[SECURITY] [DSA 517-1] New CVS packages fix buffer overflow
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 517-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze June 10th, 2004 http://www.debian.org/security/faq - -- Package: cvs Vulnerability : buffer overflow Problem-Type : remote Debian-specific: no CVE ID : CAN-2004-0414 Derek Robert Price discovered a potential buffer overflow vulnerability in the CVS server, based on a malformed Entry, which serves the popular Concurrent Versions System. For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-9woody6. For the unstable distribution (sid) this problem has been fixed in version 1.12.8-1. We recommend that you upgrade your cvs package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6.dsc Size/MD5 checksum: 693 78cbaadcaaca26b6314519f07438f315 http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6.diff.gz Size/MD5 checksum:53411 8929158c0e561a3a9dfffb3fe139ebcc http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz Size/MD5 checksum: 2621658 500965ab9702b31605f8c58aa21a6205 Alpha architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_alpha.deb Size/MD5 checksum: 1178980 a0cbfe582bc24d6aeaabf73864cf5ea7 ARM architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_arm.deb Size/MD5 checksum: 1105486 b72090d480345f2d53a9865508ccbde6 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_i386.deb Size/MD5 checksum: 1086270 045983b8647b3c1ddfdf790f38827099 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_ia64.deb Size/MD5 checksum: 1271230 345ffdefe2745de88627909480628d3c HP Precision architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_hppa.deb Size/MD5 checksum: 1147628 d13cf3f32407ec327dff62079825aa97 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_m68k.deb Size/MD5 checksum: 1065934 61ace03fa7975fd2d16b52973635823a Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_mips.deb Size/MD5 checksum: 1130030 a246813a0ec77d80ca670dd4d8b3cf6e Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_mipsel.deb Size/MD5 checksum: 1131336 0e207672b627d0273967a98893d85afd PowerPC architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_powerpc.deb Size/MD5 checksum: 1116424 d43475e6515397d7b2cdabbf3841e4eb IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_s390.deb Size/MD5 checksum: 1097264 547f092cf847da218eea35301575319c Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody6_sparc.deb Size/MD5 checksum: 1107512 c960e899d7e95b357a1fff411d86bd6e These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: [EMAIL PROTECTED] Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAyDFHW5ql+IAeqTIRAiCWAKCUYkcmWjLglEe3wWwL1Uy/TR6FVQCfdVWw 5+MIEiHtNnT1nu4Q5F5Hkek= =DvXe -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [bulletproof.net.au #27507] [Comment] [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities
The Gateway seems not have security.debian in its sources list. wanted to download the package manually with wget, however a dpkg shows that is needs other libs I am stalling this for now until I know what I want to do. Intel IA-32 architecture: http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i -2woody1_i386.deb Size/MD5 checksum: 50090 7548e83cb7049fe43243f804eb456ed7 that's because the gatweays are potato we need to manually backport the package, put it in our repository, then we can update from there -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Spam fights
Hi all! As I see, there ia a lot of issues regarding spam, so I'd like to add something from me:) Because my email was used on many discussion lists, I was receiving sometimes over 100 spam emails per day. A long time ago I've started fighting with them using many different methods. Currently I'm using two methods which are reducing spam to 1-2 per day: spamassassin and sender verification. From my expirience, most of spam was send from non-existing, or ISP-blocked emails, so sender verification has decreased spam radically. In mean time, I've found additional way for spam filtering, but it requires some development. The basic idea is simple and already in use: We are allowing all emails from whitelits. For unknown sender, automated confirmation request is send. If confirmation comes, receiver can decide to put new sender on white or black list (by reply with prepared subject and token). This method has one hole: spamer can use any address from whitelist. To avoid this, the white list should contain list of allowed SMTP servers (source IP addresses) for every email. I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. best regards JT -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. Dmitry On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
cvs exploits - when triggerable?
Hi all! http://security.e-matters.de/advisories/092004.html In most cases, this is a bit vague on when an attacker can trigger the bugs. pserver without authentication? pserver anonymous access? pserver readonly access? pserver commit access? ssh/local access? In a few cases, it is mentioned that CVSROOT commit access is needed, so these are no problem. But the others? greetings -- vbi [please don't cc: me] -- Could this mail be a fake? (Answer: No! - http://fortytwo.ch/gpg/intro) pgpHC8MMNbMxy.pgp Description: signature
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! Me three. I take a confirmation thingy as a sign that the person doesn't really need my email. Hint: if you require confirmations from people who are replying to a request for help, don't expect much help. Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
challenge-response antispam systems in the BTS (was Re: Spam fights)
[this is offtopic here, but since the issue was raised on d-security, I thought I'd follow up there and move to d-devel if it's worth a discussion.] * Dmitry Golubev [Thu, 10 Jun 2004 12:27:04 +0300]: On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: For unknown sender, automated confirmation request is send. If My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. has it been discussed before the usage of such systems by bug submitters? I've come up with this situation twice or so, and I found myself thinking what the hell, they're putting extra work on *anybody* wanting to help with *their* problem! so, do you think an address with such system qualifies as non-valid for the BTS? for me, I guess, it's pretty as if they had posted with [EMAIL PROTECTED] in the From: line. OTOH, if all mail to the submitter was sent to [EMAIL PROTECTED], the user could whitelist [EMAIL PROTECTED], but this is not common practice ATM and would also prevent us from stating our dislike for such systems. any thoguths? -- Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621 As an adolescent I aspired to lasting fame, I craved factual certainty, and I thirsted for a meaningful vision of human life -- so I became a scientist. This is like becoming an archbishop so you can meet girls. -- Matt Cartmill -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Security for woody after woody-sarge ?
Are there any plans to change the position stated at: http://www.debian.org/security/faq#lifespan Q: How long will security updates be provided? A: The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough. I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. If Debian does not commit to supporting woody with security fixes after sarge is released does anyone have any ideas of where we could buy such support? Thanks Alex Owen Dr Richard Alexander Owen Unix System Administrator The Computer CentreE-mail: [EMAIL PROTECTED] University of Leicester Tel: (0116) 2525133 University Road Fax: (0116) 2525027 Leicester LE1 7RH -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Security for woody after woody-sarge ?
On Thu, Jun 10, 2004 at 02:28:49PM +0100, Alex Owen wrote: I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. I don't think you have much to worry about. The infrastructure is in place and was used to support potato for the year following woody's release. noah pgpZ3xQnO5OgA.pgp Description: PGP signature
Re: Spam fights
On Thu, 2004-06-10 at 04:58, Russell Coker wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null Whomever came up with those things (like TMDA and brethren), must have been pulling them out of /dev/ass -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: Spam fights
On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. Alain -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. 3 days ago I got blacklisted by outblaze when I got framed by some virus that triggered my majordomo to respond to a forged subscription request with an outblaze's spamtrap original address. Luckily, the outblaze postmaster was very quick to respond and whitelist me back. I don't actually know how to prevent this happening in the future. A bit unexpected mode of spamtrap operation, isn't it? V. P.S. maybe we should move the thread to NANAE? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Florian Schmitz [tecorange] ist außer Haus.
Ich werde ab 10.06.2004 nicht im Büro sein. Ich kehre zurück am 28.06.2004. Guten Tag, leider können Sie mich zur Zeit nicht persönlich erreichen. In dringenden Fällen wenden Sie sich bitte an Frau Natalie Kamac (2736-857 / [EMAIL PROTECTED]) oder Herrn Matthias Platz (Tel. 2736-827 / [EMAIL PROTECTED]). Vielen Dank! Mit freundlichen Grüßen! Florian Schmitz tecorange GmbH
Re: Security for woody after woody-sarge ?
On 11/06/04 01:28, Alex Owen wrote: Are there any plans to change the position stated at: http://www.debian.org/security/faq#lifespan Q: How long will security updates be provided? A: The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough. I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. If Debian does not commit to supporting woody with security fixes after sarge is released does anyone have any ideas of where we could buy such support? If you are concerned that there might be another release within a year of Sarge then you can lay your fears to rest. It seems extremely unlikely. -- Tim Nicholas || Cilix Email: [EMAIL PROTECTED]||Wellington, New Zealand http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Robert Jakowenko/KONSTANTYNOW/SWEDWOOD is out of the office.
I will be out of the office starting 2004-06-10 and will not return until 2004-06-17. I will respond to your message when I return. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Fri, 11 Jun 2004 06:03, Alain Tesio [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. It is not anti-social for a mailing list of (potentially) thousands of people to require a subscription before posting. It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [bulletproof.net.au #27507] [Comment] [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities
The Gateway seems not have security.debian in its sources list. wanted to download the package manually with wget, however a dpkg shows that is needs other libs I am stalling this for now until I know what I want to do. Intel IA-32 architecture: http://security.debian.org/pool/updates/non-free/l/lha/lha_1.14i -2woody1_i386.deb Size/MD5 checksum: 50090 7548e83cb7049fe43243f804eb456ed7 that's because the gatweays are potato we need to manually backport the package, put it in our repository, then we can update from there
Spam fights
Hi all! As I see, there ia a lot of issues regarding spam, so I'd like to add something from me:) Because my email was used on many discussion lists, I was receiving sometimes over 100 spam emails per day. A long time ago I've started fighting with them using many different methods. Currently I'm using two methods which are reducing spam to 1-2 per day: spamassassin and sender verification. From my expirience, most of spam was send from non-existing, or ISP-blocked emails, so sender verification has decreased spam radically. In mean time, I've found additional way for spam filtering, but it requires some development. The basic idea is simple and already in use: We are allowing all emails from whitelits. For unknown sender, automated confirmation request is send. If confirmation comes, receiver can decide to put new sender on white or black list (by reply with prepared subject and token). This method has one hole: spamer can use any address from whitelist. To avoid this, the white list should contain list of allowed SMTP servers (source IP addresses) for every email. I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. best regards JT
Re: Spam fights
I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. Dmitry On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
cvs exploits - when triggerable?
Hi all! http://security.e-matters.de/advisories/092004.html In most cases, this is a bit vague on when an attacker can trigger the bugs. pserver without authentication? pserver anonymous access? pserver readonly access? pserver commit access? ssh/local access? In a few cases, it is mentioned that CVSROOT commit access is needed, so these are no problem. But the others? greetings -- vbi [please don't cc: me] -- Could this mail be a fake? (Answer: No! - http://fortytwo.ch/gpg/intro) pgp5hczNYziKz.pgp Description: signature
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! Me three. I take a confirmation thingy as a sign that the person doesn't really need my email. Hint: if you require confirmations from people who are replying to a request for help, don't expect much help. Mike Stone
challenge-response antispam systems in the BTS (was Re: Spam fights)
[this is offtopic here, but since the issue was raised on d-security, I thought I'd follow up there and move to d-devel if it's worth a discussion.] * Dmitry Golubev [Thu, 10 Jun 2004 12:27:04 +0300]: On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: For unknown sender, automated confirmation request is send. If My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. has it been discussed before the usage of such systems by bug submitters? I've come up with this situation twice or so, and I found myself thinking what the hell, they're putting extra work on *anybody* wanting to help with *their* problem! so, do you think an address with such system qualifies as non-valid for the BTS? for me, I guess, it's pretty as if they had posted with [EMAIL PROTECTED] in the From: line. OTOH, if all mail to the submitter was sent to [EMAIL PROTECTED], the user could whitelist [EMAIL PROTECTED], but this is not common practice ATM and would also prevent us from stating our dislike for such systems. any thoguths? -- Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621 As an adolescent I aspired to lasting fame, I craved factual certainty, and I thirsted for a meaningful vision of human life -- so I became a scientist. This is like becoming an archbishop so you can meet girls. -- Matt Cartmill
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Security for woody after woody-sarge ?
Are there any plans to change the position stated at: http://www.debian.org/security/faq#lifespan Q: How long will security updates be provided? A: The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough. I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. If Debian does not commit to supporting woody with security fixes after sarge is released does anyone have any ideas of where we could buy such support? Thanks Alex Owen Dr Richard Alexander Owen Unix System Administrator The Computer CentreE-mail: [EMAIL PROTECTED] University of Leicester Tel: (0116) 2525133 University Road Fax: (0116) 2525027 Leicester LE1 7RH
Re: Security for woody after woody-sarge ?
On Thu, Jun 10, 2004 at 02:28:49PM +0100, Alex Owen wrote: I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. I don't think you have much to worry about. The infrastructure is in place and was used to support potato for the year following woody's release. noah pgpT5EZtypl0z.pgp Description: PGP signature
Chris Luton/CBR/IPAustralia is out of the office.
I will be out of the office starting 09/06/2004 and will not return until 27/06/2004. I will respond to your message when I return.
Re: Spam fights
On Thu, 2004-06-10 at 04:58, Russell Coker wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null Whomever came up with those things (like TMDA and brethren), must have been pulling them out of /dev/ass -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: Spam fights
hi ya jaroslaw On Thu, 10 Jun 2004, Jaroslaw Tabor wrote: In mean time, I've found additional way for spam filtering, but it requires some development. The basic idea is simple and already in use: We are allowing all emails from whitelits. already done ... most MTA support a whitelist and blacklists For unknown sender, automated confirmation request is send. If confirmation comes, receiver can decide to put new sender on white or black list (by reply with prepared subject and token). I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. if you're developing a challenge thingie ... don't bother ... (i'll be the 6th to discourage your efforts on that front ) if you're writing a whitelist/blacklist stuff ... why ??? but if you're writting code to take incoming spam, and add it to the blacklist automatically... that'd be tricky ... - what is the definition of spam ? (i say anyting that is left, after i finished reading the emails) - hundred dozens other definitions of what is spam - than i run my silly script and it all goes to the 'blacklist' - if you make your rbl ( blacklist ) available for others to use .. that has some merit .. as long as one can also prove that they spammed ya ( since spammers are sometimes sue happy ) - i hate and never reply to challenge systems and i go do business elsewhere - even those silly whois database queries at the domain registrars are starting to get super annoying c ya alvin
Re: Spam fights
On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. Alain
Re: Spam fights
For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. 3 days ago I got blacklisted by outblaze when I got framed by some virus that triggered my majordomo to respond to a forged subscription request with an outblaze's spamtrap original address. Luckily, the outblaze postmaster was very quick to respond and whitelist me back. I don't actually know how to prevent this happening in the future. A bit unexpected mode of spamtrap operation, isn't it? V. P.S. maybe we should move the thread to NANAE?
Florian Schmitz [tecorange] ist außer Haus.
Ich werde ab 10.06.2004 nicht im Büro sein. Ich kehre zurück am 28.06.2004. Guten Tag, leider können Sie mich zur Zeit nicht persönlich erreichen. In dringenden Fällen wenden Sie sich bitte an Frau Natalie Kamac (2736-857 / [EMAIL PROTECTED]) oder Herrn Matthias Platz (Tel. 2736-827 / [EMAIL PROTECTED]). Vielen Dank! Mit freundlichen Grüßen! Florian Schmitz tecorange GmbH
Re: Security for woody after woody-sarge ?
On 11/06/04 01:28, Alex Owen wrote: Are there any plans to change the position stated at: http://www.debian.org/security/faq#lifespan Q: How long will security updates be provided? A: The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough. I ask as I'm commisioning a woody system and cannot upgrade to sarge till July/August 2005 so I'll probably need a year of woody security updates. If Debian does not commit to supporting woody with security fixes after sarge is released does anyone have any ideas of where we could buy such support? If you are concerned that there might be another release within a year of Sarge then you can lay your fears to rest. It seems extremely unlikely. -- Tim Nicholas || Cilix Email: [EMAIL PROTECTED]||Wellington, New Zealand http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204
Robert Jakowenko/KONSTANTYNOW/SWEDWOOD is out of the office.
I will be out of the office starting 2004-06-10 and will not return until 2004-06-17. I will respond to your message when I return.
Re: Spam fights
On Fri, 11 Jun 2004 06:03, Alain Tesio [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. It is not anti-social for a mailing list of (potentially) thousands of people to require a subscription before posting. It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page