf Thu Feb 19 14:56:29 2004 +++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004 
@@ -358,8 +358,7 @@ uri MY_BLUETABS /fastbluetabs\.com/i score MY_BLUETABS 5.000 -describe MY_BLUETABS Message contains a link or email address to -fastbluetabs.com +describe MY_BLUETABS Message contains a link or email address to fastbluetabs.com uri MY_CERTREWARDS /certrewards\.com/i score MY_CERTREWARDS 5.000 --ELM1084480747-8674-0_-- From owner-freebsd-security@FreeBSD.ORG Thu May 13 14:21:49 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E73816A4CE; Thu, 13 May 2004 14:21:49 -0700 (PDT) Received: from carrick.bishnet.net (carrick.bishnet.net [217.204.9.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id B857043D3F; Thu, 13 May 2004 14:21:48 -0700 (PDT) (envelope-from tdb@carrick.bishnet.net) Received: from tdb by carrick.bishnet.net with local (Exim 4.33; FreeBSD) id 1BONeC-0009js-VY; Thu, 13 May 2004 22:21:44 +0100 Date: Thu, 13 May 2004 22:21:44 +0100 
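Review bot: the rejoined `+body L_MISSOFFER` line in the first sa_body.cf hunk (`@@ -4,21 +4,20 @@`) carries `.{1.20}` over unchanged, with a dot where the quantifier needs a comma; Perl does not treat `{1.20}` as a repeat count, so the pattern only matches the literal text `{1.20}` and the rule never fires on real mail. Since the hunk is already rewriting that line, make it `/\bmiss.{1,20}(great|fantastic|unbeatable).{1,20}offer/i`.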
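Review bot: in the `@@ -419,8 +418,7 @@` sa_body.cf hunk the rejoined HIDDEN_VIAGRA pattern keeps `{1,5}` inside each character class, where the braces, digits and comma are five more literal characters rather than a repeat count, so the rule only matches the letters separated by exactly one filler character (or by one of `{`, `1`, `,`, `5`, `}`). The intended form is `[\s\-\.\*_]{1,5}` between the letters; worth fixing while the line is being touched, and the describe and score lines need no change.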
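Review bot: renaming TO-EVERYONE to TO_EVERYONE in the first sa_header_other.cf hunk (`@@ -9,8 +9,8 @@`) is right, since SpamAssassin rule names are restricted to letters, digits and underscores and the hyphenated name was not being loaded, but the unchanged context line two above it, `header HINET Received =~ /bHINET-IP/i`, has apparently lost a backslash: as written it requires a literal `b` before `HINET-IP`, where `\bHINET-IP` was clearly meant. Fix it in the same patch rather than leaving a dead rule next to a repaired one.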
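Review bot: the two bare `+describe` lines in the first sa_meta.cf hunk (`@@ -9,9 +9,11 @@`) have neither a rule name nor any text, so they are incomplete configuration lines that SpamAssassin will complain about when it parses the file. Either drop them or complete them; note that `__MK_HTML_TAG_START` and `__MK_HTML_TAG_END` are `__`-prefixed sub-rules that only feed the `MK_BAD_HTML_4` meta rule below and are never listed in a hit report, so a description for them adds nothing. The `rawbody __MK_HTML_TAG_START /\` context line is also truncated in the posted copy; before applying, check that the real file has the full pattern with its closing delimiter and `/i` flag, matching the `__MK_HTML_TAG_END` line.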
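Review bot: the `Header` to `header` case fixes in the sa_header_subject.cf hunk (`@@ -27,59 +27,59 @@`) are correct, as configuration keywords are case-sensitive and all of these rules were being skipped as unparseable, but that means this hunk switches on a dozen rules at once with scores up to 9.1. Two deserve a look before they go live: L_s_Tax `/T[a\@]x/i` has no word boundary and scores 1.1 against any subject containing "syntax" or "taxonomy", so `\bt[a\@]x(?:es)?\b` would be tighter; and L_s_MaskedWords4 contains 8-bit characters (`ch[à\@]rge`, `Êbãy`) that only match when the .cf file is read in the same charset it was written in (the attachment is labelled ISO-8859-15), so a transcoded file or a UTF-8 subject will silently miss.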
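Review bot: the `score MY_ONE_CHAR_SCRIPT .33` to `score MY_ONECHAR_SCRIPT .33` change in the sa_oct03_rules.cf hunk (`@@ -223,7 +223,7 @@`) is correct, but it changes behaviour and not just spelling: a rule with no matching score line gets SpamAssassin's default score of 1.0, so MY_ONECHAR_SCRIPT drops from 1.0 to 0.33 once this applies. Say so in the patch description; with a pattern as loose as `/\/..?\.(pl|plx|cgi|asp)/` (any one- or two-character script name in any URL) the lower score is the sensible one.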
From: Tim Bishop To: Marian Hettwer Message-ID: <20040513212144.GA37257@carrick.bishnet.net> References: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net> <20040513040222.2b80e76e.freebsd@yazzy.org> <40A32939.9000100@kernel32.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE" Content-Disposition: inline In-Reply-To: <40A32939.9000100@kernel32.de> User-Agent: Mutt/1.4.2.1i X-PGP-Key: 0x5AE7D984 X-PGP-Fingerprint: 1453 086E 9376 1A50 ECF6 AE05 7DCE D659 5AE7 D984 Sender: "T.D.Bishop" X-Bishnet-MailScanner-Information: Contact postmaster@bishnet.net X-Bishnet-MailScanner-VirusCheck: Found to be clean X-Bishnet-MailScanner-From: tdb@carrick.bishnet.net cc: freebsd-isp@freebsd.org cc: freebsd-security@freebsd.org Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 May 2004 21:21:49 -0000

On Thu, May 13, 2004 at 09:52:25AM +0200, Marian Hettwer wrote:
> Martin Jessa wrote:
> >Not only it's way faster than perl based messagewall, amavisd and
> >mailscanner etc but it also has neat stuff like making connections
> >back to the sender's MX checking for validity of the sender's email.
>
> This Feature sounds interesting. How is it actually called in exim ?
> I'd like to check the exim docu to see some details, because it really
> sounds interesting.
>
> Could you provide me with some keywords to search for ?

In Exim you're looking for sender callout verification.

http://www.exim.org/exim-html-4.30/doc/html/spec_38.html#SECT38.21

It's pretty trivial to turn on, and in my experience works well.

Cheers,

Tim.
--
Tim Bishop
http://www.bishnet.net/tim
PGP Key: 0x5AE7D984

From owner-freebsd-security@FreeBSD.ORG Thu May 13 14:48:39 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EF9916A4CE for ; Thu, 13 May 2004 14:48:39 -0700 (PDT) Received: from redix.it (host49-169.pool8172.interbusiness.it [81.72.169.49]) by mx1.FreeBSD.org (Postfix) with SMTP id 7D81643D46 for ; Thu, 13 May 2004 14:48:33 -0700 (PDT) (envelope-from roberto@redix.it) Received: (qmail 26779 invoked by uid 72); 13 May 2004 21:48:31 -0000 Received: from 151.31.34.32 (SquirrelMail authenticated user roberto) by mail.redix.it with HTTP; Thu, 13 May 2004 23:48:31 +0200 (CEST) Message-ID: <3063.151.31.34.32.1084484911.squirrel@mail.redix.it> In-Reply-To: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net> References: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net> Date: Thu, 13 May 2004 23:48:31 +0200 (CEST)
From: roberto@redix.it To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 May 2004 21:48:39 -0000

> Heya folks
>
> First of all, sorry if this isn't the correct list, but yet, I think spam is a kind of network attack and should be treated as a security issue..
> I run a working mail server using Postfix, MySQL, Courier-IMAP, SpamAssassin and ClamAV (amavisd-new) ...
> Regards,
> Jesper Wallin
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

I'm trying to solve the spam problem on my email server too. I'm glad to share my and your ideas on the topic.
At the moment I can suggest the following:

1) use Realtime Black List (see http://spamhaus.org for example);
2) use Sender Policy Framework (see http://spf.pobox.com);
3) accept email only after the sender has confirmed your reply;
4) use spamassassin;

N.B.: only 1,2 save your bandwidth as the SMTP transaction is blocked if necessary;

Any comments are welcome,

Regards,
Roberto

From owner-freebsd-security@FreeBSD.ORG Thu May 13 15:01:13 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B4B316A4CE for ; Thu, 13 May 2004 15:01:13 -0700 (PDT) Received: from cybhqfrwd02.office.outpost.com (near.outpost.com [69.44.121.165]) by mx1.FreeBSD.org (Postfix) with SMTP id 176FB43D5A for ; Thu, 13 May 2004 15:01:12 -0700 (PDT) (envelope-from PBaker@outpost.com) Received: (qmail 6627 invoked from network); 13 May 2004 20:38:28 -0000 Received: from cybhqmsx02.office.outpost.com (10.2.6.93) by cybhqfrwd02.office.outpost.com with SMTP; 13 May 2004 20:38:28 -0000 Received: by cybhqmsx02.office.outpost.com with Internet Mail Service (5.5.2650.21) id ; Thu, 13 May 2004 17:50:01 -0400 Message-ID: <777BCABEE522D5119E3E00508B6CA0B802E9AA95@CYBHQMSX05>
From: Patrick Baker To: "'freebsd-security@freebsd.org'" Date: Thu, 13 May 2004 18:01:11 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 May 2004 22:01:13 -0000

I use postfix with mysql which forwards mail to a content filter ( amavisd-new ) which does the virus scanning and Spam detection. Using Spam assassin I have DCC, Razor, and Bayesian Learning. All mail is forwarded through unless it's a virus --> onto Cyrus, then I have Sieve read the mail headers to filter all Spam into a junk folder.

If Spam still comes through I just have all my customers forward the mail to report-spam@domain.tld . A cron job runs at 6am every morning to learn from these Spam emails and put them into the Bayesian database.

I only use one RBL which is relays.ordb.org, I don't like RBLs really because they have some pretty idiotic policies not to mention they're so secretive.

Spam really isn't a threat - it's more annoying than anything else - some customers like to read through it sometimes - I can't stop them if they want to. Yet every two days, all mail that's in the junk folder is automatically purged.
Regards, Patrick From owner-freebsd-security@FreeBSD.ORG Thu May 13 16:13:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7458D16A4CE for ; Thu, 13 May 2004 16:13:16 -0700 (PDT) Received: from xsb.com (mail.portjeff.net [216.168.142.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55BEF43D41 for ; Thu, 13 May 2004 16:13:14 -0700 (PDT) (envelope-from c.rued@xsb.com) Received: from xsb.com [129.49.16.170] by xsb.com with ESMTP (SMTPD32-7.15) id A00527C00FA; Thu, 13 May 2004 19:08:53 -0400 Message-ID: <40A40107.1010207@xsb.com> Date: Thu, 13 May 2004 19:13:11 -0400 
From: Christopher Rued User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: cyrille.lefevre@laposte.net References: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org> In-Reply-To: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org> Content-Type: multipart/mixed; boundary="------------030100020200050206080300" X-Content-Filtered-By: Mailman/MimeDel 2.1.1 cc: freebsd security Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 May 2004 23:13:16 -0000 This is a multi-part message in MIME format. --------------030100020200050206080300 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit hehe ... my SpamAssassin marked this as spam :-) Cyrille Lefevre wrote: > take a look here : > > http://www.merchantsoverseas.com/wwwroot/gorilla > > then let's try the attached script and patch which may not be up to date. > > PS : I don't use it since my machine is too slow and this makes mimedefang > to give up (timeout) to often. > > Cyrille Lefevre > > > ------------------------------------------------------------------------ > > diff -u orig/sa_body.cf sa/sa_body.cf > --- orig/sa_body.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_body.cf Sat Jan 31 01:57:22 2004 
> @@ -4,21 +4,20 @@ > > # submitted by Yorkshire Dave. > > -> "Dear Fellow Opportunist" (my favorite ;-) > +# "Dear Fellow Opportunist" (my favorite ;-) > > body L_OPPORT /\bfellow.opportunist/i > describe L_OPPORT fellow opportunist > > -> "You need to act now or you will miss out on a great offer" > +# "You need to act now or you will miss out on a great offer" > > body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i > describe L_ACTMISS act now or miss > > -body L_MISSOFFER > -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i > +body L_MISSOFFER /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i > describe L_MISSOFFER miss great offer > > -> "CASH FOREVER" > +# "CASH FOREVER" > > body L_CASHFOREVER /\bcash.{1,3}forever\b/ > describe L_CASHFOREVER cash forever > @@ -419,8 +418,7 @@ > > # The following rules submitted by Kai MacTane. > > -body HIDDEN_VIAGRA > -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i > +body HIDDEN_VIAGRA /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i > describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra" > score HIDDEN_VIAGRA 2.00 > > @@ -1011,7 +1009,7 @@ > describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting a career back on track > score CAREER_BACK_ON_TRACK 3 3 3 3 > > -raw 123X456 /123x456/i > +rawbody 123X456 /123x456/i > describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E worm > score 123X456 99 99 99 99 > > diff -u orig/sa_header_other.cf sa/sa_header_other.cf > --- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004 
> @@ -9,8 +9,8 @@ > header HINET Received =~ /bHINET-IP/i > describe HINET Received line contains HINET-IP (common spam gate from pacrim) > > -header TO-EVERYONE To:addr =~ /every(?:one|body)/i > -describe TO-EVERYONE To: everyone or everybody > +header TO_EVERYONE To:addr =~ /every(?:one|body)/i > +describe TO_EVERYONE To: everyone or everybody > > > # The following rules submitted by Daniel Bird. > @@ -97,27 +97,27 @@ > score L_f_Refi 0.4 > > # Spamsign in misc headers > -Header L_hR_NOREPLY Return-path =~ /<>/ > +header L_hR_NOREPLY Return-path =~ /<>/ > describe L_hR_NOREPLY Return path is set to empty (common for bounces) (RM) > score L_hR_NOREPLY 1.1 > > -Header L_hr_clkheremail Received =~ /clkheremail\.com/ > +header L_hr_clkheremail Received =~ /clkheremail\.com/ > describe L_hr_clkheremail Spam passed through clkheremail.com relay (RM) > score L_hr_clkheremail 3.1 > > -Header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i > +header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i > describe L_hr_HeloIP Received has helo=IP - may be valid DSL router w/nat - may be spam (RM) > score L_hr_HeloIP 0.5 > > -Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ > +header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ > describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM) > score L_hx_PSSBulk 1.1 > > -Header L_hx_XaM3API exists:X-XaM3-API-Version > +header L_hx_XaM3API exists:X-XaM3-API-Version > describe L_hx_XaM3API X-XaM3-API-Version header found, often spamsign (RM) > score L_hx_XaM3API 1.1 > > -Header L_hx_JLH exists:X-JLH > +header L_hx_JLH exists:X-JLH > describe L_hx_JLH X-JLH header found, possible spamsign (RM) > score L_hx_JLH 1.1 > > diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf > --- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004 
> @@ -27,59 +27,59 @@ > # The following rules submitted by Robert Menschel. > > # Spamsign subjects > -Header L_s_casino Subject =~ /c[a\@]sin[o0]/i > +header L_s_casino Subject =~ /c[a\@]sin[o0]/i > describe L_s_casino Subject mentions a casino (RM) > score L_s_casino 1.1 > > -Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i > +header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i > describe L_s_CopyDVD Subject mentions copying DVDs (RM) > score L_s_CopyDVD 3.1 > > -Header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i > +header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i > describe L_s_Drugs Subject mentions known spam subject (RM) > score L_s_Drugs 2.1 > > -Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i > +header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i > describe L_s_GetPaid Subject mentions getting paid for something (RM) > score L_s_GetPaid 1.1 > > -Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i > +header L_s_HelpInvest Subject =~ /help.{1,10}invest/i > describe L_s_HelpInvest Subject mentions help in investing something (RM) > score L_s_HelpInvest 1.1 > > -Header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i > +header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i > describe L_s_MaskedWords1 masked spam word(s) in subject (RM) > score L_s_MaskedWords1 9.1 > > -Header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i > +header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i > describe L_s_MaskedWords2 masked spam word(s) in subject (RM) > score L_s_MaskedWords2 9.1 > > -Header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i > +header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i > describe L_s_MaskedWords3 masked spam word(s) in subject (RM) > score L_s_MaskedWords3 9.1 > > -Header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i > +header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i > describe 
L_s_MaskedWords4 masked spam word(s) in subject (RM) > score L_s_MaskedWords4 7.1 > > -Header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ > +header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ > describe L_s_MaskedWordsC masked spam word(s) in subject - case sensitive (RM) > score L_s_MaskedWordsC 9.1 > > -Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i > +header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i > describe L_s_PleaseRead Subject includes request to please read the message (RM) > score L_s_PleaseRead 0.6 > > -Header L_s_profile Subject =~ /I\ saw\ your\ profile/i > +header L_s_profile Subject =~ /I\ saw\ your\ profile/i > describe L_s_profile Subject mentions your profile (RM) > score L_s_profile 1.1 > > -Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i > +header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i > describe L_s_porn Subject seems to be about porn (RM) > score L_s_porn 2.1 > > -Header L_s_Tax Subject =~ /T[a\@]x/i > +header L_s_Tax Subject =~ /T[a\@]x/i > describe L_s_Tax Subject mentions taxes (RM) > score L_s_Tax 1.1 > > diff -u orig/sa_meta.cf sa/sa_meta.cf > --- orig/sa_meta.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004 > @@ -9,9 +9,11 @@ > > #Check for a beginning HTML tag > rawbody __MK_HTML_TAG_START /\ +describe > #Check for a closing HTML tag > rawbody __MK_HTML_TAG_END /\<\/html\>/i > +describe > > #Check to see if the HTML message is made correctly. Seeing a lot of SPAM that isn't > meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && !__MK_HTML_TAG_END > @@ -102,8 +104,7 @@ > > header __THEBAT_UA User-Agent =~ /The Bat/ > meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID ) > -describe L_FORGED_MUA_THEBAT Forged message pretending to be from the > -bat! > +describe L_FORGED_MUA_THEBAT Forged message pretending to be from the bat! > > #spewing virus reports to forged sender addresses is spamming, talking > # about them on mailing lists isn't. 
> @@ -111,7 +112,8 @@ > body __VIRUS_WARNING_FWD /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is > body __VIRUS_WARNING_REV /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is > body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i > -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner > +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) > +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner > > # The following rules were submitted by Sandy S. (The last S is for Secret!) > > diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf > --- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004 > @@ -223,7 +223,7 @@ > > rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/ > describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found. > -score MY_ONE_CHAR_SCRIPT .33 > +score MY_ONECHAR_SCRIPT .33 > > rawbody MY_THISIS /this is spam/i > describe MY_THISIS They said this is spam themselves! > diff -u orig/sa_uri.cf sa/sa_uri.cf > --- orig/sa_uri.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004 
> @@ -358,8 +358,7 @@ > > uri MY_BLUETABS /fastbluetabs\.com/i > score MY_BLUETABS 5.000 > -describe MY_BLUETABS Message contains a link or email address to > -fastbluetabs.com > +describe MY_BLUETABS Message contains a link or email address to fastbluetabs.com > > uri MY_CERTREWARDS /certrewards\.com/i > score MY_CERTREWARDS 5.000 > > > ------------------------------------------------------------------------ > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Christopher Rued Software Engineer XSB, Inc. 631-444-6818 --------------030100020200050206080300-- From owner-freebsd-security@FreeBSD.ORG Fri May 14 01:08:23 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F165316A4CE for ; Fri, 14 May 2004 01:08:23 -0700 (PDT) Received: from mail.telsatgp.com.pl (pa79.pleszew.sdi.tpnet.pl [217.96.180.79]) by mx1.FreeBSD.org (Postfix) with SMTP id 0E92543D3F for ; Fri, 14 May 2004 01:08:21 -0700 (PDT) (envelope-from sgp@telsatgp.com.pl) Received: (qmail 95027 invoked from network); 14 May 2004 08:08:20 -0000 Received: from slawek.telsatgp.com.pl (HELO Slawek) (192.168.5.5) by pa79.pleszew.sdi.tpnet.pl with SMTP; 14 May 2004 08:08:20 -0000 Message-ID: <00e201c4398a$e56aac60$0505a8c0@Slawek> 
From: "Slawek" To: , References: <1886.213.112.193.11.1084410012.squirrel@mail.hackunite.net><20040513040222.2b80e76e.freebsd@yazzy.org> <40A32939.9000100@kernel32.de> <20040513212144.GA37257@carrick.bishnet.net> Date: Fri, 14 May 2004 10:10:18 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 FL-Build: Fidolook 2002 (SL) 6.0.2800.85 - 28/1/2003 19:07:30 X-Organisation: Telsat GP Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 May 2004 08:08:24 -0000

Hello!

In message to "Marian Hettwer" sent Thu, 13 May 2004 22:21:44 +0100 you wrote:

>>> Not only it's way faster than perl based messagewall, amavisd and
>>> mailscanner etc but it also has neat stuff like making connections
>>> back to the sender's MX checking for validity of the sender's email.
>>
>> This Feature sounds interesting. How is it actually called in exim ?
>> I'd like to check the exim docu to see some details, because it really
>> sounds interesting.
>>
>> Could you provide me with some keywords to search for ?

TB> In Exim you're looking for sender callout verification.
TB> http://www.exim.org/exim-html-4.30/doc/html/spec_38.html#SECT38.21
TB> It's pretty trivial to turn on, and in my experience works well.

One should be careful with source address checking as it may block mails in e-mail discussion lists when the source e-mail address is nonexistent. Using things like "NO_SPAM" or "DELETE_THIS" in an e-mail address is common (and justified) in discussion lists.
-- 
Slawomir Piotrowski

From owner-freebsd-security@FreeBSD.ORG Fri May 14 03:04:58 2004
Date: Fri, 14 May 2004 12:07:11 +0200
From: Ruben de Groot
To: Martin Jessa
Message-ID: <20040514100711.GA62071@ei.bzerk.org>
In-Reply-To: <20040513040222.2b80e76e.freebsd@yazzy.org>
cc: freebsd-isp@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Re: How do fix a good solution against spam..

On Thu, May 13, 2004 at 04:02:22AM +0200, Martin Jessa typed:
> Not only it's way faster than perl based messagewall, amavisd and mailscanner etc but it also has neat stuff like making connections back to the sender's MX checking for validity of the sender's email.

Of course, this can be done using sendmail (milter-sender) or postfix (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) just as well.
Ruben

From owner-freebsd-security@FreeBSD.ORG Fri May 14 04:41:05 2004
Date: Fri, 14 May 2004 08:40:59 -0300
From: Fernando Schapachnik
To: Patrick Baker
Message-ID: <20040514114059.GD306@bal740r0.mecon.gov.ar>
In-Reply-To: <777BCABEE522D5119E3E00508B6CA0B802E9AA95@CYBHQMSX05>
cc: "'freebsd-security@freebsd.org'"
Subject: Re: How do fix a good solution against spam..

As everybody is throwing in their favorite anti-spam solutions, here's mine:

http://www.paganini.net/ask/

From the home page:

    ASK takes advantage of the fact that most spammers use invalid or fake "From:" addresses in their messages. When a new message arrives and the sender is unknown, ASK sends a "confirmation message" back, informing the sender that the original message has been queued, pending confirmation. When the sender confirms (a simple reply), ASK delivers the original message and adds the sender to a "whitelist". Further messages from this sender will be immediately delivered. It is also possible to ignore messages based on specific criteria, like sender's email, subject and so on.

This reduced spam in my inbox from hundreds to 0.

Regards.

Fernando.
From owner-freebsd-security@FreeBSD.ORG Fri May 14 04:49:05 2004
Date: Fri, 14 May 2004 12:51:16 +0300
From: Peter Pentchev
To: Fernando Schapachnik
Message-ID: <20040514095116.GA977@straylight.m.ringlet.net>
In-Reply-To: <20040514114059.GD306@bal740r0.mecon.gov.ar>
cc: "'freebsd-security@freebsd.org'"
cc: Patrick Baker
Subject: Re: How do fix a good solution against spam..

On Fri, May 14, 2004 at 08:40:59AM -0300, Fernando Schapachnik wrote:
> As everybody is throwing in their favorite anti-spam solutions, here's mine:
> 
> http://www.paganini.net/ask/

Ah, something similar to TMDA? For another point of view on that kind of software, check e.g. Jeremy Zawodny's experience and some of the readers' comments:

http://jeremy.zawodny.com/blog/archives/001931.html

I'm not saying it's all bad _if_implemented_correctly_, just.. sometimes it's good to know both sides of a story ;)

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.
From owner-freebsd-security@FreeBSD.ORG Fri May 14 05:05:34 2004
Date: Fri, 14 May 2004 09:05:31 -0300
From: Fernando Schapachnik
To: Patrick Baker, "'freebsd-security@freebsd.org'"
Message-ID: <20040514120531.GE306@bal740r0.mecon.gov.ar>
In-Reply-To: <20040514095116.GA977@straylight.m.ringlet.net>
Subject: Re: How do fix a good solution against spam..

In an earlier message, Peter Pentchev wrote:
> > http://www.paganini.net/ask/
> 
> Ah, something similar to TMDA? For another point of view on
> that kind of software, check e.g. Jeremy Zawodny's experience and
> some of the readers' comments:
> 
> http://jeremy.zawodny.com/blog/archives/001931.html

I don't know TMDA in depth, but with ASK, that most probably wouldn't happen. Here's why: every user has to define a "mailkey", which is some phrase that is present in his .sig. Nowadays it is pretty common to get replies quoting the full message. ASK delivers (and also whitelists, if so configured) mail containing your mailkey. Even confirmation messages are customizable and multi-language. Unreplied messages are queued (you can get the listing by email, process each of them individually and edit black/white/ignore-lists, all by simply emailing your own account). The current beta version would connect to the sender's SMTP server and see if the reply address is valid, prior to even queueing and challenging a message from an unknown address.

Also, I don't know why this guy is so upset. The only thing he has to do is reply.
Not really that hard. It's like complaining about security checks in a building, even though you were invited.

Regards.

Fernando.

From owner-freebsd-security@FreeBSD.ORG Fri May 14 05:49:47 2004
Date: Fri, 14 May 2004 13:49:10 +0100 (BST)
From: Jan Grant
To: Fernando Schapachnik
In-Reply-To: <20040514120531.GE306@bal740r0.mecon.gov.ar>
cc: "'freebsd-security@freebsd.org'"
cc: Patrick Baker
Subject: Re: How do fix a good solution against spam..

On Fri, 14 May 2004, Fernando Schapachnik wrote:

> I don't know TMDA in depth, but with ASK, that most probably wouldn't happen.
> Here's why: every user has to define a "mailkey", which is some phrase that is
> present in his .sig. Nowadays is pretty common to get replies quoting the
> full message. ASK delivers (and also whitelists, if so configured) mail
> containing your mailkey.

So, it's a hack that is defeated by decent sig-stripping mail clients, and adds (dubious) value to the practice of including the entirety of a message.

> Also, I don't know why this guy is so upset. Only thing he has to do is reply.
> Not really that hard. Is like complaining about security checks in a building,
> even though you were invited.

These systems are rude. They're also broken. They offload personal effort from the user onto other members of the internet community. That makes them antisocial too. And come to mention it, if someone invites me to their building then I'd consider it a common courtesy for _them_ to make arrangements to minimise any security hassle I'd receive.

-- 
jan grant, ILRT, University of Bristol.
http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112
http://ioctl.org/jan/
I'm the dandy information superhighwayman.

From owner-freebsd-security@FreeBSD.ORG Fri May 14 06:13:01 2004
Date: Fri, 14 May 2004 10:12:47 -0300
From: Fernando Schapachnik
To: Jan Grant
Message-ID: <20040514131247.GH306@bal740r0.mecon.gov.ar>
cc: "'freebsd-security@freebsd.org'"
cc: Patrick Baker
Subject: Re: How do fix a good solution against spam..

In an earlier message, Jan Grant wrote:
> On Fri, 14 May 2004, Fernando Schapachnik wrote:
> 
> > I don't know TMDA in depth, but with ASK, that most probably wouldn't happen.
> > Here's why: every user has to define a "mailkey", which is some phrase that is
> > present in his .sig. Nowadays is pretty common to get replies quoting the
> > full message. ASK delivers (and also whitelists, if so configured) mail
> > containing your mailkey.
> 
> So, it's a hack that is defeated by decent sig-stripping mail clients,
> and adds (dubious) value to the practice of including the entirety of a
> message.

Not really. Your mailkey can be just your name written in a particular way (maybe including an initial or second name), so the typical "John S. Doe wrote:" quote will suffice. And it's rare that "customized" spams use that much info. Anyway, it's not bulletproof, but like I said previously, it cut my spam intake from a lot to zero, with zero lost email.

> These systems are rude. They're also broken. They offload personal
> effort from the user onto other members of the internet community.
> That
> makes them antisocial too. And come to mention it, if someone invites

I disagree. It asks for a little collaboration from someone that wants to contact you in order to defeat a bigger, common enemy. Being a one-timer, it's not that different from a 3-way handshake.

Guess we are really off-topic here.

Regards.

Fernando.

From owner-freebsd-security@FreeBSD.ORG Sat May 15 00:09:15 2004
Date: Sat, 15 May 2004 00:09:14 -0700
From: Gregory Sutter
To: Fernando Schapachnik
Message-ID: <20040515070914.GD73800@klapaucius.zer0.org>
In-Reply-To: <20040514114059.GD306@bal740r0.mecon.gov.ar>
cc: freebsd-security@freebsd.org
Subject: Re: How do fix a good solution against spam..

On 2004-05-14 08:40 -0300, Fernando Schapachnik wrote:
> As everybody is throwing in their favorite anti-spam solutions, here's mine:
> 
> http://www.paganini.net/ask/
> 
> From the home page:
> 
> ASK takes advantage of the fact that most spammers use invalid or
> fake "From:" address in their messages.
> When a new message arrives
> and the sender is unknown, ASK sends a "confirmation message"
> back, informing the sender that the original message has been
> queued, pending confirmation. When the sender confirms (a simple
> reply), ASK delivers the original message and adds the sender to a
> "whitelist". Further messages from this sender will be immediately
> delivered.

(I apologize for posting this O/T message.)

Here's a well-thought-out argument against systems of this type:

Challenge-Response Anti-Spam Systems Considered Harmful
http://kmself.home.netcom.com/Rants/challenge-response.html

Greg

-- 
Gregory S. Sutter                 The best way to accelerate Windows
mailto:gsutter@zer0.org           is at 9.8 m/s^2.
http://zer0.org/~gsutter/

From owner-freebsd-security@FreeBSD.ORG Sat May 15 04:24:19 2004
Message-ID: <045a01c43a6f$290a2c90$7890a8c0@dyndns.org>
From: "Cyrille Lefevre"
To: "Gregory Sutter", "Fernando Schapachnik"
Date: Sat, 15 May 2004 13:24:16 +0200
cc: freebsd-security@freebsd.org
Subject: Re: How do fix a good solution against spam..

> On 2004-05-14 08:40 -0300, Fernando Schapachnik wrote:
> > As everybody is throwing in their favorite anti-spam solutions, here's mine:
> > 
> > http://www.paganini.net/ask/
> > 
> > From the home page:
> > 
> > ASK takes advantage of the fact that most spammers use invalid or
> > fake "From:" address in their messages. When a new message arrives
> > and the sender is unknown, ASK sends a "confirmation message"
> > back, informing the sender that the original message has been
> > queued, pending confirmation. When the sender confirms (a simple
> > reply), ASK delivers the original message and adds the sender to a
> > "whitelist". Further messages from this sender will be immediately
> > delivered.
> 
> (I apologize for posting this O/T message.)
> 
> Here's a well-thought-out argument against systems of this type:
> 
> Challenge-Response Anti-Spam Systems Considered Harmful
> http://kmself.home.netcom.com/Rants/challenge-response.html

I don't know ASK, but I'm using tmda, which is configured to NOT send any query. This way, the offending messages are queued until I release or delete them using tmda-pending.
So, such a tool may not be so problematic, but the configuration or the implementation may be :(

The first versions of tmda didn't allow not bouncing; the first thing I did was to patch tmda to go this way, then I submitted the patch, which wasn't accepted at first. For the time being, it was implemented differently, but the idea was kept :P

Here is the trick:

echo 'ACTION_INCOMING = "hold"' >> ~/.tmda/config

Don't know if ASK may hold queries instead of bouncing?

Cyrille Lefevre.
--
home: mailto:cyrille.lefevre@laposte.net

From owner-freebsd-security@FreeBSD.ORG Sat May 15 15:46:59 2004
Message-ID: <40A69DDD.30603@reversedhell.net>
Date: Sun, 16 May 2004 01:46:53 +0300
From: Anton Alin-Adrian
To: freebsd-security@freebsd.org
Subject: Re: How do fix a good solution against spam..

It's half off topic, half not. Something has to be done, and it takes technical skills and knowledgeable people to handle the issues. At least this is how I rationate when deciding where to ask.

I started an anti-spam project on my own. At some point others offered to help, but we all know boring real life shuts down all the enthusiasm.

M.Jessa> Not only it's way faster than perl based messagewall, amavisd and
M.Jessa> mailscanner etc but it also has neat stuff like making connections
M.Jessa> back to the sender's MX checking for validity of the sender's
M.Jessa> email.

So far I can only release this code. It implements exactly what was mentioned about exim. I use it with qmail because qmail is what I have, but it can be used with postfix/sendmail with ease. So now not only exim can do that hack. I just wanted to make the code available so users can benefit from it (hopefully).
PS - this is how I use it:

.qmail-file:
| /usr/local/bin/check /usr/local/bin/safecat /path/to/Maildir/tmp /path/to/Maildir/new
#the above after | is on a single line.

Hope there are not many bugs.

Yours Sincerely,
-- 
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

Content-Type: text/plain; name="check.c"
Content-Disposition: inline; filename="check.c"

/*
 * The MX query routines are Copyrighted (C) 2004 by HL Combrinck and are
 * licensed under GPL (see below), and they provide "Sample C code to resolve
 * MX records for an address".
 *
 * This program is derivative work based on his original functions, and is
 * distributed under the following terms:
 *
 * LICENSE:
 *
 * The program provides functions for testing if an e-mail address was faked
 * by a spammer or it's real, and it's part of the L.A.U.R.A anti-spam project
 * and campaign.
 *
 * Copyright (C) 2004 Anton Alin-Adrian aanton()reversedhell.net
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * END OF LICENSE
 */

#define _GNU_SOURCE             /* strcasestr() on glibc; FreeBSD has it in string.h */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <resolv.h>

#define PORT 25                 /* SMTP default port */
#define MAXDATASIZE 1024        /* we don't need more */

/* !!!!!!!!!!! REPLACE WITH YOUR *REAL* DOMAIN & *FAKE* E-MAIL USER !!!!!!!!!!! */
#define MY_VALID_MAIL_DOMAIN "INEXISTENT-USER-HERE@reversedhell.net" /* replace user with something decent like 'antispamrobot' */
#define MY_VALID_DOMAIN "reversedhell.net"      /* must be your real domain you are connecting from */

struct mx {
    int pref;
    char host[1024];
};

#ifndef HFIXEDSZ
# define HFIXEDSZ 12
#endif
#ifndef INT16SZ
# define INT16SZ sizeof(uint16_t)
#endif
#ifndef INT32SZ
# define INT32SZ sizeof(uint32_t)
#endif

int totalsize = 0;

/*
 * Compare the preference of two MX records. Check the actual
 * number listed in the MX record - if they're the same, randomize.
 */
int mxcomp(int p1, int p2)
{
    if (p1 > p2)
        return 1;
    else if (p1 < p2)
        return 0;
    else
        return rand() % 2;
}

/*
 * sort_mxrecs()
 *
 * Sort MX records (bubble sort, lowest preference first)
 */
void sort_mxrecs(struct mx *mxrecs, int nmx)
{
    int a, b;
    struct mx t1, t2;

    if (nmx < 2)
        return;

    for (a = nmx - 2; a >= 0; --a) {
        for (b = 0; b <= a; ++b) {
            if (mxcomp(mxrecs[b].pref, mxrecs[b + 1].pref)) {
                memcpy(&t1, &mxrecs[b], sizeof(struct mx));
                memcpy(&t2, &mxrecs[b + 1], sizeof(struct mx));
                memcpy(&mxrecs[b], &t2, sizeof(struct mx));
                memcpy(&mxrecs[b + 1], &t1, sizeof(struct mx));
            }
        }
    }
}

/*
 * getmx()
 *
 * Get MX recs for an address.
 *
 * Upon success, it fills 'mxbuff' with one or more MX hosts, delimited by
 * ':' chars, and returns the number of hosts. 0 if none found.
 */
int getmx(char *mxbuff, char *dest, int maxbuffsz)
{
    union {
        u_char bytes[1024];
        HEADER header;
    } ans;
    int ret;
    unsigned char *startptr, *endptr, *ptr;
    char expanded_buf[1024];
    unsigned short pref, type;
    int n = 0;
    int qdcount;
    struct mx *mxrecs = NULL;
    int nmx = 0;

    ret = res_query(dest, C_IN, T_MX, (unsigned char *)ans.bytes, sizeof(ans));
    if (ret < 0) {
        /* no MX record: the caller falls back to the domain itself */
        nmx = 0;
    } else {
        if (ret > (int)sizeof(ans))
            ret = sizeof(ans);
        startptr = &ans.bytes[0];
        endptr = &ans.bytes[ret];
        ptr = startptr + HFIXEDSZ;      /* skip header */

        /* skip the question section */
        for (qdcount = ntohs(ans.header.qdcount); qdcount--; ptr += ret + QFIXEDSZ) {
            if ((ret = dn_skipname(ptr, endptr)) < 0)
                return 0;
        }

        /* walk the answer section, keeping only MX resource records */
        while (1) {
            memset(expanded_buf, 0, sizeof(expanded_buf));
            ret = dn_expand(startptr, endptr, ptr, expanded_buf, sizeof(expanded_buf));
            if (ret < 0)
                break;
            ptr += ret;
            if (ptr + 2 * INT16SZ + INT32SZ + INT16SZ > endptr)
                break;                  /* truncated record: type/class/ttl/rdlength missing */
            GETSHORT(type, ptr);
            ptr += INT16SZ + INT32SZ;   /* class + TTL */
            GETSHORT(n, ptr);           /* RDLENGTH */
            if (type != T_MX) {
                ptr += n;
            } else {
                GETSHORT(pref, ptr);
                ret = dn_expand(startptr, endptr, ptr, expanded_buf, sizeof(expanded_buf));
                if (ret < 0)
                    break;
                ptr += ret;
                ++nmx;
                mxrecs = realloc(mxrecs, sizeof(struct mx) * nmx);
                if (mxrecs == NULL) {
                    perror("realloc");
                    exit(EXIT_FAILURE);
                }
                mxrecs[nmx - 1].pref = pref;
                strcpy(mxrecs[nmx - 1].host, expanded_buf);
            }
        }
    }

    /* sort by MX pref */
    sort_mxrecs(mxrecs, nmx);

    /* The archived copy lost the text from here down to the sin_addr line in
     * checkmail(); this list builder and the socket setup below are the usual
     * sequence and reproduce the behaviour the rest of the file relies on. */
    mxbuff[0] = '\0';
    for (n = 0; n < nmx; n++) {
        if ((int)(strlen(mxbuff) + strlen(mxrecs[n].host) + 2) > maxbuffsz)
            break;
        if (n > 0)
            strcat(mxbuff, ":");
        strcat(mxbuff, mxrecs[n].host);
    }
    free(mxrecs);
    return nmx;
}

/*
 * Read one SMTP reply and return its 3-digit code, or -1 on error.
 * Multi-line replies ("250-foo" continuation lines, common in greetings)
 * are consumed until the final "250 " line, so the next reply is not
 * confused with leftover continuation lines.
 */
static int smtp_reply(int sockfd)
{
    char line[MAXDATASIZE];
    int len, code;
    char c;

    for (;;) {
        len = 0;
        for (;;) {
            ssize_t r = recv(sockfd, &c, 1, 0);
            if (r <= 0) {
                if (r < 0)
                    perror("recv");
                return -1;
            }
            if (len < MAXDATASIZE - 1)
                line[len++] = c;
            if (c == '\n')
                break;
        }
        line[len] = '\0';
        if (len < 4 || !isdigit((unsigned char)line[0]))
            return -1;
        code = atoi(line);              /* atoi() stops at the ' ' or '-' */
        if (line[3] != '-')
            return code;                /* last line of the reply */
    }
}

/* send one SMTP command; 'fmt' carries exactly one %s */
static int smtp_send(int sockfd, const char *fmt, const char *arg)
{
    char buf[MAXDATASIZE];

    snprintf(buf, sizeof(buf), fmt, arg);
    if (send(sockfd, buf, strlen(buf), 0) == -1) {
        perror("send");
        return -1;
    }
    return 0;
}

/*
 * checkmail()
 *
 * Connect to 'host' and run the dialogue up to RCPT TO:<addy>.
 * Returns 0 when the server accepts the address, -2 when it refuses it or
 * cannot be reached, -1 on any other failure.
 */
int checkmail(char *addy, char *host)
{
    int sockfd;
    struct hostent *he;
    struct sockaddr_in their_addr;

    if ((he = gethostbyname(host)) == NULL)
        return -1;
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        return -1;
    }
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);    /* zero the rest of the struct */

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        /* perror("connect"); */
        close(sockfd);
        return -2;
    }
    if (smtp_reply(sockfd) != 220) {
        close(sockfd);
        return -1;
    }
    if (smtp_send(sockfd, "helo %s\r\n", MY_VALID_DOMAIN) || smtp_reply(sockfd) != 250) {
        close(sockfd);
        return -1;
    }
    if (smtp_send(sockfd, "MAIL FROM:<%s>\r\n", MY_VALID_MAIL_DOMAIN) || smtp_reply(sockfd) != 250) {
        close(sockfd);
        return -1;
    }
    if (smtp_send(sockfd, "RCPT TO:<%s>\r\n", addy)) {
        close(sockfd);
        return -1;
    }
    if (smtp_reply(sockfd) != 250) {
        close(sockfd);
        return -2;                      /* server rejects the sender address */
    }
    send(sockfd, "QUIT\r\n", 6, 0);     /* nothing is ever delivered */
    close(sockfd);
    return 0;
} // checkmail

/* look up the MX for the domain part of 'addy' and run checkmail() against the best one */
int loopcheckmail(char *addy)
{
    int n, ret;
    char buf[1024], *ptr;
    char *myhost;

    myhost = strchr(addy, '@');
    if (myhost == NULL || myhost[1] == '\0')
        return -1;                      /* not an address at all */
    myhost++;
    n = getmx(buf, myhost, sizeof(buf) - 1);
    if (!n) {
        /* no MX record: try the domain's own address */
        ret = checkmail(addy, myhost);
    } else {
        /* only the lowest-preference MX is tried */
        ptr = strchr(buf, ':');
        if (ptr != NULL)
            *ptr = '\0';
        ret = checkmail(addy, buf);
    }
    return ret;
}

/* slurp the whole message from 'fp' into a NUL-terminated malloc()ed buffer */
char *read_mail_buffer(FILE *fp)
{
    int c;
    long int i = 0;
    long int size = 1024 + 1;
    int padder = 1024;
    char *s;

    if ((s = (char *)malloc((size_t)size)) == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    while ((c = getc(fp)) != EOF) {
        if (i >= size - 1) {
            size += padder;
            if ((s = (char *)realloc(s, (size_t)size)) == NULL) {
                perror("realloc");
                exit(EXIT_FAILURE);
            }
            if (size > 700000)
                padder = padder * 2;    /* grow faster for big messages */
        }
        s[i++] = (char)c;
    }
    s[i] = '\0';
    totalsize = size;
    return s;
}

int filtervalidmail(char *s)
{
    char *ptr;
    char *addy;
    char *left, *right;
    int i, j, stop = 0;
    char c;

    ptr = strcasestr(s, "From:");
    if (ptr == NULL)
        return -1;
    ptr += 5;
    ptr = strchr(ptr, '@');
    if (ptr == NULL)
        return -1;
    left = ptr;
    right = ptr;
while (isalnum(*(--left)) ) { c=*(--left); ptr=strchr(ptr,'<')+1; for (i=0;*(ptr++)!='>';i++); addy=(char *) malloc((i+1)*sizeof(char)); memset(addy,0x0,i+1); } int main (int argc,char *argv[]) { int ret; char *bigbuf; /* if (argc < 2) { fprintf(stderr,"What to check? Give me valid e-mail format.\n"); exit(EXIT_FAILURE); } ret=loopcheckmail(argv[1]); switch (ret) { case -1: fprintf(stderr,"IRRELEVANT: Error..\n"); break; case -2: fprintf(stderr,"BLOCK!\n"); break; case 0: fprintf(stderr,"IRRELEVANT\n"); break; } */ bigbuf=read_mail_buffer(stdin); filtervalidmail(bigbuf); return 0; } --------------090801040700050009080104-- --------------enig50494E6F7C055A8B68812667 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFApp3i0yNjnR4v/y4RAnQVAJ4i0ugAIDwqI2hQvU02Q0+mMibAcwCgwiP3 JR+al0ccDXcrxSB9yXqkCOA= =UzGe -----END PGP SIGNATURE----- --------------enig50494E6F7C055A8B68812667--
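The callback check that check.c performs (MX lookup, then HELO / MAIL FROM / RCPT TO against the most preferred MX), as an added example that is not part of the original post or of the L.A.U.R.A project. It is Python and runs offline: the DNS answer is a constructed packet parsed the way getmx() walks the res_query() buffer (this parser also follows compressed names, which the constructed packet does not use), and the remote MX is a small in-process responder on a socketpair, so both sides of the SMTP exchange are visible. The hostnames, the mailbox set and the probe sender antispamrobot@reversedhell.net (the user name the source comment suggests) are assumptions. Result codes follow check.c (0 accepted, -2 refused, -1 error), with two deliberate differences: a 4xx reply on RCPT TO yields -1 rather than -2, and QUIT is sent instead of dropping the connection.

```python
import socket
import struct
import threading

T_MX = 15  # DNS RR type for MX, the T_MX of check.c


def _encode_name(name):
    """Wire-format a dotted name (no compression); used only to build the constructed answer."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode the name at msg[off:], following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)


def build_mx_answer(qname, records):
    """Constructed DNS response carrying the given (pref, host) MX records for qname."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", T_MX, 1)
    answers = b""
    for pref, host in records:
        rdata = struct.pack("!H", pref) + _encode_name(host)
        answers += _encode_name(qname) + struct.pack("!HHIH", T_MX, 1, 300, len(rdata)) + rdata
    return header + question + answers


def parse_mx_answer(msg):
    """Walk header, question and answer sections as getmx() does; return (pref, host), lowest pref first."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, mx = 12, []
    for _ in range(qdcount):                      # skip the question section
        off = _read_name(msg, off)[1] + 4         # name, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == T_MX:
            mx.append((struct.unpack("!H", msg[off:off + 2])[0], _read_name(msg, off + 2)[0]))
        off += rdlen                              # skip the rdata of any record type
    return sorted(mx)


def fake_mx_server(sock, known_users):
    """Stand-in for the remote MX (constructed): accepts RCPT TO only for known mailboxes."""
    rf, wf = sock.makefile("rb"), sock.makefile("wb")
    def reply(text):
        wf.write(text.encode("ascii") + b"\r\n"); wf.flush()
    reply("220 mx.example.net ESMTP")
    while (line := rf.readline()):                # EOF: the client went away without QUIT
        cmd = line.decode("ascii", "replace").strip()
        verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply("250 mx.example.net")
        elif verb == "MAIL":
            reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            rcpt = cmd.split("<", 1)[1].split(">", 1)[0]
            reply("250 2.1.5 Ok" if rcpt in known_users else "550 5.1.1 User unknown")
        elif verb == "QUIT":
            reply("221 Bye"); break
    rf.close(); wf.close(); sock.close()


def smtp_callback(sock, helo_domain, probe_sender, addy):
    """Replay check.c's dialogue. Returns 0 (accepted), -2 (permanently refused), -1 (error or temporary)."""
    rf, wf = sock.makefile("rb"), sock.makefile("wb")
    def code():                                   # a reply's first three bytes are its code
        line = rf.readline()
        return int(line[:3]) if line[:3].isdigit() else -1
    def send(cmd):
        wf.write(cmd.encode("ascii") + b"\r\n"); wf.flush()
        return code()
    try:
        if code() != 220 or send(f"HELO {helo_domain}") != 250 \
                or send(f"MAIL FROM:<{probe_sender}>") != 250:
            return -1
        rcpt = send(f"RCPT TO:<{addy}>")
        send("QUIT")                              # check.c just drops the connection here
        if rcpt == 250:
            return 0
        return -2 if 500 <= rcpt < 600 else -1    # 4xx (greylisting, tarpit) proves nothing
    finally:
        rf.close(); wf.close(); sock.close()


def verify_sender(addy, known_users):
    """Run the callback against the in-process fake MX (all names here are constructed)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mx_server, args=(server, known_users))
    t.start()
    rc = smtp_callback(client, "reversedhell.net", "antispamrobot@reversedhell.net", addy)
    t.join()
    return rc
```

parse_mx_answer(build_mx_answer("example.net", [(20, "mx2.example.net"), (10, "mx1.example.net")]))[0][1] gives the host check.c would connect to, and verify_sender("nobody@example.net", {"alice@example.net"}) returns -2 where verify_sender("alice@example.net", ...) returns 0. Two properties of the technique worth keeping in mind when tuning it: a domain whose MX accepts every recipient (catch-all) returns 0 for any local part, so an accepted RCPT TO is weak evidence that the sender is genuine, and every probe costs the remote MX a connection, which is why such callouts are best run only after cheaper checks and with a per-domain cache.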