Domain: taint.org
Stories and comments across the archive that link to taint.org.
Comments · 74
-
Re:Problem will hit before 2038
It already has. Back in 2006 with some AOLServer code working around an Oracle driver bug of some sort.
-
Re:code review idea
Well, maybe this is a blessing. While it's open source, maybe multiple eyes need to look at it for final validation.
No, it's a curse. I have input fuzzing, unit tests, code coverage profiling and Valgrind memory tests. Such a bug wouldn't have slipped past me with both eyes shut -- no seriously! If I fuck up accidentally like this THE COMPUTER TELLS ME SO without ever having to do anything but make the mistake and type make test all. I test every line of code on every side of my #ifdef options, in all my projects. If you're implementing ENCRYPTION AND/OR SECURITY SOFTWARE then I expect such practices as the absolute minimum effort -- I mean, that's what I do, even when it's just me coding on dinky indie games as a hobby. I don't want to be known as the guy whose game was used to compromise users' credentials or data, that would be game over for me.
These ass-hats have just shown the world that they can't be trusted to use the fucking tools we wrote that would have prevented this shit if they'd just run them. It's really not acceptable. It's hard to comprehend the degree of unacceptable this is. It reeks of intentional disaster masquerading as coy "accidental" screw up, "silly me, I just didn't do anything you're supposed to do when you're developing industry standard security software". No. Just, no. An ancient optimization that was made default even though it only mattered on SOME slower platforms? Yeah, OK, that's fucking dumb, I can buy it as an accident. However, NOT TESTING BOTH BRANCHES for that option? What the actual fuck? I could see someone missing an edge case in their unit test, but not even using input fuzzing at all? It's not hard, shit, I have a script that generates the basic unit fuzzing code from the function signatures in .H files, you know, so you don't miss a stub..."Never attribute to malice what can be adequately explained by stupidity." -- The level of stupidity required is unexplainable. How the fuck are they this inept and in charge of THIS project? THAT'S the real issue. This isn't even the first time OpenSSL shit the bed so bad. In <- this linked example, it was Debian maintainers and not the OpenSSL maintainers fault (directly): Instead of adding an exception to the Valgrind ignore list (which you most frequently must have in any moderately sized project, esp one that handles its own memory management) they instead commented out the source of entropy, making all the SSL connections and keys generated by OpenSSL easily exploitable since it gutted the entropy of the random number generator (which is a known prime target for breakage that's very hard to get right even if you're not evil, so any change thereto needs to be extremely well vetted). Last time the OpenSSL maintainers brazenly commented they "would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was." -- Except that they silently stopped paying attention to the public bug tracker / questions and quietly moved to another dev area, making it nearly impossible to contact them to ask them about anything (a big no-no in Open Source dev), but it gives you a better idea about the sort of maintainers these fuck-tards are.
We don't know absolutely for sure, but we're pretty damn close to absolutely certain that OpenSSL and other security products (see: RSA's BSafe) are being targeted for anti-sec by damn near all the powers that be. So, now we find out OpenSSL has an obsolete optimization -- a custom memory pool (red flag goes up right away if you see memory reuse in a security product, that shit MUST be even more thoroughly checked than entropy-pools, since it can cause remote code execution, memory leaks, and internal state exposure... you don't say?). We find that optimization would have been caught by basic fuzz test with Valgrind, which apparently folks have been using previously according to the comments in the prior S
-
Re:Who cares about spammers
Quite honestly, I have never met a 'victim' of spam in real life or on the Net, not a single time. I'm on the Net for more than 15 years now and nobody I have ever met had a genuine problem with his inbox or bandwidth because of spam. I don't deny that there occasionally are extreme cases but as far as I can see these are fairly rare.
I've seen businesses that rely on email effectively halted due to joe-jobbing/backscatter. That is as much due to misconfigured servers as spam, but it is nonetheless a real world problem that you refuse to recognise for whatever reason. joe-job spam only gets 17.4 million results in google, so I can see how you don't think it's a real issue.
Sorry, you're either trolling or more stupid than the "spam victims" you denigrated.
-
The Russian Solution
It's too bad the Russian spam solution turned out to be a hoax.
-
Re:Let' see how fast they will run out of customer
Good thing then that their wireless passwords for the routers they give out are easy to crack
-
Re:Degree of Compromise?
It's shortened approximately from the age of the known universe to a bit over 10 minutes. See http://taint.org/2008/05/16/165301a.html, which has some useful info.
-
Spammer assasination story a fake!
Original story is on
http://loonov.com/russian-viagra-and-penis-enlargement-spammer-murdered.htm#
Domain Name: LOONOV.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com/
Name Server: NS0.HQHOST.NET
Name Server: NS1.HQHOST.NET
Status: clientTransferProhibited
Updated Date: 11-oct-2007
Creation Date: 11-oct-2007
Expiration Date: 11-oct-2008
Fake hoax information link
http://taint.org/2007/10/11/203243a.html
Domain loonov.com registered Oct 11th... FAKE!!!!
-
Re:Was it a benefit? Don't know, never heard of it
Considering this is the first time I've heard of it, probably not as much as it should have been. Did it help SpamAssassin?
According to Justin Mason, it didn't help SpamAssassin much, at least where testing the effectiveness of rules was concerned. The main problems were that (1) the data was too anonymized to be able to properly test header checks and (2) submissions weren't verified, meaning someone would have to go through the archive and check to make sure there wasn't any legit mail that had accidentally been dropped into the wrong folder. (And, of course, unless you're the original recipient, you can't be absolutely certain whether something was solicited or not.)
-
a HOWTO for Postfix and SpamAssassin
I've been dealing with this a lot recently -- I just wrote up a short howto doc over on my blog yesterday, in fact, using Postfix on the MX to catch most of the bounces, with SpamAssassin to filter out the remainder.
-
latches
It's not called scamming, but it may in fact cost them the case. Sure a patent is valid for 20 years, but waiting a long time to enforce it could lose your rights to it early under US law.
-
Re:I'd say more than 35%
My ISP recently added C/R to their mail servers, and I've lost mailing list traffic as a result. To me this illustrates a key problem with C/R: by being selfish, you win in the short term. If everyone acted so selfishly, email would not be an effective tool for communication.
See also Justin Mason's collection of anti-challenge-response links.
-
Some words of wisdom
Here is an insightful blog posting from Justin Mason about using RBLs (and bl.spamcop.net in particular, which this HOW-TO mentions) for filtering spam. You could see a staggering amount of false positives unless any RBL is only one part of a scoring system which decides whether a mail should be rejected.
-
Re:I hate to say this but...
I was interested myself in installing whatever Gmail uses, cos it does feel like the gmail filter works very well. I had an existing (old) spamassassin installation, but the following investigation convinced me to stay with SA and just upgrade.
http://taint.org/2004/04/15/033025a.html
Whether it holds statistical value or not, is debatable.
Still, Gmail impresses. (And can only get better.)
-
Re:Oracle and its security record
Sure.
The issue with the mail function is that PHP grabs the four variables specified when calling the mail() function, then puts it into a template and pushes it to sendmail/postfix/qmail/etc stdin. Someone can include a template inside the template and php happily treats it as a separate mail even with a totally different from and to field.
The easiest workaround is that you configure your mailserver that the www-data/php user can only send mail to the local network.
More workarounds here. Some discussion about the issue here.
Note: It is possible to exploit this vulnerable mail() implementation even if you hardcode everything but the body. PHP has this vulnerability in 3-5.
-
Re:Article on this amazing species
I've had the honour of sharing a small longtail speedboat with 2 of these giant catfish, live, 6 feet long, and wriggling. Not that I particularly wanted to -- our driver had a thriving sideline in selling live animals up and down the river while he was operating his ferry service ;)
They're called "pla beuk" in Laos, FWIW.
Reportedly, the Mekong river is lower in level in places than it used to be. This also meant that much of the river is less navigable during less of the year now, and travelling by these speedboats is more dangerous. This lowering was apparently caused by damming upriver. I wouldn't be surprised if the lower level of the river has had an effect on the population of these fish and other freshwater aquatic wildlife, such as the pink river dolphins and the giant stingrays, for obvious reasons. It's a shame -- like other major world rivers, the Mekong has a unique ecosystem.
-
No, Unix uses Windows-style permissions
well, it will once MS finally patents them like they did sudo.
http://taint.org/2004/08/20/024522a.html
--
Check out my music video!
-
*we* can invalidate it
Since this is still in the application stage, some good instances of prior art can invalidate, or severely restrict, the final patent. More details here.
-
WHOIS, not DNS
Actually, it appears likely that the article is getting the wrong end of the stick entirely, confusing WHOIS and DNS. more details...
-
Follow-up
Video. Wonder how long that poor schmuck's server will last, but it's not on the Comedy Central page for the Daily Show that I can see.
-
Re:They're annoying
Spamassassin, yes. Antispam registries (think SPEWS), no.
Hate to rain on your parade here, but SpamAssassin does use blocklists by default (as described in the FAQ). It is the existence of such blocklists that has forced certain major ISPs to stop writing "pink contracts" to known spammers and they are the only anti-spam measure that reduces the cost that ISPs have to bear in terms of mail-server storage and excess bandwidth that spam causes. Rest assured that the spam epidemic would be far worse without DNSBLs and the cost of Internet access far higher.
Whitelists may work for some people, but others may need to keep their inboxes open (e.g. vendor support).
-
Re:hmm
Wouldn't you know it, someone already mentioned that...
'Snopes was set up in early 1995 by the CIA as a way to debunk popular conspiracy theories, Companies and individuals can now pay to have their urban legend denied on the site, a prime beneficiary being Richard Gere.'
-
Irish voters: MEP list
As I posted at my blog posting on the issue:
If you are a European and bothered by software patents, now is the time to write to (or even email) MEPs asking them to oppose this directive; it's the 'proposed software patentability directive as amended by JURI' (COM(2002)92 2002/0047). The letter should support the FFII/Eurolinux and/or Green position.
Irish voters: here's the list of Irish MEPs:
- 1. Mrs AHERN, Nuala Group of the Greens/European Free Alliance
- 2. Mr ANDREWS, Niall Union for Europe of the Nations Group
- 3. Mrs BANOTTI, Mary Elizabeth Group of the European People's Party (Christian Democrats) and European Democrats
- 4. Mr COLLINS, Gerard Union for Europe of the Nations Group
- 5. Mr COX, Pat Group of the European Liberal, Democrat and Reform Party
- 6. Mr CROWLEY, Brian Union for Europe of the Nations Group
- 7. Mr CUSHNAHAN, John Walls Group of the European People's Party (Christian Democrats) and European Democrats
- 8. Mr DE ROSSA, Proinsias Group of the Party of European Socialists
- 9. Mrs DOYLE, Avril Group of the European People's Party (Christian Democrats) and European Democrats
- 10. Mr FITZSIMONS, James (Jim) Union for Europe of the Nations Group
- 11. Mr HYLAND, Liam Union for Europe of the Nations Group
- 12. Mr McCARTIN, John Joseph Group of the European People's Party (Christian Democrats) and European Democrats
- 13. Mrs McKENNA, Patricia Group of the Greens/European Free Alliance
- 14. Mr O' NEACHTAIN, Sean Union for Europe of the Nations Group
- 15. Mrs SCALLON, Dana Rosemary Group of the European People's Party (Christian Democrats) and European Democrats
-
pop proxy?
What about a pop proxy? You set up spamassassin, and other auto-detection tools you may need, and point Outlook to the pop proxy (on the same box, or more easily on your fbsd gateway).
Then you can tag or trash. Tagging implies playing with Outlook filters.
.com site
sf repo
Also have a look at SpamAssassin for Windows, the plug and play way.
-
Re:Untraceable?
What a lot of people have suggested (and some have implemented) is to whitelist their incoming email. If you aren't on the list, they aren't interested.
Unfortunately, that does precisely what the anti-spam crowd wants.
Huh? The anti-spam crowd wants to make email useless? That's nonsense. For one thing, "the anti-spam crowd" is meaningless: *everybody* is anti-spam. Even spammers are anti-spam: they just claim that their spam isn't spam.
If you're talking about anti-spam activists, then you're right that some people suggest whitelisting, but I think a lot more activists are in favour of blacklisting and various methods of filtering. They're activists because they want to use email, and spam is making that harder.
Good blacklists and filters make it a lot better. For example, I get around 50 spams a day to my inbox, but only 2-3 a week make it past the SpamAssassin filter and SpamCop filtering service. SpamAssassin gets a few false positives each week; SpamCop gets almost none.
-
Re:happy 1.3 user
The latest version of SpamAssassin also has a Bayesian junk mail filter in it. Tie this together with Exim and SA-Exim, and you've got a tarpit which can learn from the kind of spam which it receives.
Tarpits rule. Why just reject spam, when you can hold the spammer's connection open and continue to suck up resources on his mail server for days? And when the spammer hits enough tarpits, he'll be dead in the water... even quicker if he's stupid enough to try a dictionary attack. If you run a mail server, stick a tarpit on it, and you'll be doing a lot to help stop spammers.
-
Re:Sigh...
I also think that more and more, people are realizing that the only way to really effectively block spam is to use whitelists
In the long run, I think you're right, but thank the stars for spamassassin in the meantime! When I first installed it, about a year ago I think, it was blocking about 8000 message/month just to me! I checked earlier today for other reasons, and found it's grown to 13,000 blocked messages in the last month adding up to 116Meg. It's just f***ing insane. Unfortunately, the 4% it lets through adds up to over 500 messages in the last month, and it did manage to block 3 real messages, but it's still worth it...
-
Re:I don't even use email anymore
If you are posting your email address to a public area (e.g., Usenet), then you might as well get a new email address.
-
Re:Excellent!
Just an idea, if you're running a squid proxy, you probably have a box (and enough knowledge to install) where you can install this:
spampd: Spam Proxy Daemon
spampd acts as an SMTP relay server, and in the process of relaying a message it passes the mail through SA. If SA decides the mail could be spam, then spampd will ask SA to add some headers and a report to the message indicating it's spam and why. spampd is written in Perl and should theoretically run on any platform supported by Perl.
more info here
Or just plain old spamassasin.
And then use a simple filter in your local mail client, and whee, much less spam (and pretty much zero pr0n spam).
My 2 cents
-
[moron alert] Re:Blocking subnets? Use SPEWS.
The Anonymous Coward above me whined:
SPEWS can rot in hell. A properly configured SpamAssassin will block 98% of spam and have 0.01% false positives (I haven't gotten one false positive in a year, but I will someday).
SPEWS may rot in hell (will there be room with all the spammers down there?!) but until then, I'm sure they are glad a moron such as yourself is enjoying the benefits of using their system!
The SPEWS data is part of the DNSBL system that SpamAssassin uses, and is in fact given a nice, high, +2.730 "spam value." A "0.01% false positives" rate?! Does that not show that SPEWS is not the "black your entire NSP" (whatever that means in English) type list you're ranting about.
The moron added:
Please, please don't support SPEWS. I beg you.
Why? With your ringing endorsement I think we all must!
-
spam....
I know it bothers a lot of people...but I mean come on..
MIMEDefang + McAfee (enter favorite virus scanner here) + SpamAssassin makes the spam and viruses pretty much go away.
And here is a great HOWto by Mickey Hill on making it all work together.
Legislation is not going to solve this problem, and only ties up our courts/government with drivel. As many people have mentioned, how is this going to work with international spammers? It's not. Just kill the spam.
-
mod parent down, it's a payware name ripoff
Hey, this isn't the SpamAssassin, it's a pathetic ca$hwear ripoff trying to cash in on the open source version's name
-
SpamAssassin - duh
SpamAssassin works great for me. It eats about 90% of my spam, you just hack up a little procmail file for it, and you're done.
With so many people using SpamAssassin these days, I can't see how this is a timely or newsworthy item. More like from the been-there-done-that dept.
-
Re:Prosecution of theft is a government function!
They were not rhetorical and I welcome your answers. In fact, I'd still like to know whether you think that the junk fax laws should be repealed and why.
Junk fax laws are valid because the technological solution is too complex. Not that it helped me any -- I get several junk faxes per day, and the "removal" numbers are usually bogus.
You seem to believe that normal citizens should invest tens, if not hundreds, of hours each learning about, installing, configuring, and maintaining spam-filtering software
Not true. I'm talking about technological changes that would be transparent to users, like SSL/SMTP or servers that scan for viruses.
There are thousands of marginal candidates that run for offices all over the country. Does each one have a right to spam you?
This is a perfect example of the problems with your laws. Spam is just one of numerous possible types of "bad" e-mail. Under your scheme, you would have to pass a law for each one. You would need increasingly elaborate conditions to differentiate "good" from "bad" to ensure fairness. It would need to be international, or e.g. people could just do their dirty work from Mexico.
Rule-based filters like spamassassin face similar problems. It is the wrong approach. Complex rules are ever-changing and costly to maintain. When they work, it is always at the cost of false positives (i.e. people's freedoms being trampled upon). The correct solution is the transitive trust model, where recipients can decide for themselves what they want to receive.
Well, that's not how e-mail works and it's not going to be changed any time soon -- no matter what hindsight has taught us. We have standards for e-mail in use by millions of users and computers all over the world.
I think this change is inevitable. It's ridiculous that anyone can trivially forge a message from the CEO of any company, when digital signatures are so easy to implement.
If this technology is not implemented by open groups, I guarantee that Microsoft will solve it for you with something like Palladium. They control a huge share of e-mail accounts via hotmail.com and Outlook, and could easily leverage AOL as well. Of course, MS and AOL would choose the centralized trust model (like Verisign) rather than the distributed trust model.
If you're going to spend your effort lobbying for something, pick the least oppressive solution. I choose software. Software is the future of everything.
-Gonz
-
Re:Prosecution of theft is a government function!
Using the term "Big Brother" (from Orwell's 1984) is simply inflammatory. From now on, please use "the government" when referring to the government.
Sure. But you have to agree not to use long sequences of rhetorical questions and confusing boldfaced sentences. ;-)
So where does all of this end? If they can steal my bandwidth, time, and storage with spam, what's next? Should we repeal the junk fax law so that they can steal my expensive thermal paper, too?
Telephone suffers from specific technical problems that make it difficult to screen without humans continuously expending effort. Even if you have caller-ID and can recognize the name, you still have to get up and look at the box. So, I'll concede that maybe government is the last resort. My point, though, is that with e-mail we have a different situation. Existing systems like spamassassin (which filters over 20 spams a day for me) are proof alone.
The Central Hudson test recognizes the constitutionality of regulations restricting advertising that concerns an illegal product or service, or which is deceptive.
What about when the "product" or "service" is completely free? Spam that attracts visitors to banner-supported web sites, or politically motivated spam?
When a sender falsifies e-mail header information and provides a forged from:/reply-to: address, that's deceptive and passes the aforementioned Central Hudson test as speech which can be constitutionally regulated.
Yes, assuming your particular country has a constitution, ANY problem can be constitutionally regulated. But my argument is that this is only a good idea when there aren't easy alternatives. E-mail needs to be updated from its 1970's design anyway. The fact that senders can be trivially forged is totally unacceptable, in an age where public key cryptosystems are so readily available.
Receiving e-mail should NOT be mandatory. Mail servers should automatically reject messages from unvalidated senders. The technological solution of transitive trust is simple, and it would fix many other problems involving authenticity and content filtering.
-Gonz
-
SpamAssassin...
Looks like it's time to start coding SpamAssassin for SMS!
I'm glad I don't have any of those devices...
Wyatt
-
Anomy + AVP + Spamassassin works great.
I have been using Anomy Mail Tools to make decisions about incoming attachments and JavaScript infected messages. I use AVP (although I'll likely switch to one of the free scanners listed in this thread) to scan certain attachments (.doc, .xls, etc.) but otherwise data formats get through and executables get quarantined. If someone wants an executable from quarantine I scan it with Norton Antivirus (thanks Win4Lin) simply because I think that Symantec does a fine job of keeping their system up to date (and I do it maybe twice a year). I also use SpamAssassin for spam filtering. It works really well.
One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.
-
qmail!!
Use qmail as the MTA. It's way more secure, and more compatible with cutting edge virus scanners and spam filters like spamassassin.
Ideally your exchange server should end up being nothing more than a storage place for email (seems like you're doing that). I'll be doing this in about two weeks at my company, too. Good luck!
-
Re:My no spam recipe
I recently set our mail server to block all messages that contain <img src="http://\d{2,3}\. This has cut down the amount of spam we get by a good 90%. There are still some messages that have height tags or otherwise don't fit the regexp.
Why not give SpamAssassin a try? It has very good filters and almost no spam comes through it.
-
or SPAM ASSASSIN
I've been using spamassassin on my qmail server and it r4wKs hardcore. Straight up kills spam. It has some very very intelligent features. Check it out.
-
Re:Christ, Taco.
SpamAssassin can be found here in case anyone would like to look into it :)
-
Re:Good way to filter UCE
This sounds like a good suggestion, but why not make a community effort and use something like:
http://razor.sourceforge.net ?
SpamAssassin (http://spamassassin.taint.org/) uses this approach.
David
-
Re:Never actually noticed....
I tested a program called Spam Assassin that does this sort of analysis. It was so beautiful, so magical, so goddamn hilarious that people came in from other rooms to see what the hell I was laughing at.
It has a zillion clever tests, all weighted by spam-predicting ability. You can use these to calculate a final score for a message and then handle the message differently depending on how spammy it looks. The standard approach is to junk the really spammy stuff, put the clearly good stuff in your inbox, and put the semi-spammy messages in a special folder that you can dig through later.
I haven't installed it for production yet, but I ran it on a few thousand old emails and it did a very good job.
-
Spam Assassin!!!
SPAM is a burden to everyone. As a system admin, I was told to do something about it. After some research, the best solution was to implement SpamAssassin on our linux mail server. I tried sendmail SPAM filters, procmail rules, etc. SpamAssassin is undoubtedly the best solution and I recommend it to everyone. It needs to be implemented at the server level, so email your ISP if you don't have root access. It is a simple perl script that can be run with sendmail (using a C++ version) or in procmail (perl). It is very easy to set up using perl CMOS.
How does it work so well? Spamassassin checks the headers and body of every email passing in to the mail server. It searches the email for certain keywords and phrases and other SPAM characteristics and assigns points to the email based on these. It works very well and has many options --including the ability to have "black lists" and "white lists" in file glob format.
So far I have blocked about 94% of the SPAM coming in through our mail server. It only misses a couple and is highly configurable! Download and install it!
Cheers,
Tom
-
Filter a good chunk of it automatically...
I setup SpamAssassin on my mail server and it catches about 70%+ of all the spam I get. That's a big chunk! Just thought I'd share.
-
I've managed to remove all inbound klez activity..with the simple combination of
It brought my 20-30 klez emails a day down to 0. :)
-
Re:procmail! [Re:The ultimate spam blocker?]
Or you could just use SpamAssassin, which is designed specifically to do this and has many more rules that have been created by others.
--Bruce
-
Re:The ultimate spam blocker?
This would be an awesome tool to block spam. If this program could look at the text of an email message and determine that it is a solicitation of some kind
SpamAssassin will do this part for you.
-
Re:hmm..
It turns out that SpamAssassin has an example in its README file of how to set it up with Mutt so that hitting "X" on a spam reports it to the Razor spam filtering database.
Of course, if SpamAssassin is working properly, the spams you see will be few and far between anyway. Quite a nice program.
-
Razor
In addition to spamcop, which complains to the sender's ISP, there is also Razor, which reports the spam to a filtering network so that it can easily be filtered out by a spam filter such as SpamAssassin. True, you won't be vigilante against them, but it'll cut down the spam for everyone that uses the filters.