Slashdot Mirror


Stopping Spam And Trojan Horses With BSD

Brett Glass writes: "This paper, first presented at BSDCon 2000, describes state-of-the-art methods of blocking spam and malware using BSD and Sendmail. The techniques described here are also applicable to other operating systems and mail transfer agents, so this paper is worth reading even if you're using NT, Linux, Postfix, qmail, etc. If you've never heard of a Rumplestiltskin attack, are baffled by the finer points of Sendmail configuration, or want to know how to block worms like ILOVEYOU before they reach vulnerable Windows clients, you'll enjoy this paper. Slides from the presentation are also included."

15 of 54 comments

  1. It's not always just Linus by Cardinal · · Score: 2

    Most security exploits are in userland daemons, not the kernel itself. As such, it's up to the package maintainers to handle fixes, and this is generally done quite fast.

  2. Cardinal explained by Cardinal · · Score: 2

    And to clarify your confusion, I wasn't referring to BSD at any point in my post.

    Most security exploits are in userland daemons, not the kernel itself.

    ...in Linux.

    Which is a response to the comment by Oz:

    Normally when an exploit is found in *BSD it is typically fixed faster than in Linux just because of how they have 'their system of making the system' set up. They have a core team that can say 'yeah we need this' or 'no', and in Linux it's just Linus.

    I was pointing out that "it's just Linus" is usually not the case, because such exploits tend to be in userland, not the kernel.

  3. Pretty sad... by sacherjj · · Score: 2

    I just realized how sad it is that I am actually reading this article at 11:20 pm on Christmas Eve, and enjoying it. Then I realize that Hemos actually posted it about the same time... :)

    Great article. Merry Christmas and Happy Holidays to all!

    1. Re:Pretty sad... by Jose · · Score: 2

      Tuz my (checking web site for probable gender..) man, it's good ta have ya back. We have all thought about going out and getting lives, but it would be just plain wrong. Hopefully you don't have any more relapses, but if ya do, don't worry, you are always welcome back :)

      As a side note, careful what ya say to Hemos; he is a soft fellow. We all know the Cmdr can take it, but old Hemos doesn't stand up as well to it. (Where is Taco anyway? That lazy sack hasn't posted since yesterday morning!)

      Merry Christmas All.

      --
      The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
    2. Re:Pretty sad... by Tuzanor · · Score: 3

      You know, maybe we should all dump /. and get lives...you know, get laid and meet new people. In fact, I'm gonna do that right now. FUCK Taco, FUCK Hemos, and FUCK my Karma. Goodbye forever Slashdot!

      *Gets up and walks away*

      *5 minutes pass*

      *Running sounds back to the computer*

      I'm so sorry everybody, please forgive me, it's Christmas, and I was so wrapped up over the presents that I wasn't thinking properly. Taco, you rule, Hemos, you're dedicated and I swear I'll never do anything like that again...till the next time :-) Seriously, merry Xmas all...

  4. Re:BSD security sucks by blasphemi · · Score: 2

    As he [Theo] states in all the replies to this, which seems reasonable to me, they just fixed a bug during their auditing and did not realize that it was an exploit. This seems very reasonable, but people do not seem to get it, which is very sad.

  5. Sendmail and RBL Lists by mbyte · · Score: 2

    A bit off-topic, but: does anyone know how to configure sendmail so that if the sender domain matches some RBL (ORBS, etc.) "SPAM:" is inserted into the subject line of the header (or some X-SPAM: header is set)?

    The reason behind this is to allow users to choose whether to filter or not. Some users here have contact with ppl on open-relay hosts, and I would like to block them ... ;)

    --
    Samba Information HQ

  6. Re:ive never used a BSD program by mr · · Score: 2

    Never used lp in native Red Hat pre 7.0? That is BSD code.

    Sendmail is another example of BSD derived code.

    Oh, how about the TCP/IP stack? the include file for in_systm.h says "Original taken from BSD UNIX 4.3-RENO"

    If you'd bother to grep for BSD in the Linux kernel, you'd find that BSD is core to Linux.

    And you 'use' a "BSD" program to get to slashdot. Yup, the OpenBSD firewall that is (was) protecting the site.

    --
    If it was said on slashdot, it MUST be true!
  7. Re:Malware? by Brett+Glass · · Score: 2

    See this definition of "malware", which is linked from the first use of the word in the paper!

    --Brett

  8. Re:Article on Daemon News by Brett+Glass · · Score: 2

    Yes; Daemon News, which I normally heartily recommend, also reprinted the paper. (A few of the links have been updated in the master copy.) Unfortunately, they printed a very nasty ad hominem attack on Yours Truly in the "Daemon's Advocate" column in their December issue. This was not called for and the editors certainly should have caught it before it went to print. I think that the publication owes me an apology for that one.

    --Brett

  9. Re:Article on Daemon News by Brett+Glass · · Score: 2

    I did a search on 'Brett' and 'Glass' and didn't find either in Greg's editorial.

    That's because the craven Greg Lehey quoted me without attribution.

    --Brett Glass

  10. Re:Why? Because they're in different markets by jmenezes · · Score: 2

    Are you sure you wanna use tires as a comparison, with all the Firestone stuff going on?
    ;-)
    Just a thought.
    (But good point tho.)

    --
    Stop over-analyzing your analizations
  11. Trap for harvesters. by BlowCat · · Score: 4

    Very nice article, but it misses one very funny method for "trapping" e-mail harvesters by feeding them pages with random addresses.

    Look here.

  12. Feh. by The+Welcome+Rain · · Score: 5

    The referenced article starts with a particularly ridiculous bit of advocacy that renders the rest of it fairly dubious. It recommends sendmail on the basis of market penetration, but carefully avoids mentioning its security vulnerabilities and accumulation of cruft; it then makes a contrived argument that, since sendmail was developed on a BSD box, it should be run on the same. Nonsense. sendmail works equally poorly on many Un*x variants; there's nothing special about BSD in that regard.

    Why should we judge sendmail on its market penetration but avoid judging BSD in the same way? The paper doesn't bother to justify that. I expect its author(s) figured on a sympathetic audience of BSD advocates.

    If you really want to avoid being screwed, run a better MTA -- qmail and exim are reasonable choices. BSD is of course a reasonable choice of OS for that job, as are a number of Un*ces. But don't pick BSD because it will run sendmail -- that's like buying a Colt M1911A1 because it can be converted to full auto. The choice of platform is good, but the reasoning stinks!

    --
    Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
  13. filtering on the message body by thogard · · Score: 5

    Sendmail has a bad habit of not being able to scan the message body, so you have to use an external filter.

    I've got a patch to fix this for 8.11.1 that uses the built-in regex map to allow sendmail to look for a regex in the body of the message.
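An external body filter of the kind this comment describes, added here as an example and not the poster's patch or sendmail's regex map: it walks the MIME parts of a message, matches a regex against decoded text bodies, flags attachments by extension (the ILOVEYOU-style .vbs case from the story), and tags the Subject plus an X-Spam header the way comment 5 asked for, leaving clean mail untouched. The pattern list, extension list and sample message are constructed assumptions, not taken from the paper.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical filter policy (constructed for this example, not from the page):
# regexes to look for in text bodies, and attachment extensions to flag.
BODY_PATTERNS = [re.compile(r"kindly check the attached", re.I)]
BLOCKED_EXTENSIONS = (".vbs", ".exe", ".scr", ".pif")


def scan_message(raw: bytes) -> dict:
    """Scan one RFC 822 message; return which rules fired and why."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append(f"attachment:{name}")
            continue
        if part.get_content_maintype() == "text":
            text = part.get_content()  # decoded text, so the regex sees the real body
            hits.extend(f"body:{p.pattern}" for p in BODY_PATTERNS if p.search(text))
    return {"spam": bool(hits), "hits": hits}


def tag_message(raw: bytes, tag: str = "SPAM:") -> bytes:
    """Prefix Subject and add X-Spam when the scan fires; otherwise return raw unchanged."""
    verdict = scan_message(raw)
    if not verdict["spam"]:
        return raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = f"{tag} {subject}"
    msg["X-Spam"] = "; ".join(verdict["hits"])
    return msg.as_bytes()


def build_sample() -> bytes:
    """Constructed sample shaped like a mass-mailing worm: text body + .vbs attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.net"
    m["Subject"] = "ILOVEYOU"
    m.set_content("Kindly check the attached file coming from me.")
    m.add_attachment(b"' placeholder bytes, not a script\n", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return m.as_bytes()
```

Because the tagged copy keeps the original message intact, the user-side choice between filtering and delivering that comment 5 wants stays with the recipient.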