Gordon Messmer <[email protected]> writes:

> You're hypothesizing the infection of your Unix server with malware,
> and spam is the part you're worried about?
Not the only part. But is it *a* concern? Absolutely. A significant one, I would say.

In the first place, it does happen. I've seen a compromised Linux system used for sending spam, and if you make even a passing attempt to follow the goings and comings in the security community you will quickly realize that this is neither far-fetched nor particularly unusual. (It doesn't make mainstream-media headlines, but neither do Unix rootkits.) Granted, with the incident I happened to observe the system in question was not up-to-date on its security updates, so in all likelihood good practices would have prevented that infection. I believe that's typical. Nonetheless, my point stands: it happens. Unethical persons *do* attempt to compromise Linux systems and use them in said manner.

Further, it's a much more damaging outcome than anything else an attacker (especially an automated attacker) is likely to do (assuming you have backups of your mail, which is pretty much necessary anyway in case of hard drive failure, which is annoyingly common). A root-kitted system can be fixed in one shift (once you are aware of the problem) by wiping the disk and doing a clean install. (If you have a spare server just about ready to go, you can get back up even faster, and still have the infected filesystem available for forensic analysis.) A tarnished reputation is not so easy to repair. Once people (and automated systems) start putting you in filters and blacklists, it can take much more than one shift, and much more effort than a clean install, to get things cleared up and back to normal.

In security there is a principle called "defense in depth" (or, more cynically, "paranoia", but whatever you call it, it's an important part of the mindset of a good network administrator). You try to protect yourself from being broken into in the first place, but there are no absolute guarantees.
A good secure design assumes that there WILL be security failures from time to time and establishes additional measures and barriers to mitigate the damage a successful attack will do, even once the primary security measures are compromised (and also to detect the incursion so that a response can be mounted as soon as possible and the damage repaired).

So yes, I do think it would be useful to be able to restrict what outgoing source ports the mail server uses to send mail, and tell the firewall to drop or reject outgoing mail from all other ports (or, even better, silently redirect them somewhere private for analysis, which has the dual benefit of potentially allowing the attacker or the malware to think it is operating successfully while also providing an extra way for the sysadmin to become aware of the problem).

--
Nathan Eady
Galion Public Library

------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
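The egress policy Nathan describes (let only the MTA's own source-port range reach remote port 25, log everything else and redirect it somewhere private for analysis), as an added example that is not part of the original post and not Courier's own code. It is a plain iptables script; the source-port range 40000-40099, the mail user name "courier", the sink port 2525 and the interface eth0 are constructed values, and the second variant goes beyond the post by matching the socket's owning user instead of its source port, which needs no support from the MTA.

```shell
#!/bin/sh
# Added example, not from the courier-users post or from Courier itself:
# an iptables egress policy that lets only the MTA's own outbound SMTP leave the
# host, logs every other attempt to reach a remote port 25, and redirects it to
# a local sink where it can be examined. Constructed values: MTA source ports
# 40000-40099, mail user "courier", sink port 2525, outbound interface eth0.
set -eu

# Chain used by both variants: log the stray connection (rate limited) and
# redirect it to the sink on this host instead of letting it reach the Internet.
smtp_sink_chain() {
    sink=$1
    cat <<EOF
iptables -t nat -N SMTP_SINK
iptables -t nat -A SMTP_SINK -m limit --limit 6/min -j LOG --log-prefix "SMTP-EGRESS-STRAY: "
iptables -t nat -A SMTP_SINK -j REDIRECT --to-ports ${sink}
EOF
}

# Variant 1 (what the post asks for): trust only the MTA's source-port range.
# Requires the MTA to bind its outbound connections to that range.
smtp_egress_rules() {
    lo=$1; hi=$2; sink=$3; iface=${4:-eth0}
    smtp_sink_chain "$sink"
    cat <<EOF
iptables -t nat -A OUTPUT -o ${iface} -p tcp --dport 25 ! --sport ${lo}:${hi} -j SMTP_SINK
iptables -A OUTPUT -o ${iface} -p tcp --dport 25 --sport ${lo}:${hi} -j ACCEPT
iptables -A OUTPUT -o ${iface} -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Variant 2: no MTA support needed. Match the local user that owns the socket
# instead of the source port; the owner match only applies to locally
# generated packets, which is exactly the case here.
smtp_egress_rules_owner() {
    user=$1; sink=$2; iface=${3:-eth0}
    smtp_sink_chain "$sink"
    cat <<EOF
iptables -t nat -A OUTPUT -o ${iface} -p tcp --dport 25 -m owner ! --uid-owner ${user} -j SMTP_SINK
iptables -A OUTPUT -o ${iface} -p tcp --dport 25 -m owner --uid-owner ${user} -j ACCEPT
iptables -A OUTPUT -o ${iface} -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# "show" prints the rules for review; "apply" runs them (needs root).
case "${1:-show}" in
    apply) smtp_egress_rules 40000 40099 2525 eth0 | sh -e ;;
    show)  smtp_egress_rules 40000 40099 2525 eth0 ;;
esac
```

Something must be listening on the sink port before the rules are applied (even a plain `nc -l` will capture the attempted sessions); the script does not start that listener.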
