Re: my isp is being told *i* am broadcasting spam?
dman [EMAIL PROTECTED] writes:

> Ok, that's cool. Now run IE on Windows on a client behind your
> firewall. Surf to a site running IIS and Nimda. You've got
> Nimda. Lotta good the firewall did there.

Actually, snort[1] and/or ACiD grabs those and flags them... A firewall
isn't always just a packet filter, although it's a strong base.

--
Chris Bayly

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: my isp is being told *i* am broadcasting spam?
Shawn, I didn't mean to leave you defending firewalls on my behalf. You've
done a good job!

After 40 years designing electronic circuits and programming computers, some
of which have been in mission critical applications like nuclear subs, I've
met many of the personalities which occupy those professions. Some are rocks
-- rocks don't learn much -- usually argue both sides of an issue unknowingly,
and spare no names for those who don't submit to their logic. Others listen
carefully, ask good questions and offer good advice.

Noah doesn't believe in firewalls. Running secure servers directly off the
Internet is good, (better?) and besides firewalls don't do you any good. As
proof of this, Noah quotes an instance of an NT server being cracked via port
80 and that machine subsequently infected other machines on its network.

The only proof I see here is the fact that the system design was inadequate.
A good design deals with failures in hardware or software with minimal
disruption of services, so rather than conclude that firewalls are no good,
let's look at the system design some more. We'll say something later about
using machines in public space which have a history of vulnerabilities.

Servers in the DMZ should not be serving up anything that isn't permissible
as public information. They should have no content on them which would be a
liability if exposed to the public. Servers in the DMZ should not be allowed
to initiate any connections -- except surreptitiously. No server in the DMZ
should listen to or accept any input from other servers in the DMZ (shared
applications aside).

So, your boss insists you run an insecure OS in the DMZ. You know it will be
cracked before long, but it's pretty much contained with the constraints
stated above.

Provided the other servers are secure, as Noah claims they can be, then all
you have is a single failed server in the DMZ, which all the other servers
know has been compromised because it's breaking the rules and trying to
initiate contact. Are the connections all severed and the system effectively
disconnected? No, servers in a trusted zone, connected to the DMZ via a
firewall, can initiate connections to servers in the DMZ. Obviously that
should be done using encryption.

Trusted servers polling servers in the DMZ is a bottleneck and, depending on
latency, may leave critical data on the DMZ servers long enough to be cracked.
This is where we resort to surreptitious communications. One of the obvious
things a server might do, when it is processing on-line transactions, is to
print them. But a printer isn't listening on the other end; a trusted computer
is. To a cracker, what's going out on the printer port looks pretty normal -
transaction data. Besides normal transactions going out the printer port, a
regular time tick is printed. Does a cracker dare turn off the printer? Not
likely. Will a cracker wonder what some of those strange numbers are that get
printed? Maybe. Will they figure out that those numbers are an encrypted
message which represents a spread spectrum shifted checksum of running
processes? Not nearly as fast as the trusted listener will know that something
has gone wrong with the DMZ machine. Besides providing that `ping' which the
trusted server needs to hear on a regular basis, the ping can also indicate
that the trusted server needs to initiate a connection and get/put some
information.

I'll repeat, as near as memory allows me, that there are two kinds of
computers hooked to the Internet, those which have been cracked and those
that will be. Running a broad range of services on those Internet connected
machines only means they will be cracked sooner than later. I'm aware that
this is a `ridiculous' statement, so no further flames are required.

Once again, I repeat that security will be better with a firewall, running a
minimal chunk of code. Those machines which allow connections to be made from
the Internet should be in a DMZ -- including both web servers and mail
servers. Servers in a DMZ should not be able to talk to one another unless
they are sharing a common application. Data collected on the DMZ servers,
which must not become public information, should be quickly pulled off those
servers by a trusted machine which initiates the connection via a secure
channel. There are many ways to surreptitiously monitor servers in the DMZ to
detect their failures and/or compromises, the printer port being just one of
them. Operating an OS in the DMZ which has a history of exploits may be a
political necessity, but as a system designer, it's your job to contain that
expected exploit as quickly as possible - a trusted machine can pull the power
plug a lot faster than rousting the sys admin out of bed to do it.

Complaining that firewalls are little more than a false sense of security
doesn't do much to address the requirements of the system or provide a design
to meet those requirements. As a consultant who spent more months than I
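The printer-port heartbeat sketched in the message above, as an added example that is not David Smead's code or anything posted in this thread: the DMZ host prints a tick line carrying a sequence number, a timestamp, a digest of its process list and a MAC, and the trusted listener at the other end of the one-way link raises alarms for a late tick, a replayed or forged tick, a changed process set, or silence. The line format, the shared key and the process lists are constructed for the example, and an HMAC over the fields stands in for the author's encrypted, spread-spectrum-shifted checksum.

```python
import hashlib
import hmac

# Constructed for this example: the shared key the DMZ host and the trusted
# listener were provisioned with, the tick period, and how late is too late.
KEY = b"constructed-shared-key-not-a-real-secret"
TICK_SECONDS = 60
GRACE_SECONDS = 30


def process_digest(process_names):
    """Order-independent digest of the running process set."""
    return hashlib.sha256("\n".join(sorted(process_names)).encode()).hexdigest()


def make_tick(seq, t, process_names, key=KEY):
    """The line the DMZ host would send down the 'printer' link: sequence
    number, time, process digest, and an HMAC binding them to the key."""
    procs = process_digest(process_names)
    mac = hmac.new(key, f"{seq}|{t}|{procs}".encode(), hashlib.sha256).hexdigest()
    return f"seq={seq} t={t} procs={procs} mac={mac}"


def parse_tick(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["seq"]), int(fields["t"]), fields["procs"], fields["mac"]


class Listener:
    """Trusted-side state.  check() returns the alarms a tick raises (an empty
    list means the tick was on time, authentic, fresh and unchanged)."""

    def __init__(self, baseline_digest, key=KEY):
        self.baseline = baseline_digest
        self.key = key
        self.last_seq = None
        self.last_t = None

    def check(self, line):
        try:
            seq, t, procs, mac = parse_tick(line)
        except (KeyError, ValueError):
            return ["unparseable tick (corrupted or forged output)"]
        expected = hmac.new(self.key, f"{seq}|{t}|{procs}".encode(),
                            hashlib.sha256).hexdigest()
        # constant-time comparison: no timing side channel for a forger
        if not hmac.compare_digest(mac, expected):
            return ["bad MAC: tick was not produced with the shared key"]
        if self.last_seq is not None and seq <= self.last_seq:
            # do not advance state on a replay; keep the last good tick
            return [f"replayed or out-of-order seq {seq} (last {self.last_seq})"]
        alarms = []
        if self.last_t is not None and t - self.last_t > TICK_SECONDS + GRACE_SECONDS:
            alarms.append(f"late tick: {t - self.last_t}s since previous")
        if procs != self.baseline:
            alarms.append("process set changed: digest differs from baseline")
        self.last_seq, self.last_t = seq, t
        return alarms

    def silent_since(self, now):
        """True when the host has not ticked for longer than a period plus
        grace: the 'pull the plug' condition, raised although no line arrived."""
        return self.last_t is not None and now - self.last_t > TICK_SECONDS + GRACE_SECONDS


# Constructed process lists: what the host ran at deployment, then later.
BASELINE_PROCS = ["init", "syslogd", "exim", "httpd"]
COMPROMISED_PROCS = BASELINE_PROCS + ["irc-bouncer"]


def demo():
    """Feed the listener a healthy run, a changed process set, a replay and
    a forgery; returns the alarm list for each tick in order."""
    listener = Listener(process_digest(BASELINE_PROCS))
    ticks = [
        make_tick(1, 1000, BASELINE_PROCS),
        make_tick(2, 1060, BASELINE_PROCS),
        make_tick(3, 1120, COMPROMISED_PROCS),              # new process appeared
        make_tick(2, 1060, BASELINE_PROCS),                 # replay of tick 2
        make_tick(5, 1240, BASELINE_PROCS, key=b"wrong"),   # forged with wrong key
    ]
    return [listener.check(tick) for tick in ticks]


if __name__ == "__main__":
    for i, alarms in enumerate(demo(), 1):
        print(i, alarms or "ok")
```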
Re: my isp is being told *i* am broadcasting spam?
begin Noah Meyerhans quotation:

> You would firewall an ISP's network??? I would switch providers
> immediately if my ISP ever did such a thing.

No, I would firewall the internal servers off from both the outside world
and the customers, opening only the ports each needed to access. You're
thinking this means putting a firewall between the modems and world.

> As I've said previously today, I am responsible for the security of a
> high-profile network (i.e. constantly being scanned and/or actively
> attacked) with hundreds of users and *no firewall*.

And I am responsible for the security of a segment of FedEx's network. It
doesn't get much more high-profile than that. I don't have hundreds of
users; I have hundreds of SERVERS. The security of these boxes affects not
only 200,000 FedEx employees, but millions of customers, including all
FedEx invoices.

Now, can we stop comparing dicks, and go back to the argument? :-)

BTW, I'm not by any means suggesting the firewall relieves any
responsibility for internal security. The biggest problem we have is
exactly the one you've suggested; some segment of the network that is
controlled by another team leaves something open that they shouldn't, a
customer-facing box gets infected with something, and that starts pounding
servers. Sometimes it affects servers I don't control, but that my servers
rely on, and thus I get angry "what are you going to do about this"
questions from management, that I have to answer with "I'm going to go to
lunch, and update you when they update me." Nine times out of ten, it's
the Windows people. I will not give specific examples, but let's just say
the color red and the letter N have been involved. :-)

However, the firewall does allow us to do things that are absolutely
necessary on a network this large, and containing this many
mission-critical legacy systems; use insecure protocols without exposing
them to the network, and without the people who control the internet-facing
routers being in the loop for every software installation on every box in
the entire network. We're too large for everything to be coordinated at
that level.

Our having a firewall helps you too; if some idiot were to, hypothetically,
allow his servers to become infected with Code Red, our firewall would
hypothetically keep his box from being able to scan the Internet for new
hosts to infect, thereby causing that traffic to, instead of overloading
other networks, overload our own. Hypothetically. :-)

Also, when you hear the word firewall, you may be assuming that means a
separate server that is called the firewall. Remember that using ipchains
or iptables to secure a specific server is implementing a firewall on that
server. The very act of securing your specific UNIX systems quite likely
involves implementing dozens of firewalls. When somebody sets their routers
to block outbound martian packets to prevent IP spoofing, they're
implementing a firewall. When you, as you said, block specific ports,
that's a firewall with a default allow policy. We have lots of firewalls,
blocking lots of things from lots of other things. I wish we had more,
blocking more things, but I am a medium-sized fish in a damn huge pond.

On-topic: a firewall is a useful component of securing a Debian box, or a
Debian-based network. A box running Debian can be used to build a
particularly effective firewall.

To say that a firewall isn't useful because it doesn't prevent EVERYTHING,
is the same as saying that keeping your root password a secret isn't useful
because it doesn't prevent EVERYTHING, or that seatbelts are useless
because you can still die in a car accident. Firewalls are useful. For the
uninitiated, they are necessary, even if only a per-box firewall, simply
because you may not know HOW to secure every port on your box, and a
default-deny firewall puts you in a less insecure position, requiring
deliberate action to become less secure, as opposed to deliberate action to
become more secure.

--
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
begin ben quotation:

> other guy--and i'm saying this for his benefit even more than yours--is
> placing way too much faith in an idea that's all too close to the
> catholic's belief in the rhythm method.

This is the last thing I'm going to say on this.

Quoting Practical Unix and Internet Security, page 637:

    Firewalls are powerful tools, but they should never be used INSTEAD of
    other security measures. They should only be used IN ADDITION to such
    measures.

If you don't believe that, fine; but shit-can the ad-hominem attacks based
on your lack of knowledge and experience on the subject.

--
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
On Sat, Apr 20, 2002 at 07:30:06AM -0500, will trillich wrote:
| On Fri, Apr 19, 2002 at 09:28:17AM -0700, Sean 'Shaleh' Perry wrote:
| > HELO dontuthink.com
| > 250 server Hello 12-235-84-58.client.attbi.com [12.235.84.58]
| > MAIL FROM:[EMAIL PROTECTED]
| > 250 [EMAIL PROTECTED] is syntactically correct
| > RCPT TO:[EMAIL PROTECTED]
| > 550 relaying to [EMAIL PROTECTED] prohibited by administrator
| >
| > if you are relaying, I do not see how.
| >
| > If someone can relay through you they should be able to telnet to your smtp
| > port and send mail out like I just tried.
|
| thanks. i did similar tests at paladinCorp.com (specifically,
| http://www.paladincorp.com.au/unix/spam/spamlart/ ) and they
| found some instances where my setup didn't retch at certain
| questionable email syntaxes:
|
| here are the ones marked 'potential vulnerability'... Output
| from Anti-Relay Tests:
|
| Spam-Lart v0.3.2
| 220 server ESMTP Exim 3.12 #1 Fri, 19 Apr 2002 08:58:34 -0500
|
| rcpt to: [EMAIL PROTECTED]@mail.dontUthink.com
| 250 [EMAIL PROTECTED]@mail.dontUthink.com is
| syntactically correct
| ** FAILURE / Potentital Vulnerability **
|
| but i bet that'll look for use '[EMAIL PROTECTED]' ON
| MY SERVER.

It depends on your site's entire configuration. An old version of my
exim-spamassassin config is vulnerable to this sort of spoofing. The
problem with that config was only the local part was passed back to exim,
and that local part looks like a complete address.

I just tested this particular potential vulnerability and received an
unknown local-part bounce. That's good. It's better if you reject it at
RCPT time, but ok as long as you don't deliver at all.

| right. my exim.conf includes
|
| rbl_domains = rbl.maps.vix.com
| rbl_reject_recipients = false
| rbl_warn_header = true
| host_accept_relay = localhost : 192.168.1.1/24 : 208.33.90.85/32
| # commented-out:
| # percent_hack_domains=*
|
| what sanity checks does that miss?

There are lots more sanity checks that exim can perform. I don't have an
up-to-date exim 3 config anymore (if I have one at all). I've been using
version 4.01 for a while now.

There is a site (ORBD?) that allows you to enter your IP address and it
will run a barrage of relay tests against it and report the results to
the email address you specify. It actually tries to send a message and
then waits for your host to relay it to their spamtrap address.
(obviously, if you reject at RCPT time it won't need to wait at all
because you won't have accepted responsibility for the message) There's
some other site you can telnet to and it will test the ip you connected
from. I don't recall those hostnames right now, though, and I don't think
I wrote them down anywhere.

-D

--
The heart is deceitful above all things and beyond cure. Who can
understand it? I the Lord search the heart and examine the mind, to reward
a man according to his conduct, according to what his deeds deserve.
        Jeremiah 17:9-10
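As an added example (not exim's code and not anyone's configuration from this thread), here is a model of the RCPT-time relay decision implied by the exim settings quoted above: the host_accept_relay list and the commented-out percent_hack_domains. It shows why a Spam-Lart "potential vulnerability" address such as will%dontuthink.com@serensoft.com ends in an unknown-local-part rejection rather than a relay when the percent hack is off, and how the same probes fare when it is turned on. The local user list and the probe addresses are constructed; localhost is written as 127.0.0.1/32.

```python
import ipaddress

# host_accept_relay = localhost : 192.168.1.1/24 : 208.33.90.85/32
RELAY_NETS = [ipaddress.ip_network(n, strict=False)
              for n in ("127.0.0.1/32", "192.168.1.1/24", "208.33.90.85/32")]
# Domains this host delivers for (including its bracketed IP literal).
LOCAL_DOMAINS = {"serensoft.com", "dontuthink.com", "mail.dontuthink.com",
                 "[208.33.90.85]"}
LOCAL_USERS = {"will", "postmaster"}   # constructed
PERCENT_HACK_DOMAINS = set()           # '# percent_hack_domains=*' => none


def split_address(addr):
    """Return (local_part, domain), splitting at the last '@' outside quotes.
    A quoted local part such as "victim@evil.example"@serensoft.com therefore
    stays one opaque local part instead of becoming a foreign recipient."""
    addr = addr.strip().strip("<>")
    in_quotes = False
    at = -1
    for i, ch in enumerate(addr):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            at = i
    if at < 0:
        raise ValueError(f"no domain in {addr!r}")
    return addr[:at], addr[at + 1:].lower()


def apply_percent_hack(local_part, domain, hack_domains):
    """user%other.example@local -> user@other.example, but only when the
    domain is listed in percent_hack_domains (it is not, in the config)."""
    if domain in hack_domains and "%" in local_part:
        user, _, new_domain = local_part.rpartition("%")
        return user, new_domain.lower()
    return local_part, domain


def rcpt_decision(addr, client_ip, relay_nets=RELAY_NETS,
                  local_domains=LOCAL_DOMAINS, local_users=LOCAL_USERS,
                  hack_domains=PERCENT_HACK_DOMAINS):
    """One of 'local-accept', 'reject-unknown-user', 'relay-accept',
    'reject-relay'.  Relay permission is checked on the address *after*
    any rewriting, and unknown users are refused at RCPT time rather than
    accepted and bounced later, as the thread recommends."""
    local_part, domain = split_address(addr)
    local_part, domain = apply_percent_hack(local_part, domain, hack_domains)
    if domain in local_domains:
        user = local_part.strip('"')
        return "local-accept" if user in local_users else "reject-unknown-user"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in relay_nets):
        return "relay-accept"
    return "reject-relay"


# Constructed probes in the shape of the anti-relay tests quoted above.
PROBES = [
    ("will@serensoft.com", "12.235.84.58"),
    ("will%dontuthink.com@serensoft.com", "12.235.84.58"),
    ('"victim@evil.example"@serensoft.com', "12.235.84.58"),
    ("victim@evil.example", "12.235.84.58"),
    ("victim@evil.example", "192.168.1.7"),
    ("will@[208.33.90.85]", "12.235.84.58"),
    ("victim%evil.example@serensoft.com", "12.235.84.58"),
]


def run_probes(hack_domains=PERCENT_HACK_DOMAINS):
    return [rcpt_decision(a, ip, hack_domains=hack_domains) for a, ip in PROBES]


if __name__ == "__main__":
    for (a, ip), d in zip(PROBES, run_probes()):
        print(f"{d:20} {a} from {ip}")
```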
Re: my isp is being told *i* am broadcasting spam?
begin Noah Meyerhans quotation:

> So what are you suggesting, then? This was Will's mail server we're
> talking about. First you say it needs to be behind the firewall or
> else it's doomed to be cracked, then you say it needs to be in the DMZ.

A DMZ is still behind the firewall. A DMZ is its own little isolated
corner where all traffic to the Internet goes through the firewall, and
all traffic to the LAN goes through the firewall. That way, if the server
is cracked, it still can't get to anything except on the ports that are
trusted.

This enables you to use insecure protocols behind your firewall, yet still
have net-facing services such as email, with a higher degree of confidence
that a security bug in the net-facing box won't compromise your entire
network.

--
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
begin will trillich quotation:

> thanks. i did similar tests at paladinCorp.com (specifically,
> http://www.paladincorp.com.au/unix/spam/spamlart/ ) and they
> found some instances where my setup didn't retch at certain
> questionable email syntaxes:

Don't use them. The true test is if your system actually relays messages,
not whether it rejects the attempt before receipt. There are other sites
that will test these same vulnerabilities, but only flag on them if a test
email actually gets through.

--
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
On Sun, Apr 21, 2002 at 02:11:05AM -0400, Shawn McMahon wrote:
> A DMZ is still behind the firewall. A DMZ is its own little isolated
> corner where all traffic to the Internet goes through the firewall, and
> all traffic to the LAN goes through the firewall. That way, if the
> server is cracked, it still can't get to anything except on the ports
> that are trusted.

I just don't see how that gets you anything at all if only the trusted
ports have any services listening on them. I have seen personally a WinNT
box, behind a firewall, with only port 80 visible to the world get
cracked. Not only was it cracked, but it was then used as a launch pad for
an attack on another box that was also in the DMZ. All that was with only
port 80 open.

Besides that, this has strayed very far from the statement that originally
started the conversation. The original claim by David Smead was that
putting a host on the network is a recipe for certain disaster, which I
claim is utter nonsense.

Basically, my approach is to assume that all ports on all hosts are
visible to the world. To me, this is a fundamental fact of networking.
With this in mind, construct a secure network infrastructure. It can
certainly be done; I live in that world every day and have never felt a
desire to have a firewall in front of my network.

I realize there are other philosophies on network security, I just happen
to disagree with them. 8^)

noah

--
 ___ | Web: http://web.morgul.net/~frodo/
     | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
begin Noah Meyerhans quotation:

> I just don't see how that gets you anything at all if only the trusted
> ports have any services listening on them. I have seen personally a
> WinNT box, behind a firewall, with only port 80 visible to the world
> get cracked. Not only was it cracked, but it was then used as a launch
> pad for an attack on another box that was also in the DMZ. All that
> was with only port 80 open.

Ok, I don't see why "this has not been sufficient in some circumstances"
translates to "not getting you anything at all." Every security tool ever
used fails this test you seem to be using.

> Basically, my approach is to assume that all ports on all hosts are
> visible to the world. To me, this is a fundamental fact of networking.

That probably works on a small network. Try it with several thousand
servers and 200,000 users, not counting internet customers. Or try it
with an ISP, where you can't control the configuration on ANY of the
users' computers.

I've worked in both situations. Firewalls are a godsend.

--
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
On Sun, Apr 21, 2002 at 02:51:51AM -0400, Shawn McMahon wrote:
> That probably works on a small network. Try it with several thousand
> servers and 200,000 users, not counting internet customers. Or try it
> with an ISP, where you can't control the configuration on ANY of the
> users' computers.

You would firewall an ISP's network??? I would switch providers
immediately if my ISP ever did such a thing. (note that I have no problem
with them filtering specific ports for a limited time if they're causing
specific damage.)

As I've said previously today, I am responsible for the security of a
high-profile network (i.e. constantly being scanned and/or actively
attacked) with hundreds of users and *no firewall*. Security issues are
few and far between, and not a single box under my direct control has ever
been cracked. Users are welcome to put whatever they want on the network,
but they're dealt with quickly if they present a security problem.

noah

--
 ___ | Web: http://web.morgul.net/~frodo/
     | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
On Sunday 21 April 2002 12:05 am, Noah Meyerhans wrote:
> On Sun, Apr 21, 2002 at 02:51:51AM -0400, Shawn McMahon wrote:
> > That probably works on a small network. Try it with several thousand
> > servers and 200,000 users, not counting internet customers. Or try it
> > with an ISP, where you can't control the configuration on ANY of the
> > users' computers.
>
> You would firewall an ISP's network??? I would switch providers
> immediately if my ISP ever did such a thing. (note that I have no
> problem with them filtering specific ports for a limited time if
> they're causing specific damage.)
>
> As I've said previously today, I am responsible for the security of a
> high-profile network (i.e. constantly being scanned and/or actively
> attacked) with hundreds of users and *no firewall*. Security issues
> are few and far between, and not a single box under my direct control
> has ever been cracked. Users are welcome to put whatever they want on
> the network, but they're dealt with quickly if they present a security
> problem.
>
> noah

noah, let it go. you're right--if that's what you've been waiting to hear.
the other guy--and i'm saying this for his benefit even more than
yours--is placing way too much faith in an idea that's all too close to
the catholic's belief in the rhythm method.

shawn, the only way out of the argument is to set up a challenge, and that
setup would, for integrity, have to be verifiable by a trusted third
party. in any case, the proof would require more resources than this list
should be called on to provide. however, if you do get it together, please
let us all in on the deal.

ben
Re: my isp is being told *i* am broadcasting spam?
On Fri, Apr 19, 2002 at 11:29:51AM -0700, Vineet Kumar wrote:
> * dman ([EMAIL PROTECTED]) [020419 09:10]:
> Well, there may be other issues on the table here. Will's original
> question was "can I tell if I've been hacked?" His exim setup could be
> sound, but it's definitely feasible that a rootkit could install a mail
> relay listening on another port and sending out a ton of spam
> unbeknownst to ps and top. Are your hub lights blinking, Will?

yep. lots. when i first set up ipCop (ipcop.org) i got about 18mb of
logfile in one afternoon from the default firewall logging rules (via
ipchains on potato):

Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x T=1 (#8)
Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x T=1 (#8)
Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x T=1 (#8)
Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x T=1 (#8)
Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x T=1 (#8)

hundreds upon thousands of those, from the moment the firewall (ipcop
v0.1.1) came up. to keep from sucking up all available space, i deleted
the final (reject-and-log) rule of the incoming ruleset...

is all this activity from a goofy setup by my isp? is it something i'm
doing? surely this much probing must mean something...

> If that rootkit was installed by somebody exploiting a samba which
> should have been blocked from The Outside, this could potentially have
> been prevented if a packet filter was installed to allow incoming
> connections only to tcp/25.

no samba -- never had it, never will. (considered it at home, but
figured out a better way.)

--
I use Debian/GNU Linux version 2.2;
Linux server 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown

DEBIAN NEWBIE TIP #72 from USM Bish [EMAIL PROTECTED]
:
Prefer to LOGIN IN VIA CONSOLE INSTEAD OF VIA GUI? No problem.
A freshly-installed X window display system by default boots
into GUI, instead of having you log in at the text console.
This is because of xdm or gdm or kdm. To avoid this and boot
into console mode instead:
        update-rc.d -f xdm remove
This will remove all system startup links in /etc/init.d for
xdm. You can still get X up and running via startx but it
won't intervene in your login process.

Also see http://newbieDoc.sourceForge.net/ ...
Re: my isp is being told *i* am broadcasting spam?
On Fri, Apr 19, 2002 at 09:28:17AM -0700, Sean 'Shaleh' Perry wrote:
> HELO dontuthink.com
> 250 server Hello 12-235-84-58.client.attbi.com [12.235.84.58]
> MAIL FROM:[EMAIL PROTECTED]
> 250 [EMAIL PROTECTED] is syntactically correct
> RCPT TO:[EMAIL PROTECTED]
> 550 relaying to [EMAIL PROTECTED] prohibited by administrator
>
> if you are relaying, I do not see how.
>
> If someone can relay through you they should be able to telnet to your smtp
> port and send mail out like I just tried.

thanks. i did similar tests at paladinCorp.com (specifically,
http://www.paladincorp.com.au/unix/spam/spamlart/ ) and they
found some instances where my setup didn't retch at certain
questionable email syntaxes:

here are the ones marked 'potential vulnerability'... Output
from Anti-Relay Tests:

Spam-Lart v0.3.2
220 server ESMTP Exim 3.12 #1 Fri, 19 Apr 2002 08:58:34 -0500

rcpt to: [EMAIL PROTECTED]@mail.dontUthink.com
250 [EMAIL PROTECTED]@mail.dontUthink.com is syntactically correct
** FAILURE / Potentital Vulnerability **

but i bet that'll look for use '[EMAIL PROTECTED]' ON
MY SERVER. here's a result from a test i did:

[EMAIL PROTECTED]: unknown local-part will%dontuthink.com in domain serensoft.com
[EMAIL PROTECTED]@serensoft.com: unknown local-part [EMAIL PROTECTED] in domain serensoft.com

and i suspect the same would apply for all the rest of these below--

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@[208.33.90.85]
250 [EMAIL PROTECTED]@[208.33.90.85] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@mail.dontUthink.com
250 [EMAIL PROTECTED]@mail.dontUthink.com is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@[208.33.90.85]
250 [EMAIL PROTECTED]@[208.33.90.85] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@mail.dontUthink.com
250 [EMAIL PROTECTED]@mail.dontUthink.com is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@[208.33.90.85]
250 [EMAIL PROTECTED]@[208.33.90.85] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@mail.dontUthink.com
250 [EMAIL PROTECTED]@mail.dontUthink.com is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]@[208.33.90.85]
250 [EMAIL PROTECTED]@[208.33.90.85] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
** FAILURE / Potentital Vulnerability **

rcpt to: [EMAIL
Re: my isp is being told *i* am broadcasting spam?
Below is some information that may be of interest. One thing you should
note is the port number being used on the IP numbers. I don't know the
format of the log entry, so I'm guessing that an entry has a source and
destination IP. I would think from that with the IP for
dontuthink.com/serensoft.com that you shouldn't be seeing those packets.
But it looks like you're on a cable and only the ISP knows what IPs are out
there on that particular cable.

- start of probe --

Domain Name: DONTUTHINK.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.SERENSOFT.COM
Name Server: NS1.ZONEEDIT.COM
Name Server: NS5.ZONEEDIT.COM
Updated Date: 05-nov-2001

Getting host by address
Name = (OSPF-ALL.MCAST.NET)
Addresses: 224.0.0.5

Domain Name: MCAST.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.ISI.EDU
Name Server: VENERA.ISI.EDU
Name Server: NS.SGI.COM
Name Server: DNSAUTH1.SYS.GTEI.NET
Name Server: DNSAUTH2.SYS.GTEI.NET
Name Server: DNSAUTH3.SYS.GTEI.NET
Updated Date: 05-nov-2001

Getting host by address
Name = (cable-z-221.sigecom.net)
Addresses: 63.121.237.221

Domain Name: SIGECOM.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: DNS1.SIGECOM.COM
Name Server: DNS2.SIGECOM.COM
Updated Date: 05-dec-2001

Getting host by address
Name = (cable-u-177.sigecom.net)
Addresses: 63.110.253.177

Getting host by address
Name = (cable-gg-241.sigecom.net)
Addresses: 65.195.103.241

Getting host by address
Name = (cable-bb-255.sigecom.net)
Addresses: 65.195.98.249

getting host by name
Name = (serensoft.com)
Addresses: 208.33.90.85

getting host by name
Name = (dontuthink.com)
Addresses: 208.33.90.85

- end of probe---

--
Sincerely, David Smead
http://www.amplepower.com.

On Sat, 20 Apr 2002, will trillich wrote:
> On Fri, Apr 19, 2002 at 11:29:51AM -0700, Vineet Kumar wrote:
> > * dman ([EMAIL PROTECTED]) [020419 09:10]:
> > Well, there may be other issues on the table here. Will's original
> > question was "can I tell if I've been hacked?" His exim setup could
> > be sound, but it's definitely feasible that a rootkit could install a
> > mail relay listening on another port and sending out a ton of spam
> > unbeknownst to ps and top. Are your hub lights blinking, Will?
>
> yep. lots. when i first set up ipCop (ipcop.org) i got about 18mb of
> logfile in one afternoon from the default firewall logging rules (via
> ipchains on potato):
>
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x T=1 (#8)
>
> hundreds upon thousands of those, from the moment the firewall (ipcop
> v0.1.1) came up. to keep from sucking up all available space, i deleted
> the final (reject-and-log) rule of the incoming ruleset...
>
> is all this activity from a goofy setup by my isp? is it something i'm
> doing? surely this much probing must mean something...
>
> > If that rootkit was installed by somebody exploiting a samba which
> > should have been blocked from The Outside, this could potentially
> > have been prevented if a packet filter was installed to allow
> > incoming connections only to tcp/25.
>
> no samba -- never had it, never will. (considered it at home, but
> figured out a better way.)
Re: my isp is being told *i* am broadcasting spam?
will trillich wrote:

[ snip ]

> when i first set up ipCop (ipcop.org) i got about 18mb of logfile in one afternoon from the default firewall logging rules (via ipchains on potato):
>
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x T=1 (#8)
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x T=1 (#8)
>
> hundreds upon thousands of those, from the moment the firewall (ipcop v0.1.1) came up. to keep from sucking up all available space, i deleted the final (reject-and-log) rule of the incoming ruleset...

[ snip ]

Look here: http://www.iana.org/assignments/protocol-numbers

Notice, protocol 89: ``89 OSPFIGP OSPFIGP [RFC1583,JTM4]''

This is router jabber and, although it is impinging on your bandwidth, is otherwise harmless and safe to be ignored. This in no way comments on anything else you are experiencing . . .

--
Best Regards,
mds
mds resource
888.250.3987

Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: my isp is being told *i* am broadcasting spam?
On Sat, 20 Apr 2002 07:43:18 -0500 will trillich [EMAIL PROTECTED] wrote:

> when i first set up ipCop (ipcop.org) i got about 18mb of logfile in one afternoon from the default firewall logging rules (via ipchains on potato):
>
> Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x T=1 (#8)

Well, let's dissect a bit of that entry. The PROTO=89 means that the packet you got was using OSPFIGP (Open Shortest Path First IGP). Next, IIRC, the 63.64.14.221:65535 is the source portion of the packet. This appears to be part of sigecom.net. The 224.0.0.5:65535 (or destination) is the part that I'm more interested in. This is part of mcast.net.

I too have recently seen a lot of these messages. From what I understand, unless you are using multicast, you can safely block these. I've added rules to my firewalls to silently drop the entire multicast range for now 224.0.0.0/8. Since they are explicitly dropped, they never reach my logging chain (I wouldn't suggest running a firewall without one).

> is all this activity from a goofy setup by my isp? is it something i'm doing? surely this much probing must mean something...

From the limited understanding I have of multicast, I believe this to be normal operation. The idea as I understood it was that with Multicast one transmission could be received by anyone interested, thus making broadcasting much more possible.

--
Jamin W. Collins
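The dissection above, turned into a small log-triage script. This is an added example and not code from the thread or from ipCop: it parses the ipchains "Packet log:" lines quoted in the thread, labels OSPF hellos to the AllSPFRouters/AllDRouters groups (224.0.0.5 and 224.0.0.6) and anything else aimed at 224.0.0.0/4 (the whole class D multicast range) as router chatter, and keeps only the unicast traffic that bears on the relay question, such as connections to TCP/25. The input is the five posted lines plus two constructed ones whose 192.0.2.x sources are documentation addresses, not real hosts; the `interesting()` filter is what you would run over an 18 MB log before deciding whether anything in it is actually a probe.

```python
import ipaddress
import re
from collections import Counter

# Regex for the ipchains "Packet log:" lines quoted above: chain, target
# ("-" when the rule only logs), interface, protocol number, then
# source:port and destination:port.  The L=/S=/I=/F=/T= fields and the rule
# number that follow are not needed for triage.  For protocols that have no
# ports (OSPF here) ipchains prints 65535 in the port position, as the
# posted lines show.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

MULTICAST = ipaddress.ip_network("224.0.0.0/4")        # whole class D range
OSPF_GROUPS = {ipaddress.ip_address("224.0.0.5"),        # AllSPFRouters
               ipaddress.ip_address("224.0.0.6")}        # AllDRouters
PROTO_TCP, PROTO_UDP, PROTO_OSPF = 6, 17, 89

# The five lines quoted in the thread plus two constructed ones (192.0.2.x
# sources are documentation addresses made up for this example).
SAMPLE_LOG = [
    "Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x T=1 (#8)",
    "Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x T=1 (#8)",
    "Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x T=1 (#8)",
    "Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x T=1 (#8)",
    "Apr 2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x T=1 (#8)",
    "Apr 2 12:20:03 troll kernel: Packet log: input - eth1 PROTO=6 192.0.2.10:41234 63.121.237.221:25 L=60 S=0x00 I=9001 F=0x4000 T=51 (#8)",
    "Apr 2 12:20:09 troll kernel: Packet log: input - eth1 PROTO=17 192.0.2.20:137 63.121.237.221:137 L=78 S=0x00 I=9002 F=0x T=110 (#8)",
]


def parse(line):
    """Return the packet fields of one log line, or None if it is not a Packet log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport"):
        pkt[key] = int(pkt[key])
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    return pkt


def classify(pkt):
    """Label a parsed packet: multicast routing chatter vs. traffic aimed at this host."""
    if pkt["proto"] == PROTO_OSPF and pkt["dst"] in OSPF_GROUPS:
        return "ospf-hello"            # routers on the cable segment talking to each other
    if pkt["dst"] in MULTICAST:
        return "other-multicast"
    if pkt["proto"] == PROTO_TCP and pkt["dport"] == 25:
        return "smtp-inbound"          # the one that matters for the relay question
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        name = "tcp" if pkt["proto"] == PROTO_TCP else "udp"
        return "unicast-%s/%d" % (name, pkt["dport"])
    return "proto-%d" % pkt["proto"]


def summarize(lines):
    """Count log lines per (label, source) and report how many did not parse."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            unparsed += 1
        else:
            counts[(classify(pkt), str(pkt["src"]))] += 1
    return counts, unparsed


def interesting(lines):
    """The lines left once multicast chatter is removed, as (label, src, dport)."""
    keep = []
    for line in lines:
        pkt = parse(line)
        if pkt is None or pkt["dst"] in MULTICAST:
            continue
        keep.append((classify(pkt), str(pkt["src"]), pkt["dport"]))
    return keep


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG)
    noise = sum(n for (label, _), n in counts.items()
                if label in ("ospf-hello", "other-multicast"))
    print("%d of %d lines are multicast chatter, %d unparsed" % (noise, len(SAMPLE_LOG), bad))
    for entry in interesting(SAMPLE_LOG):
        print("worth a look:", entry)
```

Once the chatter is known to be OSPF, the usual fix is a silent drop of 224.0.0.0/4 placed before the final log rule rather than deleting the log rule altogether, so the remaining entries (the TCP/25 and UDP/137 lines in the sample) still get recorded.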
Re: my isp is being told *i* am broadcasting spam?
On Fri, Apr 19, 2002 at 09:00:15PM -0400, Shawn McMahon wrote:
> > Noah (and I) didn't say a firewall was useless, just that discussing firewalls when the problem is a (potential) mail relay is wholly pointless.
>
> Noah did say that. You, to the best of my knowledge, didn't.

Yes, I certainly did say as much, and in this case I do believe it would be useless. Putting a mail server behind a (network based) firewall is quite dangerous. Especially if you have other insecure hosts behind that firewall that you think are safe. The idea of a remote exploit in an MTA is hardly novel, and if your mail server gets cracked, then there are likely to be a lot of other vulnerable hosts behind the firewall that suddenly become attackable.

Now, I don't declare firewalls to be flat out *bad*, though I do know some very experienced network admins that do. They can have their uses. I am not of the school that a firewall should block all traffic except a few specific ports. If I need to protect a certain dangerous service, I will filter that port at the network border, but otherwise I do not filter any traffic. An example of when I would do such a thing is during the recent SNMP vulnerability problem. In a large heterogeneous network, not all vendors will fix their SNMP implementations in a timely manner, so it's best to filter the port at the border until I'm reasonably confident that the systems are no longer vulnerable.

I am a firm believer in network availability and flexibility, and that approach has served me well for years. (I am responsible for several machines on a high-profile open network. We do not rely on network-based firewalls for security.)

> Apologies to Noah for calling him a troll.

No problem. I'm sure I've been called worse. Plus, this sort of debate is always interesting.

noah

--
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 09:42:06PM -0700, David Smead wrote:
> That's why you run those services in a DMZ.

So what are you suggesting, then? This was Will's mail server we're talking about. First you say it needs to be behind the firewall or else it's doomed to be cracked, then you say it needs to be in the DMZ.

noah

--
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
Hi,

On Thu, Apr 18, 2002 at 09:57:45PM -0500, will trillich wrote:
> debian-users: i've got what may be a nasty situation about to happen. any pointers welcome...
>
> just got a 'heads up' from an ally at my isp that someone's reported dontUthink.com as a spammer. i'm running debian potato/exim--
>
> Exim version 3.12 #1 built 03-Jan-2002 02:45:13
> Copyright (c) University of Cambridge 1999

First thing is to confirm the nature of the complaint by talking to the ISP. I suspect some open relay issue. EXIM or any MTA can be used as an open relay if it is not configured right. But configuration can be tricky. One simple thing to do will be to deny all SMTP connections from outside by netfilter (using the ipmasq package and a few example scripts). I used to do this for my LAN and exim. So I get external mail only by fetching mail from the ISP pop server.

> how can i be sure that i've not been cracked and am unbeknownst to me broadcasting/relaying email for others? surely there's something better than just 'sniffit' and waiting for something to happen...
>
> the only 'advertising' i've ever done for dontUthink.com is the .sig at the bottom of my emails, as you see below. i do not spam, never had, never will.
>
> does 'presumed innocent' operate on the mentality of the average isp? i'm getting the impression it does NOT...
>
> ideas? help! (hopefully i'll still be able to get email tomorrow...)

It is an issue with sending mail. Anyway, just close the outgoing SMTP port for now and see what happens.

--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~
+ Osamu Aoki [EMAIL PROTECTED], GnuPG-key: 1024D/D5DE453D
. See User's Guide: http://www.debian.org/doc/manuals/users-guide/
See Debian reference: http://www.debian.org/doc/manuals/reference/
. Debian reference Project at: http://qref.sf.net
. I welcome your constructive criticisms and corrections.
Re: my isp is being told *i* am broadcasting spam?
That's why you run those services in a DMZ.

--
Sincerely,
David Smead
http://www.amplepower.com.

On Thu, 18 Apr 2002, Noah Meyerhans wrote:

> On Thu, Apr 18, 2002 at 08:05:31PM -0700, David Smead wrote:
> > Are you operating behind a firewall? There are only two kinds of systems operating without firewalls - those that are hacked and those that will be soon.
>
> HA! That's the most rediculous thing I've ever heard on this list. The only thing a firewall is good for is to provide you with a false sense of security. If you want to be able to run services like web or mail servers, you by definition must start punching holes in your firewall. The instant you do that, you expose the soft underbelly of your supposedly safe network.
>
> noah
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 09:42:06PM -0700, David Smead wrote:
> That's why you run those services in a DMZ.

And what do you do when a security vulnerability arises in your firewall implementation? Or when an attacker is able to hijack a web browsing session by one of your internal users? The idea that firewalls are the panacea of network security is very dangerous. No network should be trusted, and firewalling off your little subnet is not going to change that. It's been said many times before: the only secure computer is one that's not plugged in.

noah

--
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
Noah,

The more programs running on a computer, the less secure it is. A firewall can run a minimal system - see the LEAF project with deep Debian roots. If you run a firewall running out of RAM then not only will it be minimal, but no trojans can live beyond a reboot.

Of course no computer is invincible, but the idea behind firewalls is valid and is as secure as the implementers have the time and knowledge to stay one step ahead of the crackers.

I'll let you tell me how a browser session of an internal user is hijacked and then we'll discuss the missing rule in the firewall.

I didn't claim that firewalls are a panacea, or a network can be trusted.

I will tell you that sendmail and the general issue of mail handling has been and will continue to be a security issue. You can avoid some of these problems by letting your ISP gather your mail which you later retrieve with whatever program you want.

--
Sincerely,
David Smead
http://www.amplepower.com.

On Fri, 19 Apr 2002, Noah Meyerhans wrote:

> On Thu, Apr 18, 2002 at 09:42:06PM -0700, David Smead wrote:
> > That's why you run those services in a DMZ.
>
> And what do you do when a security vulnerability arises in your firewall implementation? Or when an attacker is able to hijack a web browsing session by one of your internal users? The idea that firewalls are the panacea of network security is very dangerous. No network should be trusted, and firewalling off your little subnet is not going to change that. It's been said many times before: the only secure computer is one that's not plugged in.
>
> noah
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 10:16:50PM -0700, David Smead wrote:
| Noah,
|
| The more programs running on a computer, the less secure it is. A
| firewall can run a minimal system - see the LEAF project with deep Debian
| roots. If you run a firewall running out of RAM then not only will it be
| minimal, but no trojans can live beyond a reboot.

Ok, that's cool. Now run IE on Windows on a client behind your firewall. Surf to a site running IIS and Nimda. You've got Nimda. Lotta good the firewall did there.

| I'll let you tell me how a browser session of an internal user is hijacked
| and then we'll discuss the missing rule in the firewall.

The missing rule is that you let out requests destined for TCP port 80. (or 8080 or wherever that IIS server happens to be listening) Or, maybe the problem is the (insecure) IE client.

-D

--
640K ought to be enough for anybody
-Bill Gates, 1981
Re: my isp is being told *i* am broadcasting spam?
The first mistake is running Windows.

The second mistake is not putting Windows machines all on their own subnet with a firewall between it and the `good' machines on the Linux subnet.

Anyone who can secure Windows itself with a firewall product has a ready and steady market!

--
Sincerely,
David Smead
http://www.amplepower.com.

On Fri, 19 Apr 2002, dman wrote:

> On Thu, Apr 18, 2002 at 10:16:50PM -0700, David Smead wrote:
> | Noah,
> |
> | The more programs running on a computer, the less secure it is. A
> | firewall can run a minimal system - see the LEAF project with deep Debian
> | roots. If you run a firewall running out of RAM then not only will it be
> | minimal, but no trojans can live beyond a reboot.
>
> Ok, that's cool. Now run IE on Windows on a client behind your firewall. Surf to a site running IIS and Nimda. You've got Nimda. Lotta good the firewall did there.
>
> | I'll let you tell me how a browser session of an internal user is hijacked
> | and then we'll discuss the missing rule in the firewall.
>
> The missing rule is that you let out requests destined for TCP port 80. (or 8080 or wherever that IIS server happens to be listening) Or, maybe the problem is the (insecure) IE client.
>
> -D
Re: my isp is being told *i* am broadcasting spam?
on Thu, Apr 18, 2002, Osamu Aoki ([EMAIL PROTECTED]) wrote:
> Hi,
>
> On Thu, Apr 18, 2002 at 09:57:45PM -0500, will trillich wrote:
> > debian-users: i've got what may be a nasty situation about to happen. any pointers welcome...
> >
> > just got a 'heads up' from an ally at my isp that someone's reported dontUthink.com as a spammer. i'm running debian potato/exim--
> >
> > Exim version 3.12 #1 built 03-Jan-2002 02:45:13
> > Copyright (c) University of Cambridge 1999
>
> First thing is to confirm the nature of the complaint by talking to the ISP.

Ditto. Specifically, headers or IPs in question.

> I suspect some open relay issue.

I suspect spoofed headers. Very easy to do, and many tools don't handle spoofed domains well. I report *to* them, but make clear in my response message that this is an either-or case. Your ISP may not be distinguishing this here.

> EXIM or any MTA can be used as an open relay if it is not configured right. But configuration can be tricky.

With exim it's fairly straightforward. Look for the value of:

#relay_domains =

...in /etc/exim/exim.conf.

> > how can i be sure that i've not been cracked and am unbeknownst to me broadcasting/relaying email for others? surely there's something better than just 'sniffit' and waiting for something to happen...

apt-get install chkrootkit

...not bulletproof, but good for common stuff.

Peace.

--
Karsten M. Self kmself@ix.netcom.com
http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.
http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html
Re: my isp is being told *i* am broadcasting spam?
On Fri, 2002-04-19 at 03:57, will trillich wrote:
> debian-users: i've got what may be a nasty situation about to happen. any pointers welcome...
>
> does 'presumed innocent' operate on the mentality of the average isp? i'm getting the impression it does NOT...
>
> ideas? help! (hopefully i'll still be able to get email tomorrow...)

Hi Will,

port 25 is still open but I wasn't able to relay.

Tests:

telnet to relay-test.mail-abuse.org. It will automatically connect to your machine's port 25 and run a variety of tests to see if your machine is configured as an open relay.

a better open relay test ... http://www.paladincorp.com.au/unix/spam/spamlart

rest of um http://www.linux-sec.net/Mail/#Relay

These links and tips were given to me by Alvin Oga and Jeremy Gaddis a couple of weeks ago.

--
Patrick
firewall limitations (was Re: my isp is being told *i* am broadcasting spam?)
On Thu, Apr 18, 2002 at 11:11:37PM -0700, David Smead wrote:
| The first mistake is running Windows.

True.

| The second mistake is not putting Windows machines all on their own
| subnet with a firewall between it and the `good' machines on the Linux
| subnet.

It makes no difference. The windows machine still gets hosed. The only way to prevent that from happening is to
a) disconnect the windows machine
b) use a firewall that does the _same thing_

If your firewall is going to behave like a severed cable, you might as well just sever the cable and make it easier on yourself.

| Anyone who can secure Windows itself with a firewall product has a ready
| and steady market!

Firewalls are a good thing to protect against private services and services you didn't know were running, but they can't prevent you from becoming an open relay (or anything else) for services you do allow. Firewalls are a way of reducing network connectivity, ideally without destroying it altogether. I'm not saying you shouldn't use a firewall, just be aware of the limits of its capabilities.

-D

--
...In the UNIX world, people tend to interpret `non-technical user' as meaning someone who's only ever written one device driver. --Daniel Pead
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 10:16:50PM -0700, David Smead wrote:
> I will tell you that sendmail and the general issue of mail handling has been and will continue to be a security issue.

What does sendmail have to do with this? From Will's original post:

> Exim version 3.12 #1 built 03-Jan-2002 02:45:13
> Copyright (c) University of Cambridge 1999

Exim's history isn't nearly so sordid as sendmail's and, as Debian's default MTA, I suspect that the security team has given it extra-special attention as well.

--
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
Re: my isp is being told *i* am broadcasting spam?
begin Noah Meyerhans quotation:
> HA! That's the most rediculous thing I've ever heard on this list.

ridiculous.

> The only thing a firewall is good for is to provide you with a false sense of security.

A firewall is a useful tool for securing a network. If you don't know enough about security to know that, you shouldn't be pontificating on the subject in a public list. Like any other tool, it is neither necessary nor sufficient in and of itself.

> If you want to be able to run services like web or mail servers, you by definition must start punching holes in your firewall.

And, of course, opening a single hole in a firewall makes it completely useless. NOT. Go away, troll.

--
Shawn McMahon | McMahon's Laws of Linux support:
http://www.eiv.com | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
begin Noah Meyerhans quotation:
> And what do you do when a security vulnerability arises in your firewall implementation?

The same thing you do when that happens with any other component of your network; fix it, have plans in place to recover from it, and have monitoring in place to detect it as quickly as your budget allows.

> Or when an attacker is able to hijack a web browsing session by one of your internal users?

See above.

> The idea that firewalls are the panacea of network security is very dangerous.

The idea that anybody who says a firewall is a useful tool automatically thinks it's a panacea is a straw man you created.

> No network should be trusted, and firewalling off your little subnet is not going to change that.

I don't see you putting your root password in your .signature. I mean, after all, if it's that black and white (either security is useless, or you disconnect from the network), then you shouldn't mind doing that.

> It's been said many times before: the only secure computer is one that's not plugged in.

Yes, it has; but there's usually a few hundred more pages in the book after that, or the meeting continues and goes on to doing some useful work.

Leave security to the professionals; or even to the amateurs. Just leave it to somebody that recognizes that it has value, OK?

--
Shawn McMahon | McMahon's Laws of Linux support:
http://www.eiv.com | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
On Fri, Apr 19, 2002 at 11:22:56AM -0400, Shawn McMahon wrote:
| begin Noah Meyerhans quotation:
| > HA! That's the most rediculous thing I've ever heard on this list.
|
| ridiculous.
|
| > The
| > only thing a firewall is good for is to provide you with a false sense
| > of security.
|
| A firewall is a useful tool for securing a network. If you don't know
| enough about security to know that, you shouldn't be pontificating on
| the subject in a public list. Like any other tool, it is neither
| necessary nor sufficient in and of itself.
|
| > If you want to be able to run services like web or mail
| > servers, you by definition must start punching holes in your firewall.
|
| And, of course, opening a single hole in a firewall makes it completely
| useless. NOT. Go away, troll.

Noah isn't a troll. He's absolutely right here -- if you run a mail server, no firewall will prevent you from becoming an open relay. The only firewall that will prevent your mail server from being an open relay is one which disconnects the mail server from the rest of the world (and prevents you from getting any mail at all). If you are to run a mail server you have to open TCP port 25. Once you've done that, your firewall doesn't help you on port 25 and you must then look to other means for securing that part of your system/network.

Noah (and I) didn't say a firewall was useless, just that discussing firewalls when the problem is a (potential) mail relay is wholly pointless.

-D

--
Pride goes before destruction, a haughty spirit before a fall.
Proverbs 16:18
Re: my isp is being told *i* am broadcasting spam?
HELO dontuthink.com
250 server Hello 12-235-84-58.client.attbi.com [12.235.84.58]
MAIL FROM:[EMAIL PROTECTED]
250 [EMAIL PROTECTED] is syntactically correct
RCPT TO:[EMAIL PROTECTED]
550 relaying to [EMAIL PROTECTED] prohibited by administrator

if you are relaying, I do not see how. If someone can relay through you they should be able to telnet to your smtp port and send mail out like I just tried.
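The manual telnet test above, and the relay-test services Patrick lists, both boil down to the same four-command exchange. Here it is as a scripted probe, added as an example rather than taken from the thread or from any of those services. The probe sends HELO, MAIL FROM with an outside sender and RCPT TO with a recipient in a domain the target does not host, then stops before DATA, so it can never create a message; a 2xx reply to that RCPT is the open-relay signature, a 550 like the one in the transcript above means relaying was refused. So that it runs offline, the block also contains a toy SMTP responder (constructed for the example, not Exim) that answers the way a closed relay does, or the way an open one does when started with `open_relay=True`; the hostnames, addresses and the `LOCAL_DOMAINS` set are assumptions.

```python
import socket
import threading

# Domains the toy server accepts mail for.  Everything else is a relay attempt.
LOCAL_DOMAINS = {"dontuthink.com"}


def _recv_reply(conn):
    """Read one SMTP reply (single or multi-line) and return it as text."""
    buf = b""
    # The final line of a reply has a space, not a dash, after the 3-digit code.
    while not (buf.endswith(b"\r\n")
               and buf.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1][3:4] == b" "):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").strip()


def _serve_one(listener, open_relay):
    """Constructed stand-in for a mail server: answers one probe session.
    open_relay=True mimics a misconfigured MTA that accepts RCPT for any domain."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 server ESMTP\r\n")
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode("ascii", "replace").partition(" ")
                verb = verb.upper()
                if verb == "HELO":
                    reply = "250 server Hello %s" % arg
                elif verb == "MAIL":
                    reply = "250 sender accepted"
                elif verb == "RCPT":
                    addr = arg.partition(":")[2].strip().strip("<>")
                    domain = addr.rpartition("@")[2].lower()
                    if open_relay or domain in LOCAL_DOMAINS:
                        reply = "250 recipient accepted"
                    else:
                        reply = "550 relaying to %s prohibited by administrator" % addr
                elif verb == "QUIT":
                    conn.sendall(b"221 closing connection\r\n")
                    return
                else:
                    reply = "500 command not recognised"
                conn.sendall((reply + "\r\n").encode("ascii"))


def relay_probe(host, port, helo="probe.example.net",
                mail_from="probe@example.net", rcpt_to="someone@example.org"):
    """Run HELO / MAIL FROM / RCPT TO against host:port and report whether a
    recipient in a foreign domain was accepted.  DATA is never sent, so no
    message is produced whatever the answer.  Returns (is_open_relay, transcript)."""
    transcript = []
    with socket.create_connection((host, port), timeout=10) as s:
        transcript.append(("", _recv_reply(s)))          # banner
        for cmd in ("HELO %s" % helo,
                    "MAIL FROM:<%s>" % mail_from,
                    "RCPT TO:<%s>" % rcpt_to):
            s.sendall((cmd + "\r\n").encode("ascii"))
            transcript.append((cmd, _recv_reply(s)))
        s.sendall(b"QUIT\r\n")
        _recv_reply(s)
    rcpt_reply = transcript[-1][1]
    return rcpt_reply.startswith("2"), transcript


def probe_toy_server(open_relay):
    """Start the toy responder on an ephemeral loopback port and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_one, args=(listener, open_relay), daemon=True)
    t.start()
    try:
        return relay_probe("127.0.0.1", port)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for mode in (False, True):
        is_open, transcript = probe_toy_server(open_relay=mode)
        print("open_relay=%s -> probe says open=%s" % (mode, is_open))
        for cmd, reply in transcript:
            print("  %s\n  %s" % (cmd, reply) if cmd else "  %s" % reply)
```

Against a real host, call `relay_probe("your.mail.host", 25, rcpt_to="you@a-domain-you-do-not-host")` from a machine outside your own network, since many MTAs (Exim included) relay freely for hosts they consider local, which is exactly the case the ISP's complaint would not be about. One caveat: some MTAs accept RCPT and only refuse at DATA or after it, so a 2xx here is strong evidence, not proof; the relay-test services Patrick mentions go further and try the address-rewriting tricks (source-routed and percent-hack recipients) that this single exchange does not.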
Re: my isp is being told *i* am broadcasting spam?
* dman ([EMAIL PROTECTED]) [020419 09:10]:
> On Fri, Apr 19, 2002 at 11:22:56AM -0400, Shawn McMahon wrote:
> | begin Noah Meyerhans quotation:
> | > HA! That's the most rediculous thing I've ever heard on this list.
> |
> | ridiculous.

pedantic.

> | > The
> | > only thing a firewall is good for is to provide you with a false sense
> | > of security.
> |
> | A firewall is a useful tool for securing a network. If you don't know
> | enough about security to know that, you shouldn't be pontificating on
> | the subject in a public list. Like any other tool, it is neither
> | necessary nor sufficient in and of itself.

Well said.

> | > If you want to be able to run services like web or mail
> | > servers, you by definition must start punching holes in your firewall.
> |
> | And, of course, opening a single hole in a firewall makes it completely
> | useless. NOT. Go away, troll.
>
> Noah isn't a troll. He's absolutely right here -- if you run a mail server, no firewall will prevent you from becoming an open relay. The only firewall that will prevent your mail server from being an open relay is one which disconnects the mail server from the rest of the world (and prevents you from getting any mail at all). If you are to run a mail server you have to open TCP port 25. Once you've done that, your firewall doesn't help you on port 25 and you must then look to other means for securing that part of your system/network.
>
> Noah (and I) didn't say a firewall was useless, just that discussing firewalls when the problem is a (potential) mail relay is wholly pointless.

Well, there may be other issues on the table here. Will's original question was "can I tell if I've been hacked?" His exim setup could be sound, but it's definitely feasible that a rootkit could install a mail relay listening on another port and sending out a ton of spam unbeknownst to ps and top. Are your hub lights blinking, Will?

If that rootkit was installed by somebody exploiting a samba which should have been blocked from The Outside, this could potentially have been prevented if a packet filter was installed to allow incoming connections only to tcp/25.

Also, I'm pretty sure Noah did say the firewall was useless - that the only thing it's good for is a false sense of security. 'Troll' may be a bit strong, but then, so was his remark about the usefulness of firewalls!

--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
Re: my isp is being told *i* am broadcasting spam?
begin dman quotation:
> Noah (and I) didn't say a firewall was useless, just that discussing firewalls when the problem is a (potential) mail relay is wholly pointless.

Noah did say that. You, to the best of my knowledge, didn't.

The original poster was concerned about a number of things, including the possibility that he'd been hacked. The response that triggered Noah was one opining that if the person didn't have a firewall, he should assume he HAS been hacked. A little broad of a brush, perhaps, since it is possible to secure a system such that a firewall adds nothing (one would hope, for instance, that one's firewall is that secure), but I think we can conclude that any user who makes it clear in his post that he doesn't even know where his MTA's logfiles are kept probably would benefit from a firewall. As long as he doesn't assume firewall == secure, of course.

Apologies to Noah for calling him a troll.

--
Shawn McMahon | McMahon's Laws of Linux support:
http://www.eiv.com | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
Re: my isp is being told *i* am broadcasting spam?
Are you operating behind a firewall? There are only two kinds of systems operating without firewalls - those that are hacked and those that will be soon.

--
Sincerely,
David Smead
http://www.amplepower.com.

On Thu, 18 Apr 2002, will trillich wrote:

> debian-users: i've got what may be a nasty situation about to happen. any pointers welcome...
>
> just got a 'heads up' from an ally at my isp that someone's reported dontUthink.com as a spammer. i'm running debian potato/exim--
>
> Exim version 3.12 #1 built 03-Jan-2002 02:45:13
> Copyright (c) University of Cambridge 1999
>
> how can i be sure that i've not been cracked and am unbeknownst to me broadcasting/relaying email for others? surely there's something better than just 'sniffit' and waiting for something to happen...
>
> the only 'advertising' i've ever done for dontUthink.com is the .sig at the bottom of my emails, as you see below. i do not spam, never had, never will.
>
> does 'presumed innocent' operate on the mentality of the average isp? i'm getting the impression it does NOT...
>
> ideas? help! (hopefully i'll still be able to get email tomorrow...)
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 08:05:31PM -0700, David Smead wrote:
> Are you operating behind a firewall? There are only two kinds of systems operating without firewalls - those that are hacked and those that will be soon.

HA! That's the most rediculous thing I've ever heard on this list. The only thing a firewall is good for is to provide you with a false sense of security. If you want to be able to run services like web or mail servers, you by definition must start punching holes in your firewall. The instant you do that, you expose the soft underbelly of your supposedly safe network.

noah

--
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: my isp is being told *i* am broadcasting spam?
On Thu, Apr 18, 2002 at 09:57:45PM -0500, will trillich wrote:
> just got a 'heads up' from an ally at my isp that someone's reported dontUthink.com as a spammer. i'm running debian potato/exim--

You really need to find out the nature of the complaint. Did the person claim that spam was delivered via your machine? Did they provide message headers to back up that claim? If so, then the first place to check is your mail logs. Or were they just claiming that some email address at your domain was spamming? If that's the case, then it's probably a case of forged headers and there's nothing you can do about it. The vast majority of spam I get comes out of Asia yet claims to be from an address @msn.com or similar.

noah

--
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
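Noah's "first place to check is your mail logs", carried out as an added example (not from the thread): a scan of an Exim mainlog that pairs each message's arrival record (`<=`) with its delivery records (`=>`) and reports messages that came in over SMTP from an outside address and went out again to a domain this host is not responsible for, which is what a relayed message looks like in the log, regardless of what the headers claim. The sample lines are constructed in the shape of Exim's mainlog (the message IDs, hostnames and the 192.0.2.x / 198.51.100.x addresses are made up), and the `LOCAL_DOMAINS` and `LOCAL_PREFIXES` values are assumptions for the example. Field layout varies between Exim releases, so check the regexes against a few real lines from the 3.12 log before trusting the result.

```python
import re
from collections import defaultdict

# Domains this host is responsible for, and address prefixes of its own LAN.
# Both are assumptions for the example (the thread shows dontuthink.com and
# serensoft.com resolving to the same host; the 192.168.1. prefix is made up).
LOCAL_DOMAINS = {"dontuthink.com", "serensoft.com"}
LOCAL_PREFIXES = ("127.", "192.168.1.")

# Exim mainlog shape: "<date> <time> <msgid> <= <sender> ..." on arrival and
# "<date> <time> <msgid> => <recipient> ..." per delivery.  Local mailbox
# deliveries log the user followed by the full address in angle brackets;
# remote arrivals carry "H=<host> [<ip>]", local submissions "U=<user>".
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+)(?: <(?P<full>[^>]+)>)?(?P<rest>.*)$")
HOST_IP = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")

# Constructed sample log: one local submission, one inbound delivery, and
# one message that was accepted from outside and sent on to two outside
# domains, i.e. relayed.
SAMPLE_MAINLOG = """\
2002-04-18 20:01:10 16yZ1a-0001Qa-00 <= will@dontuthink.com U=will P=local S=812
2002-04-18 20:01:11 16yZ1a-0001Qa-00 => friend@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.55]
2002-04-18 20:01:11 16yZ1a-0001Qa-00 Completed
2002-04-18 20:14:02 16yZDu-0001Qz-00 <= bob@example.com H=mail.example.com [192.0.2.77] P=esmtp S=1507
2002-04-18 20:14:02 16yZDu-0001Qz-00 => will <will@dontuthink.com> D=localuser T=local_delivery
2002-04-18 20:14:02 16yZDu-0001Qz-00 Completed
2002-04-18 20:39:47 16yZcJ-0001Ra-00 <= sales@example.net H=(bogus.example) [198.51.100.9] P=smtp S=20411
2002-04-18 20:39:49 16yZcJ-0001Ra-00 => victim1@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.55]
2002-04-18 20:39:50 16yZcJ-0001Ra-00 => victim2@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.66]
2002-04-18 20:39:50 16yZcJ-0001Ra-00 Completed
"""


def collect(log_lines):
    """Group arrival and delivery records by Exim message id."""
    msgs = {}
    for line in log_lines:
        m = ARRIVAL.match(line)
        if m:
            ip = HOST_IP.search(m.group("rest"))
            msgs[m.group("id")] = {
                "sender": m.group("sender"),
                "from_ip": ip.group(1) if ip else None,   # None: local submission
                "rcpts": [],
            }
            continue
        m = DELIVERY.match(line)
        if m and m.group("id") in msgs:
            msgs[m.group("id")]["rcpts"].append(m.group("full") or m.group("rcpt"))
    return msgs


def is_outside(ip):
    """True for an SMTP client that is neither local nor on our own LAN."""
    return ip is not None and not ip.startswith(LOCAL_PREFIXES)


def is_foreign(addr):
    """True for a recipient in a domain this host does not host."""
    return addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS


def find_relayed(log_lines):
    """Messages that arrived from outside and were delivered to a foreign domain,
    as (message id, client ip, envelope sender, recipient) tuples."""
    hits = []
    for mid, info in collect(log_lines).items():
        if not is_outside(info["from_ip"]):
            continue
        for rcpt in info["rcpts"]:
            if is_foreign(rcpt):
                hits.append((mid, info["from_ip"], info["sender"], rcpt))
    return hits


def relay_sources(log_lines):
    """Relayed deliveries per originating IP, the list to hand to the ISP."""
    per_ip = defaultdict(int)
    for _, ip, _, _ in find_relayed(log_lines):
        per_ip[ip] += 1
    return dict(per_ip)


if __name__ == "__main__":
    lines = SAMPLE_MAINLOG.splitlines()
    for mid, ip, sender, rcpt in find_relayed(lines):
        print("relayed: %s from [%s] <%s> -> %s" % (mid, ip, sender, rcpt))
    print("by source:", relay_sources(lines))
```

An empty result from a real log, taken together with a refused RCPT in the telnet test earlier in the thread, is the evidence to send back to the ISP that the complaint is about forged headers rather than about this host; a non-empty one gives the message IDs and client addresses to quote in the reply.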