Hi everyone,

My sincere apologies to the people who received spam sent through our
TidBITS text issue list yesterday. I learned about the problem around
6 PM, just as I was finishing up for the day. I immediately logged
into our remote Xserve, shut the server software down, and deleted
the entire outgoing mail queue. Although I was moving too quickly to
be certain, I believe that no more than about 6,000 people (less than
a third of that particular list) received the spam before I was able
to stop it.

I brought the server back up and applied a fix that I believed would
solve the issue, but while I was discussing the problem with Joe
Kissell, I saw the email queue start to fill up - the spammer had
struck again and my fix had failed. Once again I shut the server down
and deleted the mail queue. Since I was watching, I don't believe the
second spam went to more than a few hundred people (our server can
send mail extremely quickly, so even a few seconds of operation has
non-trivial results).

After examining both spam messages, I figured out what had happened,
but I was surprised that my fix hadn't solved the problem. Because I
had no idea how to resolve the problem at that point, I opted to take
the four TidBITS lists and the Take Control Announcements list
offline entirely for the evening. I didn't alert everyone then, since
I wanted to wait until I had a real fix in hand.

Meanwhile, I started discussions with the technical folks at our
server vendor. Numerous messages went back and forth as I tried
different suggestions, but it wasn't until this afternoon that we
discovered the proper combination of settings to block the hole.
Then, Glenn Fleishman helped me forge mail from outside my server to
simulate a spam attack so we could evaluate the fix.

The good news is that I'm fairly certain that this particular hole
will not be exploited again. The basic problem is that there's the
equivalent of a root account in our server software, and that account
can do anything, including sending email to mailing lists that
otherwise block all other senders. That apparently can't be
prevented, but I've changed the email address associated with that
account to one that can't be guessed, has never been used, and can be
changed regularly.

Needless to say, I feel terrible about allowing this to happen, and
again, I apologize for the inconvenience. This stuff just isn't as
easy as it used to be back in the good old days when there weren't
constant attacks from all sides.

with little cheer... -Adam

--
Look into my head; follow me on Twitter. http://twitter.com/adamengst
_____________________________________________________________________
Adam C. Engst:     I publish TidBITS and Take Control, write books,
[email protected]    and make useful introductions in the Mac industry.
My work: http://www.tidbits.com/ and http://www.takecontrolbooks.com/
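The hole Adam describes, as an added Python sketch that is not TidBITS's list software or its vendor's code: a closed list gates posts on the From header, a privileged "root" address bypasses the per-list sender restriction, and because the header is forgeable, a guessable root address is enough to post. Rotating that address to a random, never-used one is the fix applied above; the ListGate class, the example.org domain and the sample message are constructed for this example.

```python
import secrets
from email.parser import Parser
from email.utils import parseaddr

LIST_DOMAIN = "example.org"  # constructed domain, not the real list's


class ListGate:
    """Posting gate for a sender-restricted mailing list.

    A message is accepted if its From address is an approved sender or
    is the privileged root address, which can post to any list no matter
    how that list restricts senders. Root-address posts are recorded so
    an operator can audit them (the queue filling up was the only signal
    in the incident above).
    """

    def __init__(self, root_address, allowed_senders):
        self.root_address = root_address.lower()
        self.allowed = {a.lower() for a in allowed_senders}
        self.root_uses = []  # From values that were accepted via root

    def accept(self, raw_message):
        msg = Parser().parsestr(raw_message)
        # Only the header is checked: anyone can write any From line.
        _, from_addr = parseaddr(msg.get("From", ""))
        from_addr = from_addr.lower()
        if from_addr == self.root_address:
            self.root_uses.append(msg.get("From", ""))
            return True
        return from_addr in self.allowed

    def rotate_root_address(self):
        """Replace the root address with an unguessable, never-used one."""
        local_part = secrets.token_hex(16)  # 128 bits, lowercase hex
        self.root_address = f"{local_part}@{LIST_DOMAIN}"
        return self.root_address


def demo():
    gate = ListGate(f"list-admin@{LIST_DOMAIN}", [f"editor@{LIST_DOMAIN}"])
    # Constructed forged post: From header set to the guessable root address.
    forged = f"From: Spammer <list-admin@{LIST_DOMAIN}>\nSubject: buy now\n\nspam\n"
    before = gate.accept(forged)        # True: the guess is all it takes
    new_root = gate.rotate_root_address()
    after = gate.accept(forged)         # False: old address is no longer privileged
    return before, after, new_root, len(gate.root_uses)
```

The rotated address only helps while it stays undisclosed, so the recorded root_uses should be reviewed whenever it is used.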
