Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
BSD Operating Systems

Stopping Spam And Trojan Horses With BSD 54

Posted by Hemos from the good-tricks-to-know dept.
Brett Glass writes: "This paper, first presented at BSDCon 2000, describes state of the art methods of blocking spam and malware using BSD and Sendmail. The techniques described here are also applicable to other operating systems and mail transfer agents, so this paper is worth reading even if you're using NT, Linux, Postfix, qmail, etc. If you've never heard of a Rumplestiltskin attack, are baffled by the finer points of Sendmail configuration, or want to know how to block worms like ILOVEYOU before they reach vulnerable Windows clients, you'll enjoy this paper. Slides from the presentation are also included."
This discussion has been archived. No new comments can be posted.

Stopping Spam And Trojan Horses With BSD More

Stopping Spam And Trojan Horses With BSD

Comments Filter:
  • Not only was this the best talk that I attended at the Con, But I have been slowly working my way through the paper one point at a time, tightening up my mail servers. It's really an outstanding resource.

    Adding RSS lookups has been the biggest spam killer so far. The first week I had it enabled I was rejecting about 1200 spams a day. Now that the bigger spammers know they can't steal from me so easily, it's down under 100 per day.

    The next step is procmail for filtering malware.

    . Thanks

    - H

  • I'm also interested in this, but I never knew it until you brought it up. It would be very easy for the users to setup a mail filter to move all subjects with '[SPAM]' in the subject to dev/null. It seems that inserting it into the subject line would be much more compatible to all mail readers than custom headers.

  • does anyone know how to configure sendmail, so that if the sender domain matches some RBL (ORBS, etc) "SPAM:" is inserted into the subject line of the header (or some X-SPAM: header is set).

    I looked into this at some length at my previous job, where we couldn't just drop spam in the bit-bucket for policy reasons, but wanted to identify spam so that users could easily filter it out themselves if they wanted to.

    The ideal solution would be something like:
    H?Spam?X-Spam: ${RBL} ${ORBS} ${DUL}
    where the variables ${Spam}, ${RBL}, ${ORBS}, etc. are set by the standard rulesets. This way, those messages identified as spam would have an X-Spam: header providing more details. Normal messages would be passed unchanged.

    Unfortunately, it appears to be impossible to set a variable from inside a ruleset (please tell me if I'm wrong), so this doesn't work.

    The next best thing would be
    HX-Spam: $>CheckSpam
    which would add an X-Spam: header to every message, the value of which would be whatever is returned by the CheckSpam ruleset. Unfortunately, it looks as if sendmail 8.10.2 doesn't allow you to invoke rules from within header definition lines. Brett Glass's article hints otherwise (see Listing 2), but perhaps he's using a newer version of sendmail than I am.

  • Just to clarify Oz and correct Cardinal's confusion...

    There is no separation of kernel and userland in BSD in the same way that there is in a Linux Distribution. There are no "package maintainers" because it isn't a package-based distribution. Everything that makes up the system is engineered by the same team of people. It's all in a single source tree under /usr/src rather than a plethora of third party userland apps by who-knows-who.

    (Not counting third party applications available via Packages or Ports of course.)

  • That was mentioned in a wee little paragraph near the end of the "Web Page Address Harvesting" section, and included some simple sample CGI [turnstep.com].

  • What the rbl rule sets do is simply replace the domain name with a target that is later returned as an error.

    The change you will need to make is on line 24 of cf/feature/ddnsbl.m4. Somehow you are going to
    have to figure out to to get a header added when a condition happens and then return $: OK. I think I would try to set some variable and then create a "H" line with something like H?Var?X-spam: $Var.
  • Set up two domain names on you box, one of them with filters.

    When the users need to communicate with those using open relays, give them an account with no spam filters.
  • Your posts are hard to read. I suggest you start using less abbreviations and more grammar.
    --------
    Genius dies of the same blow that destroys liberty.
  • > > BSD is a mess from a security viewpoint

    > Compared to what OS?

    Why, Windows 95, of course! ;)
    --------
    Genius dies of the same blow that destroys liberty.
  • True, but the way I wrote it doesn't cloud what I'm trying to say.
    --------
    Genius dies of the same blow that destroys liberty.
  • Yes. It does work with OS/2, as does a lot of other ported *nix open source stuff, using the emx libraries and/or Xfree86 to handle it.

    For instance, I just put PMVNC, ported from the Open source code on my OS/2 machine, which I used to access a Linux box and a Win2k box 90 miles from here. I also used a SSH port to access the linux box. I have had a port of NcFTP for a long time on the machine.

    There is also an OS/2 ISP mailing list where they discuss Sendmail usage, SPAM, and a lot of other things; I also participate in that list.

    You can find most of this stuff for OS/2 at http://hobbes.nmsu.edu [nmsu.edu]. Xfree86 and Samba links for OS/2 can also be found at their respective sites.

  • Well, no. But then I don't regard Exchange as a real progran anyway. It is a virus. Or perhaps more correctly, a virus magnet.

    To demonstrate the difference, we run Lotus Notes at work. I have used it for about 5 years. And love it. But often the initial impression a person may have might not approach my fondness or that of the others at work. That is just because you don't know it.

    But hear this: When the "I Love You" thing hit, we might have had 75 infected machines [total] out of over 10,000. We were virutally unaffected. And that was the first hit by the virus. It did NOT spread. And as soon as we knew it was there, a tweak of Notes prevented a user from sending it anywhere.

    OTOH, I know for a fact that some companies that we deal with were completely down for a week or more trying to fix the mess.

    The upside is that Notes is just very reliable and good. Exchange isn't. BTW, we merged with another company of similar size, who was using Exchange. They are converting to Notes right now.

  • I just got this running at my isp account and it appeared to be setup correctly, except that I then read that this blocks only a 1-3 PERCENT of all spam. After looking at my recent list of received spam, I found that most of it comes from 123456@yahoo.com and similar. You can't (easily) block part of yahoo and the spammers can create bogus accounts for each sending so you can't block by email.
  • The ACs are out in force this Xmas eve!

    How sad. Trolls with no families or friends to keep them company on Xmas, so they resort to posting crap and nonesense on /.
  • And were asked to provide links, to provide proof.

    Yet, all you do is keep repeating the same things over and over.

    When you have some links to back up these claims, please post them.
  • BSD is a mess from a security viewpoint

    Compared to what OS?
  • Amazing, the BSD troll now has knowledge of the NSA!

    *yawn*

    Come back with proof!
  • But if you have an acne faced part-time high school student doing your sys admin work with sendmail--you are in big trouble.

    If you're in this situation, you're in big trouble no matter what MTA you're using.

    Sendmail's code isn't as bad as you paint it, though. Thousands of pairs of experienced eyes have pored over it -- certainly more than for any other MTA.

    If you really are concerned about Sendmail, wrap it with smtpd [brettglass.com] or use qmail [qmail.org]. Warning: you'll still need to understand the underlying principles to control relaying and block spam and malware. And don't assume that it will necessarily be that much easier. as this FAQ [summersault.com] explains, using spam prevention tools such as DNS blacklists with qmail is more complex than doing it with Sendmail (which requires only one line per blacklist in your .mc file).

    --Brett

  • There's a qmail anti-spam FAQ at http://www.summersault.com/chris/techno/qmail/qmai l-antispam.html [summersault.com]. Unfortunately, as you'll see, qmail doesn't have an intrinsic ability to check a DNS blacklist. You'll need to use an external wrapper or Procmail recipes, both of which can take a bit of skill to set up. As I've mentioned in another post, Sendmail is actually easier to configure for RBL-style blacklists.

    --Brett

  • (GMAB == "Give me a break")

    Really, guys -- the "BSD is dead" trolls are getting very, very old. BSD is here for keeps and is gaining in popularity; it's not going away just because a few overzealous advocates of other OSes are in denial. Besides, as I've mentioned, every technique I've mentioned in the paper -- even the Sendmail configuration options, which have equivalents in most other MTAs -- is useful on other OS platforms and with other mail software. So, even if you're a total Linux (or qmail, or exim, or Lotus Notes, or Groupwise) fanatic, you still need to know these techniques to be a good sysadmin. I'd like to see more discussion of filtering techniques.... Even the state of the art filters and HTML manglers are nowhere near perfect yet.

    --Brett Glass

  • Most spam that claims to be from Yahoo isn't. The RFC822 "From:" header is spoofed, and the spam is really originating elsewhere.

    If your ISP will let you run Procmail filters (most UNIX-based ones will), your best bet is to set up a Procmail filter which checks the RBL and also looks for other signs of spam. I recommend a couple in the paper.

    --Brett

  • one problem with this , with makeing a program to use finger from inetd
    finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s -l -p /usr/local/bin/nonetfinger

    BSD inetd will allow you to write stuff in the hosts.allow file for example
    fingerd : ALL \
    : severity auth.info \
    : twist /bin/echo "Go away and dont finger me bitch."
  • yes but the way i explained it, kernel vs os. You cant do linux vs. freebsd. Cuz freebsd is a os and linux is a kernel. I didnt mean any flame btw
  • i disagree. Maybe a year ago. But it is getting more and more ground again. esp with osx.
  • I agree with that somewhat , but normaly when an exploit is found in *BSD it is typicaly fixed faster than in linux just because how they have 'there system of makeing the system' setup. They have a core team that can say 'yeah we need this' or 'no' and in linux its just linus. And I cant say anything about other o/s cuz its closed source and you dunno when its going to be fixed. And both have good and bad points to manage kernel/os.
  • This article was also part of the November Issue of the DaemonNews E-zine. This a link to that article http://www.daemonnews.org/200011/stopspam.html [daemonnews.org].

  • Sendmail and procmail run under linux and that is what the article is about.
  • Remember everyone saying "unix is dead" a few years ago? Yeah, right...

    - Hubert
  • Thanks man...maybe we should start a support group, you know? For people who have tasted the drug known as the outside world. the temptations are immense. Like just the other day I almost did my laundry. Like wtf is up with that? ;-)
  • Haven't heard this one before. Is this "mal-" as in "bad", as in "malicious", "malevolent" and "maladjusted"?
  • I am in the process of setting up FreeBSD on a spare box, and this is utterly completely valuable.

    I have had a few too many for most of this to stick right now, but this is definitely a good asset to have.

    Again, Thank You


  • My Hi-fi _maxes out_ at -0, and is silent at -Inf.

    Does that mean it plays my music backwards?

    Calm down pet.

    Merry Chrissy all.
    FatPhil

    -- Real Men Don't Use Porn. -- Morality In Media Billboards
  • You are free to browse at -1 and read all about the first posts. You are also free to browse at 0, like I am, there you van read all the flamebaits and redundant posts. Whats wrong with negative points. Flamebaits like this are kinda interesting on a boring christmas day. Firstposts never are..
  • Actually, I have used FreeBSD and I have no experience with the FreeBSD elite being unfriendly towards newbies nor do I have the experience of them being helpful... reason - I never asked for help so I don't know. I mailed the NetBSD team a few questions or two and they were very helpful and quick to respond. I have toyed around with OpenBSD once and that's about all. By the way, the BSD's are far from dead. I use linux much more and so do many others, however, I seriously doubt any BSD is going under any time soon.
  • I hope so! Many times while at work, I will write a company a question and "spoof" my home personal box, so I can check the reply at home and not have the non-work replies in my business in-box. I have had very little trouble with this. I have had people write and ask why my source is on another domain than my reply to box. I tell them it seprates the requested mail from the spam mail.
  • It needs a better name.

    It does already have a better name. It's called "Unix".
    8^}
  • It needs a better name. Daemonix sounds good, and fits the mascot.

    Ashes of Empires and bodies of kings,
  • Is that your problem? Negative points? Well, its only a matter of "reference". Its a scale and it happens that "0" is in the middle. If the scale began on 50 and ended on 90, if it began on -456 and ended on -200, what would the difference be?
  • Well, we all mess up occasionally. Some more than others... If you haven't made the connection yet, wait a second and re-read this. Then read my signature.
  • Most security exploits are in userland daemons, not the kernel itself. As such, it's up to the package maintainers to handle fixes, and this is generally done quite fast.
  • And to clarify your confusion, I wasn't referring to BSD at any point in my post.

    Most security exploits are in userland daemons, not the kernel itself.

    ...in Linux.

    Which is a response to the comment by Oz:

    normaly when an exploit is found in *BSD it is typicaly fixed faster than in linux just because how they have 'there system of makeing the system' setup. They have a core team that can say 'yeah we need this' or 'no' and in linux its just linus.

    I was pointing out that "its just linus" is usually not the case, because such exploits tend to be in userland, not the kernel.

  • I just realized how sad it is that I am actually reading this article at 11:20 pm on Christmas Eve, and enjoying it. Then I realize that Hemos actually posted it about the same time... :)

    Great Article. Merry Christmas and Happy Holidays to all!

  • tuz my (checking web site for probable gender..) man , it's good ta have ya back. We have all thought about going out and getting lives, but it would be just plain wrong. Hopefully you don't have any more relapses, but if ya do, don't worry you are always welcome back :)

    as a side note, careful what ya say to Hemos, he is a soft fellow, we all know the Cmdr can take it, but old Hemos doesn't stand up as well to it. (Where is Taco anyway? that lazt sack hasn't posted since yesterday morning!)

    Merry Christmas All.

  • As he [Theo] states in all the replies to this, which seems reasonable to me, that they just fixed a bug during their auditing and that they did not realized that it was a exploit. This seems very reasonable, but people does not seem to get it, which is very sad.
  • a bit offtopic, but: does anyone know how to configure sendmail, so that if the sender domain matches some RBL (ORBS, etc) "SPAM:" is inserted into the subject line of the header (or some X-SPAM: header is set).

    The reason behind this, is to allow users to choose whether to filter or not. Some usere here have contact to ppl on open-relay hosts, and I would like to block them ... ;)


    Samba Information HQ
  • Never used lp in native redhat pre 7.0? That is BSD code.

    Sendmail is another example of BSD derived code.

    Oh, how about the TCP/IP stack? the include file for in_systm.h says "Original taken from BSD UNIX 4.3-RENO"

    If you'd bother to grep for BSD in the linux kernel, you'd find that BSD is core to Linux.

    And you 'use' a "BSD" program to get to slashdot. Yup, the OpenBSD firewall that is (was) protecting the site.

  • See this definition of "malware" [logophilia.com], which is linked from the first use of the word in the paper!

    --Brett

  • Yes; Daemon News [daemonnews.org], which I normally heartily recommend, also reprinted the paper. (A few of the links have been updated in the master copy.) Unfortunately, they printed a very nasty ad hominem attack on Yours Truly in the "Daemon's Advocate" column in their December issue. This was not called for and the editors certainly should have caught it before it went to print. I think that the publication owes me an apology for that one.

    --Brett

  • I did a search on 'Brett' and 'Glass' and didn't find either in Greg's editorial.

    That's because the craven Greg Lehey quoted me without attribution.

    --Brett Glass

  • Are you sure you wanna use tires as a comparison, with all the firestone stuff going on?
    ;-)
    just a thought.
    (but good point tho)

  • Re:Pretty sad... (Score:3)

    by Tuzanor ( 125152 ) on Sunday December 24, 2000 @08:24PM (#1418219) Homepage
    You know, maybe we should all dump /. and get lives...you know, get laid and meet new people. In fact, i'm gonna do that right now. FUCK Taco, FUCK Hemos, and FUCK my Karma. Goodbye forever Slshdot!

    *Gets up and walks away*

    *5 minutes pass*

    *Running sounds back to the computer*

    I'm so sorry everybody, please forgive me, it's christmas, and i was so wrapped up over the presents that i wasn't thinking properly. Taco, you rule, Hemos, you're dedicated and I swear I'll never do anything like that again...till the next time :-) seriously merry xmas all...

  • Trap for harvesters. (Score:4)

    by BlowCat ( 216402 ) on Sunday December 24, 2000 @07:34PM (#1418220)
    Very nice article, but it misses one very funny method for "trapping" e-mail harvesters by feeding them pages with random addresses.

    Look here [roaringpenguin.com].

  • Feh. (Score:5)

    by The Welcome Rain ( 31576 ) on Sunday December 24, 2000 @08:46PM (#1418221)

    The referenced article starts with a particularly ridiculous bit of advocacy that renders the rest of it fairly dubious. It recommends sendmail on the basis of market penetration, but carefully avoids mentioning its security vulnerabilities and accumulation of cruft; it then makes a contrived argument that, since sendmail was developed on a BSD box, it should be run on the same. Nonsense. sendmail works equally poorly on many Un*x variants; there's nothing special about BSD in that regard.

    Why should we judge sendmail on its market penetration but avoid judging BSD in the same way? The paper doesn't bother to justify that. I expect its author(s) figured on a sympathetic audience of BSD advocates.

    If you really want to avoid being screwed, run a better MTA -- qmail and exim are reasonable choices. BSD is of course a reasonable choice of OS for that job, as are a number of Un*ces. But don't pick BSD because it will run sendmail -- that's like buying a Colt M1911A1 because it can be converted to full auto. The choice of platform is good, but the reasoning stinks!

    --

  • filtering on the message body (Score:5)

    by thogard ( 43403 ) on Sunday December 24, 2000 @07:41PM (#1418222) Homepage
    Sendmail has a bad habit if not being able to scan the message body so you have to use an external filter.

    I've got a patch [abnormal.com] to fix this for 8.11.1 that uses the built in regex map to allow sendmail to look for a regex in the body of the message.

Slashdot Top Deals

"Experience has proved that some people indeed know everything." -- Russell Baker

Close