Stopping Spam And Trojan Horses With BSD
Brett Glass writes: "This paper, first presented at BSDCon 2000, describes state of the art methods of blocking spam and malware using BSD and Sendmail. The techniques described here are also applicable to other operating systems and mail transfer agents, so this paper is worth reading even if you're using NT, Linux, Postfix, qmail, etc. If you've never heard of a Rumplestiltskin attack, are baffled by the finer points of Sendmail configuration, or want to know how to block worms like ILOVEYOU before they reach vulnerable Windows clients, you'll enjoy this paper. Slides from the presentation are also included."
Adding RSS lookups has been the biggest spam killer so far. The first week I had it enabled I was rejecting about 1200 spams a day. Now that the bigger spammers know they can't steal from me so easily, it's down under 100 per day.
The next step is procmail for filtering malware.
Thanks
- H
I'm also interested in this, but I never knew it until you brought it up. It would be very easy for the users to set up a mail filter to move all messages with '[SPAM]' in the subject to /dev/null. It seems that inserting it into the subject line would be much more compatible with all mail readers than custom headers.
I looked into this at some length at my previous job, where we couldn't just drop spam in the bit-bucket for policy reasons, but wanted to identify spam so that users could easily filter it out themselves if they wanted to.
The ideal solution would be something like:
H?Spam?X-Spam: ${RBL} ${ORBS} ${DUL}
where the variables ${Spam}, ${RBL}, ${ORBS}, etc. are set by the standard rulesets. This way, those messages identified as spam would have an X-Spam: header providing more details. Normal messages would be passed unchanged.
Unfortunately, it appears to be impossible to set a variable from inside a ruleset (please tell me if I'm wrong), so this doesn't work.
The next best thing would be
HX-Spam: $>CheckSpam
which would add an X-Spam: header to every message, the value of which would be whatever is returned by the CheckSpam ruleset. Unfortunately, it looks as if sendmail 8.10.2 doesn't allow you to invoke rules from within header definition lines. Brett Glass's article hints otherwise (see Listing 2), but perhaps he's using a newer version of sendmail than I am.
Just to clarify Oz and correct Cardinal's confusion...
There is no separation of kernel and userland in BSD in the same way that there is in a Linux distribution. There are no "package maintainers" because it isn't a package-based distribution. Everything that makes up the system is engineered by the same team of people. It's all in a single source tree under /usr/src rather than a plethora of third party userland apps by who-knows-who.
(Not counting third party applications available via Packages or Ports, of course.)
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
That was mentioned in a wee little paragraph near the end of the "Web Page Address Harvesting" section, and included some simple sample CGI.
What the rbl rule sets do is simply replace the domain name with a target that is later returned as an error.
The change you will need to make is on line 24 of cf/feature/dnsbl.m4. Somehow you are going to have to figure out how to get a header added when a condition happens and then return $: OK. I think I would try to set some variable and then create an "H" line with something like H?Var?X-spam: $Var.
Set up two domain names on your box, one of them with filters.
When the users need to communicate with those using open relays, give them an account with no spam filters.
-- From Denmark
Your posts are hard to read. I suggest you start using less abbreviations and more grammar.
--------
Genius dies of the same blow that destroys liberty.
> > BSD is a mess from a security viewpoint
;)
> Compared to what OS?
Why, Windows 95, of course!
True, but the way I wrote it doesn't cloud what I'm trying to say.
For instance, I just put PMVNC, ported from the open source code, on my OS/2 machine, which I used to access a Linux box and a Win2k box 90 miles from here. I also used an SSH port to access the Linux box. I have had a port of NcFTP for a long time on the machine.
There is also an OS/2 ISP mailing list where they discuss Sendmail usage, SPAM, and a lot of other things; I also participate in that list.
You can find most of this stuff for OS/2 at http://hobbes.nmsu.edu. Xfree86 and Samba links for OS/2 can also be found at their respective sites.
To demonstrate the difference, we run Lotus Notes at work. I have used it for about 5 years. And love it. But often the initial impression a person may have might not approach my fondness or that of the others at work. That is just because you don't know it.
But hear this: When the "I Love You" thing hit, we might have had 75 infected machines [total] out of over 10,000. We were virtually unaffected. And that was the first hit by the virus. It did NOT spread. And as soon as we knew it was there, a tweak of Notes prevented a user from sending it anywhere.
OTOH, I know for a fact that some companies that we deal with were completely down for a week or more trying to fix the mess.
The upside is that Notes is just very reliable and good. Exchange isn't. BTW, we merged with another company of similar size, who was using Exchange. They are converting to Notes right now.
I just got this running at my ISP account and it appeared to be set up correctly, except that I then read that this blocks only 1-3 percent of all spam. After looking at my recent list of received spam, I found that most of it comes from 123456@yahoo.com and similar. You can't (easily) block part of Yahoo, and the spammers can create bogus accounts for each sending, so you can't block by email address.
"The area of penetration will no doubt be sensitive." ~ Spock
The ACs are out in force this Xmas eve!
How sad. Trolls with no families or friends to keep them company on Xmas, so they resort to posting crap and nonsense on /.
Feed the need: Digitaladdiction.net
And were asked to provide links, to provide proof.
Yet, all you do is keep repeating the same things over and over.
When you have some links to back up these claims, please post them.
If it was said on slashdot, it MUST be true!
BSD is a mess from a security viewpoint
Compared to what OS?
Amazing, the BSD troll now has knowledge of the NSA!
*yawn*
Come back with proof!
If you're in this situation, you're in big trouble no matter what MTA you're using.
Sendmail's code isn't as bad as you paint it, though. Thousands of pairs of experienced eyes have pored over it -- certainly more than for any other MTA.
If you really are concerned about Sendmail, wrap it with smtpd or use qmail. Warning: you'll still need to understand the underlying principles to control relaying and block spam and malware. And don't assume that it will necessarily be that much easier. As this FAQ explains, using spam prevention tools such as DNS blacklists with qmail is more complex than doing it with Sendmail (which requires only one line per blacklist in your .mc file).
--Brett
Really, guys -- the "BSD is dead" trolls are getting very, very old. BSD is here for keeps and is gaining in popularity; it's not going away just because a few overzealous advocates of other OSes are in denial. Besides, as I've mentioned, every technique I've mentioned in the paper -- even the Sendmail configuration options, which have equivalents in most other MTAs -- is useful on other OS platforms and with other mail software. So, even if you're a total Linux (or qmail, or exim, or Lotus Notes, or Groupwise) fanatic, you still need to know these techniques to be a good sysadmin. I'd like to see more discussion of filtering techniques.... Even the state of the art filters and HTML manglers are nowhere near perfect yet.
--Brett Glass
If your ISP will let you run Procmail filters (most UNIX-based ones will), your best bet is to set up a Procmail filter which checks the RBL and also looks for other signs of spam. I recommend a couple in the paper.
--Brett
One problem with this, with making a program to use finger from inetd:

    finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s -l -p /usr/local/bin/nonetfinger

BSD inetd will allow you to write stuff in the hosts.allow file, for example:

    fingerd : ALL \
        : severity auth.info \
        : twist /bin/echo "Go away and dont finger me bitch."
Yes, but the way I explained it, kernel vs. OS. You can't do Linux vs. FreeBSD, because FreeBSD is an OS and Linux is a kernel. I didn't mean any flame, btw.
I disagree. Maybe a year ago. But it is getting more and more ground again, especially with OS X.
I agree with that somewhat, but normally when an exploit is found in *BSD it is typically fixed faster than in Linux just because of how they have 'their system of making the system' set up. They have a core team that can say 'yeah, we need this' or 'no', and in Linux it's just Linus. And I can't say anything about other OSes because they're closed source and you don't know when it's going to be fixed. And both have good and bad points for managing kernel/OS.
This article was also part of the November issue of the DaemonNews e-zine. This is a link to that article: http://www.daemonnews.org/200011/stopspam.html.
Sendmail and procmail run under linux and that is what the article is about.
Remember everyone saying "unix is dead" a few years ago? Yeah, right...
- Hubert
Thanks man... maybe we should start a support group, you know? For people who have tasted the drug known as the outside world. The temptations are immense. Like just the other day I almost did my laundry. Like wtf is up with that? ;-)
Haven't heard this one before. Is this "mal-" as in "bad", as in "malicious", "malevolent" and "maladjusted"?
BH
Fools! They laughed at me at the Sorbonne...!
I have had a few too many for most of this to stick right now, but this is definitely a good asset to have.
Again, Thank You
"It is a greater offense to steal men's labor, than their clothes"
My Hi-fi _maxes out_ at -0, and is silent at -Inf.
Does that mean it plays my music backwards?
Calm down pet.
Merry Chrissy all.
FatPhil
-- Real Men Don't Use Porn. -- Morality In Media Billboards
Also FatPhil on SoylentNews, id 863
You are free to browse at -1 and read all about the first posts. You are also free to browse at 0, like I am; there you can read all the flamebaits and redundant posts. What's wrong with negative points? Flamebaits like this are kinda interesting on a boring Christmas day. First posts never are.
Actually, I have used FreeBSD and I have no experience with the FreeBSD elite being unfriendly towards newbies nor do I have the experience of them being helpful... reason - I never asked for help so I don't know. I mailed the NetBSD team a few questions or two and they were very helpful and quick to respond. I have toyed around with OpenBSD once and that's about all. By the way, the BSD's are far from dead. I use linux much more and so do many others, however, I seriously doubt any BSD is going under any time soon.
I hope so! Many times while at work, I will write a company a question and "spoof" my home personal box, so I can check the reply at home and not have the non-work replies in my business in-box. I have had very little trouble with this. I have had people write and ask why my source is on another domain than my reply-to box. I tell them it separates the requested mail from the spam mail.
The truth shall set you free!
It needs a better name.
It does already have a better name. It's called "Unix".
8^}
It needs a better name. Daemonix sounds good, and fits the mascot.
Ashes of Empires and bodies of kings,
The truth about Michael
Is that your problem? Negative points? Well, it's only a matter of "reference". It's a scale, and it happens that "0" is in the middle. If the scale began on 50 and ended on 90, or if it began on -456 and ended on -200, what would the difference be?
Airegin
Well, we all mess up occasionally. Some more than others... If you haven't made the connection yet, wait a second and re-read this. Then read my signature.
-If you see a BIG shining blue light coming from a house that's semi on fire in Asheville, NC, you know it's me. -A l
Most security exploits are in userland daemons, not the kernel itself. As such, it's up to the package maintainers to handle fixes, and this is generally done quite fast.
And to clarify your confusion, I wasn't referring to BSD at any point in my post.
Most security exploits are in userland daemons, not the kernel itself.
...in Linux.
Which is a response to the comment by Oz:
normally when an exploit is found in *BSD it is typically fixed faster than in Linux just because of how they have 'their system of making the system' set up. They have a core team that can say 'yeah, we need this' or 'no', and in Linux it's just Linus.
I was pointing out that "its just linus" is usually not the case, because such exploits tend to be in userland, not the kernel.
I just realized how sad it is that I am actually reading this article at 11:20 pm on Christmas Eve, and enjoying it. Then I realize that Hemos actually posted it about the same time... :)
Great Article. Merry Christmas and Happy Holidays to all!
As he [Theo] states in all the replies to this, which seems reasonable to me, they just fixed a bug during their auditing and did not realize that it was an exploit. This seems very reasonable, but people do not seem to get it, which is very sad.
A bit off-topic, but: does anyone know how to configure sendmail so that if the sender domain matches some RBL (ORBS, etc.) "SPAM:" is inserted into the subject line of the header (or some X-SPAM: header is set)?
... ;)
The reason behind this is to allow users to choose whether to filter or not. Some users here have contact with people on open-relay hosts, and I would like to block them.
Samba Information HQ
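The tagging approach discussed in this thread (the suggestion above to modify dnsbl.m4 so that a listed client sets a variable that an "H?Var?" line picks up, and the question here about setting an X-SPAM header instead of rejecting), written out as an added example. It is not from the paper and not from anyone in the thread. It assumes sendmail 8.10 or later, where a ruleset can store a value in a macro through a map of class `macro` and a header line can be made conditional on a macro with the `H?${name}?` form; the blacklist zone `bl.example.net`, the macro name `{RBLHit}` and the header name `X-Spam-RBL` are placeholders. Verify the macro-conditional header syntax against cf/README and doc/op for the sendmail version you actually run.

```m4
dnl Fragment to append to an existing .mc file; regenerate sendmail.cf with m4.
dnl Unlike FEATURE(`dnsbl'), a listed client is accepted and only tagged.
dnl Zone, macro name and header name are placeholders (assumptions).
LOCAL_CONFIG
# host-class map for DNSBL lookups; <TMP> marks a temporary DNS failure
Krbl host -T<TMP>
# map of class "macro": lets a ruleset set a ${...} macro (sendmail 8.10+)
Kmacro macro
# header added only when ${RBLHit} was set for this connection
H?${RBLHit}?X-Spam-RBL: client ${client_addr} listed in ${RBLHit}

LOCAL_RULESETS
# Appends to Local_check_relay; LHS and RHS below are tab-separated.
SLocal_check_relay
# ${client_addr} is the peer IP a.b.c.d; a DNSBL is queried as d.c.b.a.<zone>.
R$*			$: $&{client_addr}
R$-.$-.$-.$-		$: <?> $(rbl $4.$3.$2.$1.bl.example.net. $: OK $)
# not listed, or lookup failed: leave ${RBLHit} unset and let check_relay go on
R<?>OK			$@ OK
R<?>$+<TMP>		$@ OK
# listed: remember the zone that matched, but still accept the connection
R<?>$+			$: $(macro {RBLHit} $@ bl.example.net $)
```

Because the macro is set in check_relay, every message on that SMTP connection carries the header, and users can then act on `X-Spam-RBL` in procmail or their mail reader while messages from unlisted hosts pass unchanged. If the same .mc also has FEATURE(`dnsbl'), both rulesets run; keep this one for the zones you want to tag and the feature for the zones you want to reject outright.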
Never used lp in native redhat pre 7.0? That is BSD code.
Sendmail is another example of BSD derived code.
Oh, how about the TCP/IP stack? the include file for in_systm.h says "Original taken from BSD UNIX 4.3-RENO"
If you'd bother to grep for BSD in the linux kernel, you'd find that BSD is core to Linux.
And you 'use' a "BSD" program to get to slashdot. Yup, the OpenBSD firewall that is (was) protecting the site.
Are you sure you wanna use tires as a comparison, with all the firestone stuff going on?
;-)
just a thought.
(but good point tho)
Stop over-analyzing your analizations
Look here.
The referenced article starts with a particularly ridiculous bit of advocacy that renders the rest of it fairly dubious. It recommends sendmail on the basis of market penetration, but carefully avoids mentioning its security vulnerabilities and accumulation of cruft; it then makes a contrived argument that, since sendmail was developed on a BSD box, it should be run on the same. Nonsense. sendmail works equally poorly on many Un*x variants; there's nothing special about BSD in that regard.
Why should we judge sendmail on its market penetration but avoid judging BSD in the same way? The paper doesn't bother to justify that. I expect its author(s) figured on a sympathetic audience of BSD advocates.
If you really want to avoid being screwed, run a better MTA -- qmail and exim are reasonable choices. BSD is of course a reasonable choice of OS for that job, as are a number of Un*ces. But don't pick BSD because it will run sendmail -- that's like buying a Colt M1911A1 because it can be converted to full auto. The choice of platform is good, but the reasoning stinks!
--
Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
Sendmail has a bad habit of not being able to scan the message body, so you have to use an external filter.
I've got a patch to fix this for 8.11.1 that uses the built in regex map to allow sendmail to look for a regex in the body of the message.