Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]):
> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> > So, I'm wondering, does anybody know about any such approach?
> After getting sick of all the virus crap in my inbox I installed the
> following in /etc/exim/system_filter.txt:

This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin.

This filter was the main reason for me switching my email from my university's systems to my own system.

Regards,
cmt
-- 
Spare Space

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:26:53AM +0400, Igor Lyapin wrote:
> Hello Noah,
>
> Could the same approach be used with sendmail? Any examples?
>
> NLM> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> NLM> > So, I'm wondering, does anybody know about any such approach?
> NLM> After getting sick of all the virus crap in my inbox I installed the
> NLM> following in /etc/exim/system_filter.txt:
> [ snip nice long Content-Type: regexp for exim ]

I think sendmail can do similar, but I am not sure where to enable it... for postfix though, have a look at man 5 pcre_table and regexp_table.

Lars Ellenberg
Postfix Security Documentation
Hi,

is there any documentation on securing a postfix server readily available? I didn't find anything much at the postfix homepage, nor in the postfix-doc package. I'd be especially interested in chrooting postfix processes.

Regs,
Sven
-- 
Sven Riedel [EMAIL PROTECTED]
Liebigstr. 38
30163 Hannover
"Python is merely Perl for those who prefer Pascal to C" (anon)
Re: Simple e-mail virus scanner
Hi,

[EMAIL PROTECTED] writes:
> Could the same approach be used with sendmail? Any examples?

I guess you could integrate this in http://www.spamassassin.org. SpamAssassin already scans the email body for signs of spam, so it shouldn't be too hard to add another regex. Although, I never did this myself. I just use SpamAssassin out of the box with procmail.

There's already a sendmail milter at http://savannah.nongnu.org/projects/spamass-milt/

http://www.mimedefang.org/ is another milter for sendmail, which uses SpamAssassin.

Regards,
Olaf.
pam doesn't see nis
I've been running into a problem with NIS on Debian -- everything looks like it should be working, but logins fail with pam saying "user unknown". Here's an example -- I can change the password, so clearly NIS is working, yet at the end the login fails:

[EMAIL PROTECTED]:~# yppasswd student
Changing NIS account information for student on graywhale.
Please enter root password:
Changing NIS password for student on graywhale.
Please enter new password:
Please retype new password:

The NIS password has been changed on graywhale.

[EMAIL PROTECTED]:~# su student
su: Authentication service cannot retrieve authentication info. (Ignored)
[EMAIL PROTECTED]:/root$

Here's what my auth.log says when I try "ssh jellyfish -l student":

Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: check pass; user unknown
Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=graywhale

I saw someone post the identical problem to debian-users (and receive no reply), so I guess it affects a number of people.

Oh, and I should mention: I had this working! Late July, after the last nis upgrade. I did some other upgrade, no idea what, and got the problem. ypcat passwd and all kinds of other NIS map commands work fine.

This is an updated Debian sid running nis 3.9-6.3. I'm setting this up for a high school lab (remotely), and we're all ready to go aside from this. Please cc me -- any suggestions much appreciated! I'm happy to supply more information.

Cheers,
Peter
Re: Postfix Security Documentation
> Hi, is there any documentation on securing a postfix server readily available? I didn't find anything much at the postfix homepage, nor in the postfix-doc package. I'd be especially interested in chrooting postfix processes.

Look at /etc/postfix/sample-master.cf or in the postfix docs, or just see your configuration in /etc/postfix/master.cf

-- 
debian user
Re: Postfix Security Documentation
On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> Hi, is there any documentation on securing a postfix server readily available? I didn't find anything much at the postfix homepage, nor in the postfix-doc package. I'd be especially interested in chrooting postfix processes.

In Debian, postfix is chrooted by default.

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
Re: pam doesn't see nis
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711
Re: Simple e-mail virus scanner
On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> After getting sick of all the virus crap in my inbox I installed the

Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it...

This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person...

Cheers,
Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: ftp.gnu.org cracked
On Tue, Aug 19, 2003 at 11:27:26PM -0400, Matt Zimmerman wrote:
> > 2) Any unsigned sources in ftp.gnu.org could have been trojaned during the March-July period, and most of GNU packages have their corresponding packages in the Debian archive.
> The current evidence suggests that this has not happened.

FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror. There appears to have been no change to it between then and now:

-rw-r--r--    1 1001     3000      1892091 Jun 11 03:19 texinfo-4.6.tar.gz
-rw-r--r--    1 joy      joy       1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz

The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64

> There is a cryptographically signed README on ftp.gnu.org which lists checksums for the files that GNU have been able to verify. You can check against that.

Ah, got it, it wasn't in the mirror hierarchy so I missed it initially. Thanks.

5730c8c0c7484494cca7a7e2d7459c64  gnu/texinfo/texinfo-4.6.tar.gz
[Signed on Wed Aug 13 14:27:46 2003 EDT using DSA key ID D679F6CF]

That's from the upstream maintainer, Karl Berry. Doesn't seem to be in a web of trust but it should be fine nevertheless.

-- 
     2. That which causes joy or happiness.
Re: Postfix Security Documentation
Quoting Tomasz Papszun [EMAIL PROTECTED]:
> On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> > is there any documentation on securing a postfix server readily available? I didn't find anything much at the postfix homepage, nor in the postfix-doc package. I'd be especially interested in chrooting postfix processes.
> In Debian, postfix is chrooted by default.

Not true. A number of processes are chrooted, but not all. Please look at /etc/postfix/master.cf (IIRC). This is a standard feature of Postfix.

Sven, do you want to chroot *all* processes? Postfix is supposed to be secure out of the box (except for programming errors, as we recently saw :-( ). So improving Postfix security should be done inside of Postfix. You may want to use the Postfix mailing list (warning: lots of traffic!) and ask there.

Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
Re: pam doesn't see nis
I guess you just have to add "+::" in /etc/passwd and "+" in /etc/shadow and it will be okay.

Yours sincerely,
Huegesh Marimuthu

On Wed, 20 Aug 2003, Peter Nome wrote:
> I've been running into a problem with NIS on Debian -- everything looks like it should be working, but logins fail with pam saying "user unknown". Here's an example -- I can change the password, so clearly NIS is working, yet at the end the login fails:
> [...]
> This is an updated Debian sid running nis 3.9-6.3. I'm setting this up for a high school lab (remotely), and we're all ready to go aside from this. Please cc me -- any suggestions much appreciated! I'm happy to supply more information.
>
> Cheers,
> Peter
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > After getting sick of all the virus crap in my inbox I installed the
>
> Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it...
>
> This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person...

The mail server that sent the bounce. This is called a double bounce. Correct me if this is wrong ...

-- 
Yannick Van Osselaer
Public Key: wwwkeys.us.pgp.net
Re: Postfix Security Documentation
On Wed, 20 Aug 2003 at 12:59:39 +0200, Lupe Christoph wrote:
> Quoting Tomasz Papszun [EMAIL PROTECTED]:
> > On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> > > is there any documentation on securing a postfix server readily available? I didn't find anything much at the postfix homepage, nor in the postfix-doc package. I'd be especially interested in chrooting postfix processes.
> > In Debian, postfix is chrooted by default.
> Not true. A number of processes are chrooted, but not all. Please look at /etc/postfix/master.cf (IIRC). This is a standard feature of Postfix.

Sure, I know it.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  n       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp

But I think that (almost?) all processes that _can_ be chrooted, _are_ chrooted. How could the 'local' process deliver mail to user mailboxes if it would be chrooted?? If I'm wrong and it's possible somehow, someone may correct me of course.

> Sven, do you want to chroot *all* processes? Postfix is supposed to be secure out of the box

I think the same :-) .

> (except for programming errors, as we recently saw :-( ).

Even those, they were just vulnerable to DoS and bounce scans, not break-ins.

> So improving Postfix security should be done inside of Postfix. You may want to use the Postfix mailing list (warning: lots of traffic!) and ask there.
>
> Lupe Christoph

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
Re: pam doesn't see nis
* Huegesh Marimuthu ([EMAIL PROTECTED]) [030820 13:35]:
> I guess you just have to add "+::" in /etc/passwd and "+" in /etc/shadow and it will be okay.

Wrong. This was even deprecated when I started using Linux in 1996.

No, nis is just broken on sid. See e.g. http://bugs.debian.org/204682

To the original poster: If you want really working code, take woody. Security updates are also only for woody. It is appreciated if you help testing and bug fixing, but it is not recommended for production use. And please remember - sid is the boy next door who destroys toys.

Cheers,
Andi
-- 
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > So, I'm wondering, does anybody know about any such approach?
> > After getting sick of all the virus crap in my inbox I installed the
> > following in /etc/exim/system_filter.txt:
> This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin.

I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. Same goes for the few other people who use this mail server. I would be much more careful about installing this filter in a setting where dozens or hundreds of users may be affected by it.

And yes, it was based on Nigel Metheringham's filter. I just copy-pasted the chunks that I used.

noah
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 06:52 am, Yannick Van Osselaer wrote:
> On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> > On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person...
> The mail server that sent the bounce. This is called a double bounce. Correct me if this is wrong ...

Yes, it goes back to the server doing the sending. It's a double bounce when the bounce message itself bounces. I don't know how this virus is propagating itself, but I would imagine that if it does the sending itself, rejecting at the initial smtp session would not result in a double bounce. However, if it uses some relay (that it either set up itself, or found on a network, etc) and used forged headers, then it will go to some unsuspecting person (whoever is in the headers).

Jay
-- 
Jay Kline
http://www.slushpupie.com/
Re: Debian Stable server hacked
On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote:
> On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote:
> > It actually does a very good job of stopping any kind of stack-smashing attack dead in its tracks (both the stack and heap are marked as non-executable). That takes care of most vulnerabilities, both known and unknown.
> No, it really doesn't. It might stop some common implementations of exploits, but that's about it. There are many papers available which describe the shortcomings of this kind of prevention.

Could you provide some pointers on the topic?

> You don't need an executable stack to get control of execution, you only need to be able to change the instruction pointer, which is stored on the stack (as data).

PaX is not just about non-executable address regions, but address space randomization. In my understanding, the attacker just doesn't know what he should modify the IP to. Given this, are you certain that only a narrow range of exploits (common implementations) can be killed via PaX?

bit,
adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind Sleep forever
Re: Postfix Security Documentation
On Wednesday 20 August 2003 06:26 am, Tomasz Papszun wrote:
> Sure, I know it.
>
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (50)
> # ==========================================================================
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
>
> But I think that (almost?) all processes that _can_ be chrooted, _are_ chrooted. How could the 'local' process deliver mail to user mailboxes if it would be chrooted?? If I'm wrong and it's possible somehow, someone may correct me of course.

It is possible, but with some extra work. You need to have the delivery destination in the chroot jail with it. For example, if you have it chroot to /var/spool/postfix then you want to make /var/spool/postfix/var/spool/mail/ as that will be where mail is delivered to by default. Using "mount -o bind /var/spool/mail /var/spool/postfix/var/spool/mail" you can have the same stuff in both locations (or reverse it if you are really paranoid about security).

> > Sven, do you want to chroot *all* processes? Postfix is supposed to be secure out of the box
> I think the same :-) .

I think the added steps of chrooting the last three processes is unnecessary, except for overly paranoid experts. I say experts, because in changing the default behavior of postfix, it is possible to open up more security problems than you are preventing, and at the same time make it harder for you to detect such problems.

> > (except for programming errors, as we recently saw :-( ).
> Even those, they were just vulnerable to DoS and bounce scans, not break-ins.

These sort of things will always be around, in every mail system. It's due to the fact SMTP is such a horrid protocol. But we are stuck with it, so we do the best we can with tradeoffs.

> > So improving Postfix security should be done inside of Postfix. You may want to use the Postfix mailing list (warning: lots of traffic!) and ask there.

There are also several irc channels for postfix scattered about - they are not real talkative, but it's certainly less traffic than the postfix list.

Jay
-- 
Jay Kline
http://www.slushpupie.com/
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]):
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin.
> I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter.

I don't care for these files, but having to resubscribe to Bugtraq every few weeks got on my nerves. The trouble is that these regex filters might see attachments where no attachments are. If you can live with this, go on, it is the easiest and cheapest way to reduce the viruses and worms in your inbox.

Regards,
cmt
-- 
Spare Space
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans wrote:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin.
> I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. Same goes for the few other people who use this mail server. I would be much more careful about installing this filter in a setting where dozens or hundreds of users may be affected by it.
>
> And yes, it was based on Nigel Metheringham's filter. I just copy-pasted the chunks that I used.
>
> noah

Isn't he saying that if I do the following:

  hey I get a lot of these document_all.pif recently

this message here gets filtered? This never happened to me using the example which was at the exim ftp-site for a while (can't find it anymore - who'd like a copy of mine?)

I was bitten by the more general approach of mailscanner (apt-cache show mailscanner) where every document1.sxw.pdf is treated as bad. So I had to turn this feature off.

As usual never ever take automated action based on a simple thing like filename or whatever. Sort them to a special mailbox and let a human look at it. (me being very annoyed about all these "there was a virus in your mail" I get on top of the mess)

These filters can fend off a lot of this stuff and are very cheap (in price and CPU-time). I can only recommend using it (the right way).

Regards,
pascal
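To make cmt's objection (the filter matches header-looking text in the body rather than real MIME parts) and pascal's question (does a bare mention of a .pif filename trigger it?) concrete, here is an added example of my own, not code from the thread and not Nigel Metheringham's filter. It renders the quoted filter's "unquoted filename" pattern in Python and runs it side by side with a proper MIME parse over three constructed messages: a list post that quotes a worm's Content-Type line in its text, a worm-style message carrying a real .pif attachment, and a post that only mentions a .pif filename in prose. The extension list is the one from the quoted filter; the addresses, filenames and message bodies are made up for the demonstration. In Exim, $message_body is the body with newlines turned into spaces, so the filter cannot anchor to the start of a header line; the code reproduces that flattening.

```python
"""Body-regex attachment filter (as in the quoted Exim system_filter) versus a real MIME parse.

Added example, not code from the thread. The extension list is the one in the quoted
filter; the sample messages are constructed for the demonstration.
"""
import re
from email import message_from_string
from typing import Optional

# Extension alternation copied from the quoted system_filter.
DANGEROUS_EXT = (
    r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]"
)

# Python rendering of the filter's pattern: a Content-Type/Content-Disposition header
# or a uuencode "begin" line followed by a filename with one of the extensions above.
# It runs over body *text* with no notion of MIME structure, so quoted headers match too.
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)"
    r'"?([^\s"]+\.(?:' + DANGEROUS_EXT + r'))"?[\s;]',
    re.IGNORECASE,
)

# Applied to filenames of real attachment parts after MIME parsing.
EXT_RE = re.compile(r"\.(?:" + DANGEROUS_EXT + r")$", re.IGNORECASE)


def body_regex_filter(raw: str) -> Optional[str]:
    """Mimic the Exim filter: regex over the body as flat text (newlines become spaces,
    as in $message_body), so no line anchors are possible. Returns the matched name."""
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    m = BODY_RE.search(body.replace("\n", " "))
    return m.group(1) if m else None


def mime_filter(raw: str) -> Optional[str]:
    """Parse the MIME tree and inspect only the filenames of real (leaf) parts."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and EXT_RE.search(name):
            return name
    return None


def compare(raw: str) -> dict:
    """Run both filters and report what each one would reject on (None = passes)."""
    return {"body_regex": body_regex_filter(raw), "mime": mime_filter(raw)}


# Constructed sample 1: a legitimate list post quoting a worm's header line in its text.
LIST_POST = """\
From: alice@example.org
To: list@example.org
Subject: Re: Sobig.F headers
MIME-Version: 1.0
Content-Type: text/plain

Every copy I get from this worm carries the same attachment line:

  Content-Type: application/octet-stream; name="wicked_scr.scr"

Should we filter on that?
"""

# Constructed sample 2: a worm-style message with an actual .pif attachment.
WORM_MAIL = """\
From: bob@example.org
To: alice@example.org
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

See the attached file for details.
--xyz
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--xyz--
"""

# Constructed sample 3: pascal's case, a bare mention of a filename in prose.
PLAIN_MENTION = """\
From: carol@example.org
To: list@example.org
Subject: virus flood

hey I get a lot of these document_all.pif recently
"""

if __name__ == "__main__":
    for label, raw in (("list post", LIST_POST), ("worm", WORM_MAIL), ("mention", PLAIN_MENTION)):
        print(f"{label:10s} {compare(raw)}")
```

Run it and the list post is rejected by the body regex (on wicked_scr.scr) but passes the MIME parser, the worm message is caught by both, and the bare mention passes both, which is what pascal observed. The same split applies to the filter's uuencode branch: a post that quotes a "begin 644 something.exe" line is at the same risk as one quoting a header.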
Re: Debian Stable server hacked
On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote:
> > No, it really doesn't. It might stop some common implementations of exploits, but that's about it. There are many papers available which describe the shortcomings of this kind of prevention.
> Could you provide some pointers on the topic?

There was recently a long thread on bugtraq about this very topic (Subject was "Buffer overflow prevention"). You'll find some valuable information in there. The thread got kicked off bugtraq to secprog by the moderator and may still be alive there.

noah
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that sent the bounce. This is called a double bounce. Correct me if this is wrong ...
> Yes, it goes back to the server doing the sending. It's a double bounce when the bounce message itself bounces. I don't know how this virus is propagating itself, but I would imagine that if it does the sending itself, rejecting at the initial smtp session would not result in a double bounce. However, if it uses some relay (that it either set up itself, or found on a network, etc) and used forged headers, then it will go to some unsuspecting person (whoever is in the headers).

I've examined a few messages I've got now, and none of them had been through any relays. In fact, they had all been sent directly from dialups or *DSL users. Here are the headers of an example:

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
        id 19pYJ2-0007EM-00
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
        by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
        id 19pYIZ-0007E7-00
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_000FCE03"
Message-Id: [EMAIL PROTECTED]

(BTW, don't send anything to the [EMAIL PROTECTED] address, ever. It is intended as a spamtrap... Unfortunately, viruses like this limit its usefulness as spamtrap, that's one of the reasons I want to filter this before going to SpamAssassin)

OK, so if I get this correctly, a double bounce would result in that I get the bounce, but that's unlikely to occur. But it is still not clear to me who gets the bounce; it would be the sender on the envelope, but that's [EMAIL PROTECTED] in this case, right? And that's something I wouldn't want to happen...

Best,
Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Simple e-mail virus scanner
Kjetil Kjernsmo wrote:
> Dear all,
>
> I guess I'm not really looking for a security solution, but I guess you folks are the most likely to know, so I try here... In the last couple of hours, I've got about 25 100KB of the recent Sobig.f M$ virus, along with about the same number of bogus "there was a virus in an e-mail you sent". It would be really great to be able to filter those out so that I don't need to see them, that is, get them in a folder I can clean out now and then. But I don't want to run a full-scale virus scanner, because for the time being, I really don't need any, as no e-mail is read on an MS machine here.
>
> I figured, most viruses should be able to detect by using simple regexs, right? So, a simple scanner that looks for a number of regexs available from a repository could do the trick...? Or perhaps use something like Vipul's Razor for this kind of stuff...?
>
> So, I'm wondering, does anybody know about any such approach?
>
> Cheers,
> Kjetil

You may just want to bite the bullet and install amavisd-new. Even though you're not really worried about the viruses per se, it will filter out the crap. If Sobig.F is any indication, this may become more desirable.

You may even just want to install amavis without a virus scanner (and just searching for banned filenames), if an AV program imposes too much of a load on your system. Amavis also is nice for catching executable files that are so common with current worms (our install actually was catching Sobig.F this way before the AV signatures were updated). If you're not reading email on an MS machine, I'm guessing it's fairly rare for you to receive legit emails with .pif, .exe, or .bat attachments. The nice thing is, amavis will do a better job at catching the attachments than some of the ad hoc methods discussed earlier (see the config section on banned filenames). Another plus is that it can be configured to SMTP reject the message, instead of accepting and then bouncing.

--Rich
_
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_
Re: pam doesn't see nis
Quoting Jamie Heilman [EMAIL PROTECTED]:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711

Thanks for the help on the NIS problem -- it's a known bug in sid (glibc/libc6 most likely).

Sid sometimes gets mistaken for the boy next door who destroys toys, quite unfairly. He's the guy in the choir, with a very occasional spitball.

Cheers,
Peter
Out of Office AutoReply: Wicked screensaver
I am TDY until 25 AUG. If you require assistance please contact the following: CDR DAN Shaka Hinson is the acting CO, he can be reached at DSN 949-1169/COMM 559-998-1169 or by e-mail [EMAIL PROTECTED] or... MS. Pam Knotts: x1159 [EMAIL PROTECTED]
Re[2]: Simple e-mail virus scanner
Hello Noah,

Could the same approach be used with sendmail? Any examples?

NLM> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
NLM> > So, I'm wondering, does anybody know about any such approach?
NLM>
NLM> After getting sick of all the virus crap in my inbox I installed the
NLM> following in /etc/exim/system_filter.txt:
NLM>
NLM> ## ---
NLM> # Attempt to catch embedded VBS attachments
NLM> # in emails.  These were used as the basis for
NLM> # the ILOVEYOU virus and its variants - many many variants
NLM>
NLM> # Quoted filename - [body_quoted_fn_match]
NLM> if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\s;]"
NLM> then
NLM>   fail text "This message has been rejected because it has\n\
NLM>   a potentially executable attachment $1\n\
NLM>   This form of attachment has been used by\n\
NLM>   recent viruses or other malware.\n\
NLM>   If you meant to send this file then please\n\
NLM>   package it up as a zip file and resend it."
NLM>   seen finish
NLM> endif
NLM>
NLM> # same again using unquoted filename [body_unquoted_fn_match]
NLM> if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
NLM> then
NLM>   fail text "This message has been rejected because it has\n\
NLM>   a potentially executable attachment $1\n\
NLM>   This form of attachment has been used by\n\
NLM>   recent viruses or other malware.\n\
NLM>   If you meant to send this file then please\n\
NLM>   package it up as a zip file and resend it."
NLM>   seen finish
NLM> endif
NLM> ## ---
NLM>
NLM> And put
NLM>
NLM>   message_filter = /etc/exim/system_filter.txt
NLM>
NLM> in /etc/exim/exim.conf
NLM>
NLM> It seems to be working.  I've seen a couple of rejections get logged in
NLM> /var/log/exim/mainlog since I installed it an hour ago.  Why these
NLM> rejections don't go to /var/log/exim/rejectlog I don't know, but the
NLM> point is that the junk is not cluttering my mailbox.
NLM>
NLM> noah

Best regards,
Igor Lyapin
International Development Bank
+7 095 7300850
+7 095 7300851 (fax)
mailto:[EMAIL PROTECTED]
Re: Simple e-mail virus scanner
Hi,

Игорь Ляпин [EMAIL PROTECTED] writes:

> Could the same approach be used with sendmail? Any examples?

I guess you could integrate this in http://www.spamassassin.org.
SpamAssassin already scans the email body for signs of spam, so it
shouldn't be too hard to add another regex. Although, I never did this
myself. I just use SpamAssassin out of the box with procmail.

There's already a sendmail milter at
http://savannah.nongnu.org/projects/spamass-milt/

http://www.mimedefang.org/ is another milter for sendmail, which uses
SpamAssassin.

Regards,
Olaf.
pam doesn't see nis
I've been running into a problem with NIS on Debian -- everything looks
like it should be working, but logins fail with pam saying "user unknown".

Here's an example -- I can change the password, so clearly NIS is
working, yet at the end the login fails:

[EMAIL PROTECTED]:~# yppasswd student
Changing NIS account information for student on graywhale.
Please enter root password:
Changing NIS password for student on graywhale.
Please enter new password:
Please retype new password:

The NIS password has been changed on graywhale.

[EMAIL PROTECTED]:~# su student
su: Authentication service cannot retrieve authentication info. (Ignored)
[EMAIL PROTECTED]:/root$

Here's what my auth.log says when I try "ssh jellyfish -l student":

Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: check pass; user unknown
Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=graywhale

I saw someone post the identical problem to debian-users (and receive no
reply), so I guess it affects a number of people.

Oh, and I should mention: I had this working! Late July, after the last
nis upgrade. I did some other upgrade, no idea what, and got the problem.
ypcat passwd and all kinds of other NIS map commands work fine.

This is an updated Debian sid running nis 3.9-6.3. I'm setting this up
for a high school lab (remotely), and we're all ready to go aside from
this.

Please cc me -- any suggestions much appreciated! I'm happy to supply
more information.

Cheers,
Peter
Re: Postfix Security Documentation
> Hi,
> is there any documentation on securing a postfix server readily
> available? I didn't find anything much at the postfix homepage, nor in
> the postfix-doc package. I'd be especially interested in chrooting
> postfix processes.

look at /etc/postfix/sample-master.cf or in postfix doc's or just see
your configuration in /etc/postfix/master.cf

--
debian user
Re: Postfix Security Documentation
On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> Hi,
> is there any documentation on securing a postfix server readily
> available? I didn't find anything much at the postfix homepage, nor in
> the postfix-doc package. I'd be especially interested in chrooting
> postfix processes.

In Debian, postfix is chrooted by default.

--
Tomasz Papszun  SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]  http://www.lodz.tpsa.pl/    | ones and zeros.
Re: pam doesn't see nis
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711
Re: Simple e-mail virus scanner
On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> After getting sick of all the virus crap in my inbox I installed the

Thanks, that looks interesting! I'm using the Debian Stable Exim
packages too, so I guess this is something I can just cut'n'paste in! :-)

And it seems I really need it now... My server is getting hammered
badly, and when fetching my e-mail this morning, my POP client timed
out three times before I got it...

This filter will reject at SMTP-time, right? One question there: who
gets the bounce? I'm getting a whole lot of bounces, and I don't want to
bother anyone else with bounces that go to the wrong person...

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/  OpenPGP KeyID: 6A6A0BBC
Re: ftp.gnu.org cracked
On Tue, Aug 19, 2003 at 11:27:26PM -0400, Matt Zimmerman wrote:
> > > > 2) Any unsigned sources in ftp.gnu.org could have been trojaned
> > > > during the March-July period, and most of GNU packages have their
> > > > corresponding packages in the Debian archive.
> > > The current evidence suggests that this has not happened.
> > FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror. There
> > appears to have been no change to it between then and now:
> >   -rw-r--r--  1 1001  3000  1892091 Jun 11 03:19       texinfo-4.6.tar.gz
> >   -rw-r--r--  1 joy   joy   1892091 2003-07-11 15:31   texinfo_4.6.orig.tar.gz
> > The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64
> There is a cryptographically signed README on ftp.gnu.org which lists
> checksums for the files that GNU have been able to verify. You can check
> against that.

Ah, got it, it wasn't in the mirror hierarchy so I missed it initially.
Thanks.

5730c8c0c7484494cca7a7e2d7459c64  gnu/texinfo/texinfo-4.6.tar.gz
[Signed on Wed Aug 13 14:27:46 2003 EDT using DSA key ID D679F6CF]

That's from the upstream maintainer, Karl Berry. Doesn't seem to be in a
web of trust but it should be fine nevertheless.

--
     2. That which causes joy or happiness.
Re: Postfix Security Documentation
Quoting Tomasz Papszun [EMAIL PROTECTED]:
> On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> > is there any documentation on securing a postfix server readily
> > available? I didn't find anything much at the postfix homepage, nor in
> > the postfix-doc package. I'd be especially interested in chrooting
> > postfix processes.
>
> In Debian, postfix is chrooted by default.

Not true. A number of processes are chrooted, but not all. Please look
at /etc/postfix/master.cf (IIRC). This is a standard feature of Postfix.

Sven, do you want to chroot *all* processes? Postfix is supposed to be
secure out of the box (except for programming errors, as we recently
saw :-( ). So improving Postfix security should be done inside of
Postfix. You may want to use the Postfix mailing list (warning: lots of
traffic!) and ask there.

Lupe Christoph
--
| [EMAIL PROTECTED]         |  http://www.lupe-christoph.de/ |
| Violence is the resort of the violent     Lu Tze           |
| Thief of Time, Terry Pratchett                             |
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > After getting sick of all the virus crap in my inbox I installed the
>
> Thanks, that looks interesting! I'm using the Debian Stable Exim
> packages too, so I guess this is something I can just cut'n'paste in! :-)
>
> And it seems I really need it now... My server is getting hammered
> badly, and when fetching my e-mail this morning, my POP client timed
> out three times before I got it...
>
> This filter will reject at SMTP-time, right? One question there: who
> gets the bounce? I'm getting a whole lot of bounces, and I don't want
> to bother anyone else with bounces that go to the wrong person...

The mail server that sends the bounce. This is called a double bounce.
Correct me if this is wrong ...

--
Yannick Van Osselaer
Public Key: wwwkeys.us.pgp.net
Re: Postfix Security Documentation
On Wed, 20 Aug 2003 at 12:59:39 +0200, Lupe Christoph wrote:
> Quoting Tomasz Papszun [EMAIL PROTECTED]:
> > On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
> > > is there any documentation on securing a postfix server readily
> > > available? I didn't find anything much at the postfix homepage, nor
> > > in the postfix-doc package. I'd be especially interested in
> > > chrooting postfix processes.
> >
> > In Debian, postfix is chrooted by default.
>
> Not true. A number of processes are chrooted, but not all. Please look
> at /etc/postfix/master.cf (IIRC). This is a standard feature of Postfix.

Sure, I know it.

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  n       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp

But I think that (almost?) all processes that _can_ be chrooted, _are_
chrooted. How could the 'local' process deliver mail to user mailboxes
if it would be chrooted?? If I'm wrong and it's possible somehow,
someone may correct me of course.

> Sven, do you want to chroot *all* processes? Postfix is supposed to be
> secure out of the box

I think the same :-) .

> (except for programming errors, as we recently saw :-( ).

Even those, they were just vulnerable to DoS and bounce scans, not
break-ins.

> So improving Postfix security should be done inside of Postfix. You
> may want to use the Postfix mailing list (warning: lots of traffic!)
> and ask there.
>
> Lupe Christoph

--
Tomasz Papszun  SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]  http://www.lodz.tpsa.pl/    | ones and zeros.
Re: pam doesn't see nis
* Huegesh Marimuthu ([EMAIL PROTECTED]) [030820 13:35]:
> I guess you just have to add +:: in /etc/passwd; + in /etc/shadow and
> it will be okay.

Wrong. This was even deprecated when I started using Linux in 1996.

No, nis is just broken on sid. See e.g. http://bugs.debian.org/204682

To the original poster: If you want really working code, take woody.
Security updates are also only for woody. It is appreciated if you help
testing and bug fixing, but it is not recommended for production use.
And please remember - sid is the boy next door who destroys toys.

Cheers,
Andi
--
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > So, I'm wondering, does anybody know about any such approach?
> > After getting sick of all the virus crap in my inbox I installed the
> > following in /etc/exim/system_filter.txt:
>
> This approach yields a high false positive rate. This can be a major
> annoyance on mailing lists, when you get unsubscribed because of a
> matching mail body. Your filter (which seems to be based on Nigel
> Metheringham's system_filter) does not parse MIME headers but just
> looks for filenames following Content-Type or begin.

I agree that it is not optimal. However, as I don't run Windows I don't
expect to see any legitimate attachments whose file names match the
regex in that filter. Same goes for the few other people who use this
mail server. I would be much more careful about installing this filter
in a setting where dozens or hundreds of users may be affected by it.

And yes, it was based on Nigel Metheringham's filter. I just copy-pasted
the chunks that I used.

noah
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 06:52 am, Yannick Van Osselaer wrote:
> On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> > On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > This filter will reject at SMTP-time, right? One question there: who
> > gets the bounce? I'm getting a whole lot of bounces, and I don't want
> > to bother anyone else with bounces that go to the wrong person...
>
> The mail server that sends the bounce. This is called a double bounce.
> Correct me if this is wrong ...

Yes, it goes back to the server doing the sending. It's a double bounce
when the bounce message itself bounces.

I don't know how this virus is propagating itself, but I would imagine
that if it does the sending itself, rejecting at the initial smtp
session would not result in a double bounce. However, if it uses some
relay (that it either set up itself, or found on a network, etc) and
used forged headers, then it will go to some unsuspecting person
(whoever is in the headers).

Jay
--
Jay Kline
http://www.slushpupie.com/
Re: Postfix Security Documentation
On Wednesday 20 August 2003 06:26 am, Tomasz Papszun wrote:
> Sure, I know it.
>
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (50)
> # ==========================================================================
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
>
> But I think that (almost?) all processes that _can_ be chrooted, _are_
> chrooted. How could the 'local' process deliver mail to user mailboxes
> if it would be chrooted?? If I'm wrong and it's possible somehow,
> someone may correct me of course.

It is possible, but with some extra work. You need to have the delivery
destination in the chroot jail with it. For example, if you have it
chroot to /var/spool/postfix then you want to make
/var/spool/postfix/var/spool/mail/ as that will be where mail is
delivered to by default. Using

  mount -o bind /var/spool/mail /var/spool/postfix/var/spool/mail

you can have the same stuff in both locations (or reverse it if you are
really paranoid about security).

> > Sven, do you want to chroot *all* processes? Postfix is supposed to
> > be secure out of the box
>
> I think the same :-) .

I think the added steps of chrooting the last three processes is
unnecessary, except for overly paranoid experts. I say experts, because
in changing the default behavior of postfix, it is possible to open up
more security problems than you are preventing, and at the same time
make it harder for you to detect such problems.

> > (except for programming errors, as we recently saw :-( ).
>
> Even those, they were just vulnerable to DoS and bounce scans, not
> break-ins.

These sort of things will always be around, in every mail system. It's
due to the fact SMTP is such a horrid protocol. But we are stuck with
it, so we do the best we can with tradeoffs.

> > So improving Postfix security should be done inside of Postfix. You
> > may want to use the Postfix mailing list (warning: lots of traffic!)
> > and ask there.

There are also several irc channels for postfix scattered about - they
are not real talkative, but it's certainly less traffic than the postfix
list.

Jay
--
Jay Kline
http://www.slushpupie.com/
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]):
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> >
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > matching mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following Content-Type or begin.
>
> I agree that it is not optimal. However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter.

I don't care for these files, but having to resubscribe to Bugtraq every
few weeks got on my nerves. The trouble is that these regex filters
might see attachments where no attachments are. If you can live with
this, go on, it is the easiest and cheapest way to reduce the virii and
worms in your inbox.

Regards,
cmt
--
Spare Space
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans said:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> >
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > matching mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following Content-Type or begin.
>
> I agree that it is not optimal. However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter. Same goes for the few other people who use this
> mail server. I would be much more careful about installing this filter
> in a setting where dozens or hundreds of users may be affected by it.
>
> And yes, it was based on Nigel Metheringham's filter. I just copy-pasted
> the chunks that I used.
>
> noah

Isn't he saying that if i do the following:

  hey I get a lot of these "document_all.pif" recently

this message here gets filtered? This never happened to me using the
example which was at the exim ftp-site for a while (can't find it
anymore - who likes a copy of mine?)

I was bitten by the more general approach of mailscanner (apt-cache show
mailscanner) where every document1.sxw.pdf is treated as bad. So I had
to turn this feature off.

As usual never ever take automated action based on a simple thing like
filename or whatever. Sort them to a special mailbox and let a human
look at it. (me being very annoyed about all these "there was a virus in
your mail" I get on top of the mess)

These filters can fend off a lot of this stuff and are very cheap (in
price and CPU-time). I can only recommend using it (the right way).

regards
pascal
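To make cmt's objection (the filter greps the body text rather than parsing MIME, as quoted in the replies above) and pascal's "document_all.pif" question concrete, here is an added example that is not code from the thread: a Python port of the filter's quoted-filename rule run over the raw body, next to a check that walks the parsed MIME tree and only looks at the declared filenames of real parts. The two sample messages, their addresses and the attachment payload are constructed for the example; the extension list is the one from the posted filter.

```python
import email
import re
from email import policy
from typing import List, Optional

# Extension list copied from the Exim system_filter rule posted earlier in the thread.
_EXT_ALT = (r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|"
            r"jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")

# Python port of the filter's quoted-filename rule.  It runs over the raw body text,
# so anything that merely LOOKS like a MIME part header triggers it.
FILTER_BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)"
    r'("[^"]+' + _EXT_ALT + r'")[\s;]',
    re.IGNORECASE,
)

# Same extension test, applied only to a filename taken from a parsed MIME part.
BLOCKED_NAME_RE = re.compile(_EXT_ALT + r"$", re.IGNORECASE)


def body_grep_match(raw: bytes) -> Optional[str]:
    """Emulate 'if $message_body matches ...': return the first quoted filename the
    regex finds in the body, with line breaks flattened to spaces as Exim does."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1].decode("latin-1") if len(parts) == 2 else ""
    m = FILTER_BODY_RE.search(body.replace("\r", " ").replace("\n", " "))
    return m.group(1) if m else None


def mime_attachment_hits(raw: bytes) -> List[str]:
    """Parse the MIME structure and report only real (non-container) parts whose
    declared filename (Content-Disposition filename= or Content-Type name=) is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and BLOCKED_NAME_RE.search(name):
            hits.append(name)
    return hits


# Constructed sample 1: a plain-text list post that quotes a worm's part header in
# its text.  There is no attachment at all, but the body grep cannot tell.
LEGIT_REPORT = b"""\
From: reporter@example.org
To: list@example.net
Subject: Re: Sobig.F sightings
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Every copy I received so far carried a part declared as
  Content-Type: application/octet-stream; name="document_all.pif"
so a filter that matches on that string alone also matches this report.
"""

# Constructed sample 2: a multipart message carrying a real .pif attachment
# (the payload is the base64 of the word "placeholder", not a program).
WORM_MAIL = b"""\
From: forged@example.com
To: victim@example.net
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_000FCE03"

--_NextPart_000_000FCE03
Content-Type: text/plain; charset=us-ascii

See the attached file for details.
--_NextPart_000_000FCE03
Content-Type: application/octet-stream; name="wicked_scr.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="wicked_scr.pif"

cGxhY2Vob2xkZXI=
--_NextPart_000_000FCE03--
"""

if __name__ == "__main__":
    for label, raw in (("legit report", LEGIT_REPORT), ("worm mail", WORM_MAIL)):
        print(f"{label:13s} body grep -> {body_grep_match(raw)!r:22s}"
              f" MIME parse -> {mime_attachment_hits(raw)}")
```

Both checks flag the worm mail; only the body grep also flags the plain-text report, which is exactly the false positive that gets people unsubscribed from lists.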
Re: Debian Stable server hacked
On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote:
> > No, it really doesn't. It might stop some common implementations of
> > exploits, but that's about it. There are many papers available which
> > describe the shortcomings of this kind of prevention.
>
> Could you provide some pointers on the topic?

There was recently a long thread on bugtraq about this very topic
(Subject was "Buffer overflow prevention"). You'll find some valuable
information in there. The thread got kicked off bugtraq to secprog by
the moderator and may still be alive there.

noah
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that sends the bounce. This is called a double bounce.
> > Correct me if this is wrong ...
>
> Yes, it goes back to the server doing the sending. It's a double bounce
> when the bounce message itself bounces.
>
> I don't know how this virus is propagating itself, but I would imagine
> that if it does the sending itself, rejecting at the initial smtp
> session would not result in a double bounce. However, if it uses some
> relay (that it either set up itself, or found on a network, etc) and
> used forged headers, then it will go to some unsuspecting person
> (whoever is in the headers).

I've examined a few messages I've got now, and none of them had been
through any relays. In fact, they had all been sent directly from
dialups or *DSL users. Here are the headers of an example:

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
	id 19pYJ2-0007EM-00
	for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200
Received: from pph-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
	by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
	id 19pYIZ-0007E7-00
	for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_000FCE03"
Message-Id: [EMAIL PROTECTED]

(BTW, don't send anything to the [EMAIL PROTECTED] address, ever. It is
intended as a spamtrap... Unfortunately, viruses like this limit its
usefulness as spamtrap, that's one of the reasons I want to filter this
before going to SpamAssassin)

OK, so if I get this correctly, a double bounce would result in that I
get the bounce, but that's unlikely to occur. But it is still not clear
to me who gets the bounce, it would be the sender on the envelope, but
that's [EMAIL PROTECTED] in this case, right? And that's something I
wouldn't want to happen...

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/  OpenPGP KeyID: 6A6A0BBC
Re: Simple e-mail virus scanner
Kjetil Kjernsmo wrote:
> Dear all,
>
> I guess I'm not really looking for a security solution, but I guess you
> folks are the most likely to know, so I try here...
>
> In the last couple of hours, I've got about 25 100KB of the recent
> Sobig.f M$ virus, along with about the same number of bogus "there was
> a virus in an e-mail you sent". It would be really great to be able to
> filter those out so that I don't need to see them, that is, get them in
> a folder I can clean out now and then.
>
> But I don't want to run a full-scale virus scanner, because for the
> time being, I really don't need any, as no e-mail is read on an MS
> machine here. I figured, most viruses should be able to detect by using
> simple regexs, right? So, a simple scanner that looks for a number of
> regexs available from a repository could do the trick...? Or perhaps
> use something like Vipul's Razor for this kind of stuff...?
>
> So, I'm wondering, does anybody know about any such approach?
>
> Cheers,
>
> Kjetil

You may just want to bite the bullet and install amavisd-new. Even
though you're not really worried about the viruses per se, it will
filter out the crap. If Sobig.F is any indication, this may become more
desirable.

You may even just want to install amavis without a virus scanner (and
just searching for banned filenames), if an AV program imposes too much
of a load on your system. Amavis also is nice for catching executable
files that are so common with current worms (our install actually was
catching Sobig.F this way before the AV signatures were updated). If
you're not reading email on an MS machine, I'm guessing it's fairly rare
for you to receive legit emails with .pif, .exe, or .bat attachments.

The nice thing is, amavis will do a better job at catching the
attachments than some of the ad hoc methods discussed earlier (see the
config section on banned filenames). Another plus is that it can be
configured to SMTP reject the message, instead of accepting and then
bouncing.

--Rich

_
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_
Re: pam doesn't see nis
Quoting Jamie Heilman [EMAIL PROTECTED]:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711

Thanks for the help on the NIS problem -- it's a known bug in sid
(glibc/libc6 most likely).

Sid sometimes gets mistaken for the boy next door who destroys toys,
quite unfairly. He's the guy in the choir, with a very occasional
spitball.

Cheers,
Peter
Out of Office AutoReply: Wicked screensaver
I am TDY until 25 AUG. If you require assistance please contact the
following: CDR DAN "Shaka" Hinson is the acting CO, he can be reached at
DSN 949-1169/COMM 559-998-1169 or by e-mail [EMAIL PROTECTED] or...
MS. Pam Knotts: x1159 [EMAIL PROTECTED]