Date: Fri, 21 Jun 2002 22:01:35 -0400 (EDT)
From: Trevor Johnson
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
In-Reply-To: <200206220001.SAA26010@lariat.org>
Message-ID: <20020621210455.F13586-100000@blues.jpj.net>

> A client recently called me in puzzlement, saying that his system was
> misbehaving, and it turned out that this was what had happened. The address
> "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
> never used or hosted netnews, and so had no need for the pseudo-user. But that
> pseudo-user was there by default, and the system dutifully created a mailbox
> for him/her/it when the very first spam arrived. It started growing by leaps
> and bounds until it was -- I kid you not! -- several hundred megabytes in
> size. At which point the partition ran out of room.
>
> It seems to me that pseudo-users should be non-mailable, just as a basic
> security policy. Ideas for the best way to implement this in the default
> install?

My reading of the RFCs (excerpts follow) is that the "news" and "usenet"
addresses should receive mail when NNTP is in use.  It seems like a task
for the sysadmin.  How about comments in /etc/inetd.conf along the lines
of:

    # Enable e-mail to the "ftp" address if you turn this on (RFC 2142).
    #ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
    #
    # Enable e-mail to the "uucp" address if you turn this on (RFC 2142).
    #uucpd  stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
    #
    # Enable e-mail to "usenet" and "news" addresses if you turn this on (RFC 2142).
    #nntp   stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd

with the addresses commented out in /etc/aliases?  Running "df" every few
months wouldn't hurt, of course.

    6.3.  RESERVED ADDRESS

        It often is necessary to send mail to a site, without knowing
        any of its valid addresses.  For example, there may be mail
        system dysfunctions, or a user may wish to find out a person's
        correct address, at that site.

        --RFC 822 (URL:ftp://ftp.isi.edu/in-notes/rfc822.txt)

    5.2.7  RCPT Command: RFC-821 Section 4.1.1

        A host that supports a receiver-SMTP MUST support the reserved
        mailbox "Postmaster".

        --RFC 1123 (URL:ftp://ftp.isi.edu/in-notes/rfc1123.txt)

    Various Internet documents have specified mailbox names to be used
    when reaching the operators of the new service; for example,
    [RFC822 6.3, C.6] requires the presence of a mailbox name on all
    hosts that have an SMTP server.  Other protocols have defacto
    standards for well known mailbox names, such as for NNTP (see
    [RFC977]), and for HTTP (see [HTTP]).  Defacto standards also exist
    for well known mailbox names which have nothing to do with a
    particular protocol, e.g., and .

    [...]

    5. SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES

    For major Internet protocol services, there is a mailbox defined
    for receiving queries and reports.  (Synonyms are included, here,
    due to their extensive installed base.)

    MAILBOX        SERVICE             SPECIFICATIONS
    -----------    ----------------    ---------------------------
    POSTMASTER     SMTP                [RFC821], [RFC822]
    HOSTMASTER     DNS                 [RFC1033-RFC1035]
    USENET         NNTP                [RFC977]
    NEWS           NNTP                Synonym for USENET
    WEBMASTER      HTTP                [RFC 2068]
    WWW            HTTP                Synonym for WEBMASTER
    UUCP           UUCP                [RFC976]
    FTP            FTP                 [RFC959]

        --RFC 2142 (URL:ftp://ftp.isi.edu/in-notes/rfc2142.txt)

-- 
Trevor Johnson
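
Added example, not part of the original message: a small sh audit of the pairing proposed above, reporting RFC 2142 service mailboxes whose /etc/aliases entry does not match whether the corresponding inetd service is enabled. The function names and the sample file contents are constructed for illustration, and it only compares the two files; it does not check whether a local account of the same name would still accept mail.

```sh
#!/bin/sh
# Cross-check inetd.conf services against aliases entries (added example).
# Pairs follow the message: ftp->ftp, uucpd->uucp, nntp->usenet and news.

# service_enabled FILE SERVICE: true if SERVICE has an uncommented line.
service_enabled() {
    awk -v s="$2" '$1 == s { found = 1 } END { exit !found }' "$1"
}

# alias_active FILE NAME: true if NAME has an uncommented "name:" entry.
alias_active() {
    awk -F: -v n="$2" '
        NF > 1 { k = $1; gsub(/[ \t]/, "", k); if (tolower(k) == n) found = 1 }
        END { exit !found }' "$1"
}

# audit INETD_CONF ALIASES: print one finding per mismatched mailbox.
audit() {
    for pair in ftp:ftp uucpd:uucp nntp:usenet nntp:news; do
        svc=${pair%%:*} box=${pair#*:}
        if service_enabled "$1" "$svc"; then
            alias_active "$2" "$box" || echo "MISSING $box (service $svc is enabled)"
        else
            alias_active "$2" "$box" && echo "UNNEEDED $box (service $svc is disabled)"
        fi
    done
    return 0
}

# demo: run the audit over constructed sample files (not real configuration).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/inetd.conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#uucpd  stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
#nntp   stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd
EOF
    cat > "$d/aliases" <<'EOF'
postmaster: root
#ftp: root
# uucp: root
news: root
#usenet: root
EOF
    audit "$d/inetd.conf" "$d/aliases"
    rm -rf "$d"
}

demo
```

On a real host, call audit /etc/inetd.conf /etc/aliases instead of demo.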