[SECURITY] [DSA 518-1] New kdelibs packages fix URI handler vulnerabilities

2004-06-14 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 518-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 14th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: kdelibs
Vulnerability  : unsanitised input
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2004-0411

iDEFENSE identified a vulnerability in the Opera web browser that
could be used by remote attackers to create or truncate arbitrary
files on the victim's machine.  The KDE team discovered that a similar
vulnerability exists in KDE.

A remote attacker could entice a user to open a carefully crafted
telnet URI which may either create or truncate a file in the victim's
home directory.  In KDE 3.2 and later versions the user is first
explicitly asked to confirm the opening of the telnet URI.
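The advisory describes the bug only as unsanitised input reaching a telnet: URI handler and does not say how the crafted URI produced the file write, so the following is not the KDE code or the Debian fix. It is an added example of the defensive pattern such a handler should follow: parse the URI, accept only a syntactically valid host and port, reject everything else (a path, user info, or a host beginning with "-" that the external program would read as an option), and hand the client an argument vector rather than a shell string. The names `telnet_uri_to_argv` and `accepts_telnet_uri` are chosen here; the sample URIs are constructed.

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlsplit

# Hostname grammar: labels of letters, digits and inner hyphens joined by dots.
# A label must start with a letter or digit, so an "-option" style host fails.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def _valid_host(host: str) -> bool:
    """Accept a DNS hostname or an IP literal; nothing else."""
    if len(host) > 253:
        return False
    if HOSTNAME_RE.match(host):
        return True
    try:
        ipaddress.ip_address(host)      # IPv6 literals arrive without brackets
        return True
    except ValueError:
        return False


def telnet_uri_to_argv(uri: str) -> List[str]:
    """Turn a telnet: URI into an argv list for the telnet client, or raise ValueError.

    The list is meant for an exec-style call (subprocess with a list, no shell),
    so the only things that ever reach the external program are a validated
    host and a validated port number.
    """
    parts = urlsplit(uri)               # raises ValueError itself on bad IPv6 brackets
    if parts.scheme.lower() != "telnet":
        raise ValueError("not a telnet URI")
    if parts.username is not None or parts.password is not None:
        raise ValueError("user info in the URI is not accepted by this handler")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("unexpected path, query or fragment")
    host = parts.hostname
    if not host or not _valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    port = parts.port                   # ValueError unless an integer in 0..65535
    if port is None:
        port = 23
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ["telnet", host, str(port)]


def accepts_telnet_uri(uri: str) -> bool:
    """Boolean wrapper, handy as a pre-check before the handler does anything."""
    try:
        telnet_uri_to_argv(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("telnet://towel.blinkenlights.nl",
                   "telnet://192.0.2.10:2323",
                   "telnet://-bad.example",            # would be read as an option
                   "telnet://host.example/ignored",
                   "telnet://host.example:notaport"):
        verdict = telnet_uri_to_argv(sample) if accepts_telnet_uri(sample) else "rejected"
        print(sample, "->", verdict)
```

The point of returning a list is that the caller never builds a command line by string concatenation; combined with the hostname grammar, a URI cannot smuggle either shell syntax or a client option into the spawned program.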

For the stable distribution (woody) this problem has been fixed in
version 2.2.2-13.woody.10.

We recommend that you upgrade your KDE libraries.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.10.dsc
      Size/MD5 checksum:     1355 87b8870b059562d84f714463817558df
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.10.diff.gz
      Size/MD5 checksum:    58099 bb59b94d62d1bb27246963be8e136d57
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
      Size/MD5 checksum:  6396699 7a9277a2e727821338f751855c2ce5d3

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.10_all.deb
      Size/MD5 checksum:  2564260 0f1630714b822c193bfdf710c60274f6

  Alpha architecture:

    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   757490 c9d07cba479a5bba3d6567eb1c54129d
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:  7553390 abff91d8d50f756f788ba70d36ce2a02
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   137442 334acae5a3d0491511bfbae8e88bbf1f
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   202010 dea66d7e08d3fdeb2033b223a73871cb
    http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:  1022340 50826efc1e71dd8c84c900bc5e458805
    http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:  1029254 bbfcf86398ecaf7751ef8ac20b4e8deb
    http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   198246 b8f5ba1e60bc9f201798c6f463b38973
    http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   174696 b7d640daca300ea09645ac35e3a99d32
    http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:   178164 1a6527f89f38ccad33dee8402a026955
    http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.10_alpha.deb
      Size/MD5 checksum:    37266 5fb0f3bb093183f808debd11e77abfcf

  ARM architecture:

    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.10_arm.deb
      Size/MD5 checksum:   743780 9c1e0839cf5a603d5b6eacd8644165fe
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.10_arm.deb
      Size/MD5 checksum:  6604906 b2001cc89feafed549dac4d3fe74bb8d
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.10_arm.deb
      Size/MD5 checksum:   104600 00b7481a711d88bcdb2702562fceace1
    http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.10_arm.deb
      Size/MD5 checksum:   186592 5deadb59a4dce5b7d1d1e9f97b065a73
    http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.10_arm.deb
      Size/MD5 checksum:   651780 bcd3e9e1b313c746ac213766144b282b


Re: rbl's status?

2004-06-14 Thread Adrian 'Dagurashibanipal' von Bidder
On Sunday 13 June 2004 18.01, Dale Amon wrote:

> What are the recommended rbl's these days?

Just one opinion more:

(ok, this is postfix syntax. But let's not start this war here :-)

    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client list.dsbl.org,

these are very good and catch most.

    reject_rbl_client cn-kr.blackholes.us,

And 70% of what is not caught above hangs here. Obviously, if you have 
regular email traffic with them, you shouldn't do this...

    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,

Catches not much these days, especially not much that is not already in 
abuseat. But still 10-20 emails per week.

    reject_rbl_client spews.blackholes.us,

SPEWS is very controversial. It blocks spammers and spam-supporters, the 
latter may include big IP ranges from ISPs that do not react to 
complaints. Also, SPEWS is not really transparent. They have 'case 
files', but IMHO they are hard to read and not really clear. I've not 
had false positives that I know of because of this, but still, I 
wouldn't use it in a business server.

Additionally, I used to use {comcast,rr}.blackholes.us, but abuseat 
contains most of the spamzombies already, so I dropped them. Similarly, 

    reject_rhsbl_client spamdomains.blackholes.easynet.nl,
    reject_rhsbl_sender spamdomains.blackholes.easynet.nl,
    reject_rhsbl_client porn.rhs.mailpolice.com,
    reject_rhsbl_sender porn.rhs.mailpolice.com,
    reject_rhsbl_client bulk.rhs.mailpolice.com,
    reject_rhsbl_sender bulk.rhs.mailpolice.com,

and

    warn_if_reject reject_rbl_client bogons.cymru.com,
    warn_if_reject reject_rbl_client spam.dnsrbl.net,
    warn_if_reject reject_rbl_client es.blackholes.easynet.nl,

were dropped after they found nothing the ones I *do* use still didn't 
already find. I've stopped using the latter three quite some time ago, 
so maybe they don't work anymore now.

Also you may want to look at the rfc-ignorant.org ones, but reading 
nanae I got the impression that they are more trouble than they're 
worth.

In any case, I recommend that you thoroughly read information about the 
blacklists you use, and that you follow some news source about spam 
fighting, so that important news like some blacklist going belly-up and 
blacklisting the world will not creep up on you from behind. One source 
is nanae, which is unfortunately quite high volume and consists 70% of 
flamewars. But I've not found a better source for information - just 
ignore the trolls. (Honestly, when you follow nanae, the little 
arguments on the debian lists are really soothing to the mind in their 
mind-bogglingly rationality and calm and to-the-point style of 
discussion.)

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/gpg/intro


pgpIEVQHpeyHW.pgp
Description: signature


Re: rbl's status?

2004-06-14 Thread Russell Coker
On Mon, 14 Jun 2004 16:39, Adrian 'Dagurashibanipal' von Bidder 
[EMAIL PROTECTED] wrote:
> Also you may want to look at the rfc-ignorant.org ones, but reading
> nanae I got the impression that they are more trouble than they're
> worth.

This thread inspired me to fiddle with my anti-spam settings again.  Below is 
my current Postfix configuration for those who are interested.

My latest addition is RHSBL entries.  So far rhsbl.sorbs.net has not caught 
anything (only been on for about 30 mins and it's late in the list).  The 
rfc-ignorant.org entries have been catching a lot, one thing that they caught 
is yahoo.com because [EMAIL PROTECTED] allegedly doesn't work.  I've just sent 
a test message to [EMAIL PROTECTED] and it hasn't bounced yet...  Maybe the 
Yahoo abuse team are being butt-heads about clicking on the removal URL.

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client relays.ordb.org,
    reject_rhsbl_client rhsbl.sorbs.net,
    reject_rhsbl_client dsn.rfc-ignorant.org,
    reject_rhsbl_client postmaster.rfc-ignorant.org

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
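The Postfix directives in Adrian's and Russell's posts above all drive one mechanism: a DNS lookup of the reversed client address (or, for `reject_rhsbl_*`, of the sender's domain) under the list's zone, where an answer inside 127.0.0.0/8 means "listed". The following is an added example, not Postfix code and not from either poster, that builds those query names, applies a reject-or-warn policy per zone in the spirit of `reject_rbl_client` versus `warn_if_reject`, and adds the sanity probe that Adrian's warning about a list "blacklisting the world" calls for: by the DNSBL convention codified in RFC 5782, the test entry (127.0.0.2, or `test` for a domain-based list) must be listed and the invalid entry (127.0.0.1, or `invalid`) must not be. The zone names are the ones used in the thread; the policies, the `FAKE_ZONE` answers and all function names are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # query name -> A record text, or None for NXDOMAIN

# Policy per zone, constructed for this example: "reject" stands in for
# reject_rbl_client / reject_rhsbl_client, "warn" for warn_if_reject.
RBL_ZONES: Dict[str, str] = {"cbl.abuseat.org": "reject", "list.dsbl.org": "reject",
                             "spam.dnsrbl.net": "warn"}
RHSBL_ZONES: Dict[str, str] = {"dsn.rfc-ignorant.org": "reject"}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed address labels under the zone: 1.2.3.4 -> 4.3.2.1.<zone>
    (an IPv6 address becomes its reversed nibbles, exactly as in ip6.arpa)."""
    reverse_ptr = ipaddress.ip_address(ip).reverse_pointer    # "4.3.2.1.in-addr.arpa"
    return f"{reverse_ptr.rsplit('.', 2)[0]}.{zone}"          # drop the arpa suffix


def rhsbl_query_name(domain: str, zone: str) -> str:
    """Right-hand-side lists are keyed by the sender's domain, not by address."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or any(c.isspace() or c == "/" for c in domain):
        raise ValueError(f"bad domain: {domain!r}")
    return f"{domain}.{zone}"


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN or a resolver failure reads as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listing(answer: Optional[str]) -> bool:
    """Only a 127/8 answer counts. A lapsed zone that wildcards to some other
    address (a parked domain, say) must not be mistaken for a listing."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def zone_is_sane(zone: str, resolve: Resolver, rhs: bool = False) -> bool:
    """RFC 5782 probe: the TEST entry must be listed and the INVALID entry must
    not be. A zone that fails has gone dark or is 'blacklisting the world'."""
    if rhs:
        must_list, must_not = f"test.{zone}", f"invalid.{zone}"
    else:
        must_list = dnsbl_query_name("127.0.0.2", zone)
        must_not = dnsbl_query_name("127.0.0.1", zone)
    return is_listing(resolve(must_list)) and not is_listing(resolve(must_not))


def check_client(ip: str, sender_domain: str, resolve: Resolver = live_resolver,
                 rbl_zones: Dict[str, str] = RBL_ZONES,
                 rhsbl_zones: Dict[str, str] = RHSBL_ZONES) -> Tuple[str, List[str]]:
    """Return ("reject" | "accept", notes). A hit on a 'warn' zone is recorded but
    never changes the verdict; a zone failing the sanity probe is skipped."""
    verdict, notes = "accept", []
    queries = [(z, p, dnsbl_query_name(ip, z), False) for z, p in rbl_zones.items()]
    queries += [(z, p, rhsbl_query_name(sender_domain, z), True) for z, p in rhsbl_zones.items()]
    for zone, policy, name, rhs in queries:
        if not zone_is_sane(zone, resolve, rhs):
            notes.append(f"{zone}: skipped, failed sanity probe")
            continue
        answer = resolve(name)
        if is_listing(answer):
            notes.append(f"{zone}: listed ({answer}) [{policy}]")
            if policy == "reject":
                verdict = "reject"
    return verdict, notes


# Constructed answers standing in for live DNS so the example runs offline.
FAKE_ZONE: Dict[str, str] = {
    "2.0.0.127.cbl.abuseat.org": "127.0.0.2",        # probes: TEST entries present,
    "2.0.0.127.list.dsbl.org": "127.0.0.2",          # INVALID entries absent
    "2.0.0.127.spam.dnsrbl.net": "127.0.0.2",
    "test.dsn.rfc-ignorant.org": "127.0.0.2",
    "4.3.2.1.cbl.abuseat.org": "127.0.0.2",          # 1.2.3.4 listed on a reject zone
    "9.9.9.9.spam.dnsrbl.net": "127.0.0.3",          # 9.9.9.9 listed on a warn-only zone
    "example.net.dsn.rfc-ignorant.org": "127.0.0.2", # sender domain listed
    "2.0.0.127.dead.example": "127.0.0.2",           # a zone that answers for everything
    "1.0.0.127.dead.example": "127.0.0.2",           # ... and therefore fails the probe
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for client, sender in (("1.2.3.4", "example.org"), ("9.9.9.9", "example.org"),
                           ("5.6.7.8", "example.net")):
        print(client, sender, check_client(client, sender, fake_resolver))
```

Running the probe on every delivery is wasteful; in practice it belongs in a periodic check whose failure disables the zone in the configuration, which is the automated form of Adrian's advice to keep watching the lists you depend on.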



Re: rbl's status?

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 04:57:42PM +1000, Russell Coker wrote:
> a test message to [EMAIL PROTECTED] and it hasn't bounced yet...  Maybe the 
> Yahoo abuse team are being butt-heads about clicking on the removal URL.

Yeah, just I found I got listed by ignoramuses about RFC's due to a
mail helper program crashing...
 
-- 
------------------------------------------------------
   Dale Amon     [EMAIL PROTECTED]     +44-7802-188325
   International linux systems consultancy
   Hardware & software system design, security
   and networking, systems programming and Admin
              Have Laptop, Will Travel
------------------------------------------------------





Re: rbl's status?

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 04:57:42PM +1000, Russell Coker wrote:
> relays.ordb.org, reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_client 
> dsn.rfc-ignorant.org, reject_rhsbl_client postmaster.rfc-ignorant.org

Just to publicly eat my previous words... I submitted
the request, had a *person* respond within 5 minutes
and removal is already in the queue.

Amazing.

-- 
------------------------------------------------------
   Dale Amon     [EMAIL PROTECTED]     +44-7802-188325
   International linux systems consultancy
   Hardware & software system design, security
   and networking, systems programming and Admin
              Have Laptop, Will Travel
------------------------------------------------------






May Glover-Gunn/UK/IBM is out of the office.

2004-06-14 Thread May Glover-Gunn




I will be out of the office starting  12/06/2004 and will not return until
22/06/2004.

I am out of the office on education in Oxford this week and will not be
checking my email.

For any EXITE queries, please contact Kirstin E Brownlee/UK/IBM or Natalie
Hogan/UK/IBM.

For any other urgent matters please contact my manager Marilyn
Rayner/UK/IBM. Otherwise I will respond to your message on my return
(Tuesday 22nd June).

NB - I am no longer in the JTC Build team, so for any build-related issues,
please contact Lynne Butterfield/UK/IBM (246848). Thanks.





Kernel Crash Bug????

2004-06-14 Thread peace bwitchu
Anyone have info on this one?


http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html



Peace




__
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/ 





Re: Kernel Crash Bug????

2004-06-14 Thread Diego Alvarez
it does crash 2.6.6-1-686

On Mon, Jun 14, 2004 at 09:57:54AM -0700, peace bwitchu wrote:
> Anyone have info on this one?
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
>
> Peace





Re: rbl's status?

2004-06-14 Thread Matthew Whitworth
Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. You MUST reject mails (by spam scanners, malware
> scanners or blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails (if
> you drop them).

Bouncing or silently dropping potential spam are both obnoxious net 
behavior, but neither has anything to do with whether or not one does 
their spam classification before accepting mail at the SMTP level. 
Rejecting false positives can be pretty annoying, too!

I find rejecting potential spam at the SMTP level to be riskier than I'd 
prefer, but this is a judgment call that sysadmins need to make based on 
the needs of their users.  Neither choice forces poor netiquette.

Matthew


Re: rbl's status?

2004-06-14 Thread Brian Thomas Sniffen
Bernd Eckenfels [EMAIL PROTECTED] writes:

> In article [EMAIL PROTECTED] you wrote:
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. You MUST reject mails (by spam scanners, malware
> scanners or blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails (if
> you drop them).

Well, yes, choosing one of the broken options is broken.  Just giving
a message 5 spamassassin points for tripping a blacklist seems pretty
reasonable, though.

-Brian

-- 
Brian Sniffen   [EMAIL PROTECTED]





password managers

2004-06-14 Thread andrew lattis
Currently I've got an ever growing password list in a plain text file
stored on an encrypted loopback fs, this is getting cumbersome...

Figaro's password manager (package fpm) looks nice and uses blowfish to
encrypt data but I can't find anything showing any type of third party
audit.

What does everyone else use to keep track of all their passwords?

thanks,
andrew

-- 
don't ask questions that lead to answers you don't want to hear


pgpfrMCoHtiRv.pgp
Description: PGP signature


Jari Heikkinen is out of the office.

2004-06-14 Thread jari . heikkinen




I will be out of the office starting  12.06.2004 and will not return until
27.06.2004.

I am on holiday until 28.6.04 and will read my email next time at 28.06.04.

If you have urgent support matters, please email [EMAIL PROTECTED]

For other matters, please contact Pasi Lindholm +358407301926.

You may also send sms or leave a telephone message to my mobile
+358405550125






Re: password managers

2004-06-14 Thread sjk
We use PMS (http://passwordms.sourceforge.net), but I keep meaning to
re-write parts of the code to make it multi-user friendly.


On Mon, 14 Jun 2004, andrew lattis wrote:

> Currently I've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> Figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data but I can't find anything showing any type of third party
> audit.
>
> What does everyone else use to keep track of all their passwords?
>
> thanks,
> andrew
>
> --
> don't ask questions that lead to answers you don't want to hear






Re: password managers

2004-06-14 Thread Stephan Dietl
Hello!

andrew lattis [EMAIL PROTECTED] schrieb:
> What does everyone else use to keep track of all their passwords?

Following an article by Martin "Joey" Schulze in a German magazine, I send
a mail with the password encrypted for myself to me and use it via mutt.


HTH,

Ciao,

Steve
-- 
www.cargal.org
GnuPG-key-ID: 0x051422A0
Be the change you want to see in the world-Mahatma Gandhi
Jabber-ID: [EMAIL PROTECTED]


pgpt8MvKhteEp.pgp
Description: PGP signature


Re: rbl's status?

2004-06-14 Thread Daniel Pittman
On 14 Jun 2004, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. 

Eh? You seem to have made an incorrect assumption about what I do to
the mail with SpamAssassin.

> You MUST reject mails (by spam scanners, malware scanners or
> blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails
> (if you drop them).

...or, option 3, I deliver them to the end user tagged as likely spam
when they look like spam. Then the end user can filter them out as they
please.

I certainly agree that bouncing SPAM messages, just like reporting
virus infections, is an anti-social behaviour.


If I chose to silently drop mail after accepting it, though, that is a
legitimate and reasonable disposition of the content, as far as I can
see.

Claims that this is anti-social seem spurious to me; can you expand on
your reasoning there?


Anyway, as I said, I don't take either of the options you suggest.
I use RBL tests at the SpamAssassin level because I *don't* trust them
to be one hundred percent accurate.

If I didn't care more about real mail getting through than the
occasional missed spam, then sure, using RBL blocking at the initial
SMTP stage would be ideal...

 Daniel

-- 
... Far down the vault a man was screaming. His fists were tightly clenched
and he was screaming out imprecations against the humming computers. There
was a hopeless rage in his eyes - rage and bitter, savage defiance.
-- Frank Bellknap, _It Was The Day Of The Robot_ (1963)





Re: password managers

2004-06-14 Thread Russell Coker
On Tue, 15 Jun 2004 04:56, andrew lattis [EMAIL PROTECTED] wrote:
> Currently I've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> Figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data but I can't find anything showing any type of third party
> audit.
>
> What does everyone else use to keep track of all their passwords?

OS/X from Apple has a password manager program, it allows passwords to be made 
available to applications for certain time periods (not sure how this is 
supposed to work as the application could just write it to disk).

I think that an ideal password management scheme would be mediated by a SGID 
application (SGID so that it can access storage unavailable to regular user 
processes and so that it can't be ptraced).

Password storage would be either in a file owned by the user that is mode 0600 
under a mode 1770 system directory with group ownership being the group that 
the management program is SGID to, or a regular file in the home directory 
that is encrypted (requiring a password authentication for the first login of 
the day or something similar).

The password management system would need to have helpers for managing 
passwords that would be called by the application.  For example there would 
be POP and IMAP helpers which would establish a connection to the mail 
server, authenticate, and then use a unix domain socket to pass the file 
handle for the TCP socket back to the calling application (so the MUA would 
never be able to recover the password).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
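Russell's helper idea above, where a privileged helper authenticates and hands the connected socket back to the MUA over a Unix domain socket so that the MUA never sees the password, can be shown end to end with SCM_RIGHTS descriptor passing. The following is an added example, not code from Russell or from any password manager: a toy POP-like server on 127.0.0.1, a "helper" that is the only party holding the constructed `PASSWORD_STORE`, and a "MUA" that receives the already-authenticated socket with `socket.recv_fds`. The SGID and file-permission side of the design is not shown; both roles run in one process purely so the exchange works offline (Python 3.9 or later, Unix only).

```python
import socket
import threading
from typing import Dict, Tuple

# Constructed secret store. In the design under discussion only the SGID helper
# could read this; the MUA process never receives a copy of the password.
PASSWORD_STORE: Dict[str, Tuple[str, str]] = {
    "pop.example.net": ("alice", "correct horse battery staple"),
    "stale.example.net": ("alice", "an old password"),   # wrong on purpose, see demo()
}


def readline_unbuffered(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated line byte by byte. No read-ahead buffer, so no
    bytes meant for the *next* owner of the socket are swallowed here."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        line += chunk
    return bytes(line)


def toy_pop_server(ready: threading.Event, out: dict) -> None:
    """Minimal POP-like dialogue on a random loopback port, for the example only.
    It only knows the pop.example.net credentials."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    out["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        conn.sendall(b"+OK toy server ready\r\n")
        user = readline_unbuffered(conn).strip()
        password = readline_unbuffered(conn).strip()
        good_user, good_pw = PASSWORD_STORE["pop.example.net"]
        if user != f"USER {good_user}".encode() or password != f"PASS {good_pw}".encode():
            conn.sendall(b"-ERR auth failed\r\n")
            return
        conn.sendall(b"+OK authenticated\r\n")
        cmd = readline_unbuffered(conn).strip().decode()
        conn.sendall(f"+OK session continues, you sent {cmd}\r\n".encode())


def helper_authenticate_and_pass(account: str, port: int, to_mua: socket.socket) -> None:
    """The privileged helper: connect, log in with the secret only it can read,
    then pass the connected TCP socket to the MUA via SCM_RIGHTS."""
    user, password = PASSWORD_STORE[account]
    tcp = socket.create_connection(("127.0.0.1", port))
    readline_unbuffered(tcp)                                   # greeting
    tcp.sendall(f"USER {user}\r\n".encode())
    tcp.sendall(f"PASS {password}\r\n".encode())
    reply = readline_unbuffered(tcp)
    if not reply.startswith(b"+OK"):
        tcp.close()
        raise PermissionError(reply.decode().strip())
    socket.send_fds(to_mua, [b"pop-session"], [tcp.fileno()])   # SCM_RIGHTS transfer
    tcp.close()   # closes the helper's descriptor only; the MUA now holds its own


def mua_receive_and_use(from_helper: socket.socket) -> str:
    """The unprivileged MUA: adopt the passed descriptor and keep talking POP."""
    _label, fds, _flags, _addr = socket.recv_fds(from_helper, 64, 1)
    with socket.socket(fileno=fds[0]) as conn:                 # family/type auto-detected
        conn.sendall(b"STAT\r\n")
        return readline_unbuffered(conn).decode().strip()


def demo(account: str = "pop.example.net") -> str:
    """Run server, helper and MUA together; returns the MUA's first reply."""
    ready, out = threading.Event(), {}
    server = threading.Thread(target=toy_pop_server, args=(ready, out), daemon=True)
    server.start()
    ready.wait(5)
    helper_end, mua_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with helper_end, mua_end:
        helper_authenticate_and_pass(account, out["port"], helper_end)
        reply = mua_receive_and_use(mua_end)
    server.join(5)
    return reply


if __name__ == "__main__":
    print(demo())    # the MUA answers over a session it never authenticated itself
```

The detail that matters for the design is in `readline_unbuffered`: if the helper read the server's replies through a buffered stream, bytes that arrived after the login response could sit in the helper's buffer and be lost to the MUA when the descriptor changes hands.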





Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-14 Thread Ross Tsolakidis
Hi all,

One of our webservers seems to get compromised on a daily basis.
When I do a ps ax I see these processes all the time.

18687 ?        S      0:00 shell
18701 ?        Z      0:00 [sh <defunct>]
18704 ?        T      0:00 ./3 200.177.162.185 1524
18705 ?        Z      0:00 [3 <defunct>]

And if I check the /tmp dir there are strange executable files in there
that are owned by www-data.
Such as ./3 and others like ./bdshell.
Definitely some sort of Trojan that's being run by www-data user.

When I did a virus check first time it showed that it was infected with
the old Linux.RST virus, it basically stuffed the entire /bin directory.

I did a rebuild, virus checked all client files on a different server,
then copied them back.

After a week, same thing.
Infected.

/tmp/sl# ls -al
total 452
drwxr-xr-x    2 www-data www-data     4096 Jun  1 09:32 .
drwxrwxrwt    3 root     root         4096 Jun  1 09:37 ..
-rwsrwsrwt    1 www-data www-data   446714 May 29 05:12 ps.htm

I'm pretty sure it's one of our clients who has some dodgy php-nuke
sites or something like that.

All our other webservers are fine running the same build.
But this server is the major client one where we allow them to FTP, CGI
and make MYSQL changes.

I'd appreciate some help on how to stop this from happening.

Running Debian Stable with all the security updates.

P.S. Sorry for the Disclaimer, company policy, which I don't agree with,
yet they pay me so I must comply  :/

--
Ross.

DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.
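Ross's listing above carries the two signals worth alerting on: executables in /tmp owned by the web server user, and a file with setuid and setgid bits that is also world-writable (`-rwsrwsrwt`), which any local account could overwrite. The following is an added example, not code from the thread or from chkrootkit: it parses `ls -l` mode strings into `st_mode` bits, applies the same checks either to `ls -al` output or to a live directory walk, and is exercised on the listing constructed from the post and on a temporary directory it builds itself. Names such as `scan_tree` and `reasons_for` are chosen for this example.

```python
import os
import pwd
import stat
import tempfile
from typing import Dict, Iterable, List, Set

_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "c": stat.S_IFCHR,
          "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}   # the three execute slots


def parse_filemode(text: str) -> int:
    """Inverse of stat.filemode(): '-rwsrwsrwt' -> 0o107777; ValueError on junk."""
    if len(text) != 10 or text[0] not in _TYPES:
        raise ValueError(f"not a mode string: {text!r}")
    mode = _TYPES[text[0]]
    for i, ch in enumerate(text[1:]):
        if ch == "rwx"[i % 3]:
            mode |= _BITS[i]
        elif i in _SPECIAL and ch in "sStT":
            mode |= _SPECIAL[i]
            if ch.islower():                  # 's' and 't' also carry the execute bit
                mode |= _BITS[i]
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} in {text!r}")
    return mode


def reasons_for(mode: int, owner: str, web_users: Set[str]) -> List[str]:
    """Why a regular file deserves a look; an empty list means nothing notable."""
    if not stat.S_ISREG(mode):
        return []
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
        reasons.append("world-writable with setuid/setgid: any local user can replace it")
    if owner in web_users and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append(f"executable owned by web server user {owner}")
    return reasons


def scan_ls_lines(lines: Iterable[str], web_users: Set[str]) -> Dict[str, List[str]]:
    """Run reasons_for() over 'ls -al' output: mode links owner group size mon day time name."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        fields = line.split(maxsplit=8)
        if len(fields) < 9 or fields[0][0] not in _TYPES:
            continue                                   # 'total 452' and blank lines
        try:
            reasons = reasons_for(parse_filemode(fields[0]), fields[2], web_users)
        except ValueError:
            continue
        if reasons:
            findings[fields[8]] = reasons
    return findings


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def scan_tree(root: str, web_users: Set[str]) -> Dict[str, List[str]]:
    """Walk a directory (symlinks not followed) and report notable regular files."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            reasons = reasons_for(st.st_mode, _owner_name(st.st_uid), web_users)
            if reasons:
                findings[path] = reasons
    return findings


# Constructed from the listing in the post above (same names, modes and sizes).
SAMPLE_LS = """total 452
drwxr-xr-x    2 www-data www-data     4096 Jun  1 09:32 .
drwxrwxrwt    3 root     root         4096 Jun  1 09:37 ..
-rwsrwsrwt    1 www-data www-data   446714 May 29 05:12 ps.htm""".splitlines()


def demo_scan() -> Dict[str, List[str]]:
    """Build a throwaway directory holding one setuid script owned by the current
    user, then scan it treating that user as the web server account."""
    me = _owner_name(os.getuid())
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "3")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755)
        return {os.path.basename(p): r for p, r in scan_tree(tmp, {me}).items()}
```

Run `scan_tree("/tmp", {"www-data"})` from cron and diff the result against the previous run; on a web server that should normally be empty, so any entry at all is the alert. Together with a rebuild from known-good media, which s. keeling's reply below recommends, this gives early warning the next time the same hole is used.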



Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-14 Thread s. keeling
Incoming from Ross Tsolakidis:
> 
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
> 
> 18687 ?        S      0:00 shell
> 18701 ?        Z      0:00 [sh <defunct>]
> 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that 3 in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: rbl's status?

2004-06-14 Thread Vassilii Khachaturov

> Also, for Vassilii - you use the SpamCop blacklists. That is something
> that I would be very nervous of. They have some pretty liberal policies
> about what they accept, and their automatic tools are not that great at
> filtering out innocent parties...


This is why on the primary MX (which I share with some friends) I don't use it 
at the SMTP level. OTOH, I do use it for my account and I never had a 
positive hit with it  yet. If you have a huge server with a lot of users of 
various profiles, you probably should only use it for advisory tagging so 
your users can decide if they want to accept it.



Re: rbl's status?

2004-06-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
> This sort of thing is why I would rather use any RBL within
> SpamAssassin, rather than at SMTP delivery time. Even if one of these
> services goes completely belly up and blacklists the world, I don't
> automatically lose mail from it.

Please don't do this. You MUST reject mails (by spam scanners, malware
scanners or blacklists) on the SMTP level, otherwise you become a pretty big
annoyance to the internet (if you bounce) or will silently lose mails (if
you drop them).


Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/




Re: Kernel Crash Bug????

2004-06-14 Thread Philippe Troin
peace bwitchu [EMAIL PROTECTED] writes:

> Anyone have info on this one?
>
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Fixed by Linux here: 

http://linux.bkbits.net:8080/linux-2.5/diffs/include/asm-i386/[EMAIL 
PROTECTED]|src/.|src/include|src/include/asm-i386|hist/include/asm-i386/i387.h

Phil.



Re: Kernel Crash Bug????

2004-06-14 Thread Diego Alvarez
it does crash 2.6.6-1-686

On Mon, Jun 14, 2004 at 09:57:54AM -0700, peace bwitchu wrote:
> Anyone have info on this one?
>
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
>
>
>
> Peace



Re: rbl's status?

2004-06-14 Thread Matthew Whitworth

Bernd Eckenfels wrote:

> In article [EMAIL PROTECTED] you wrote:
>
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. You MUST reject mails (by spam scanners, malware
> scanners or blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails (if
> you drop them).


Bouncing or silently dropping potential spam are both obnoxious net 
behavior, but neither has anything to do with whether or not one does 
their spam classification before accepting mail at the SMTP level. 
Rejecting false positives can be pretty annoying, too!


I find rejecting potential spam at the SMTP level to be riskier than I'd 
prefer, but this is a judgment call that sysadmins need to make based on 
the needs of their users.  Neither choice forces poor netiquette.


Matthew



Re: rbl's status?

2004-06-14 Thread Brian Thomas Sniffen
Bernd Eckenfels [EMAIL PROTECTED] writes:

> In article [EMAIL PROTECTED] you wrote:
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. You MUST reject mails (by spam scanners, malware
> scanners or blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails (if
> you drop them).

Well, yes, choosing one of the broken options is broken.  Just giving
a message 5 spamassassin points for tripping a blacklist seems pretty
reasonable, though.

-Brian

-- 
Brian Sniffen   [EMAIL PROTECTED]



Jari Heikkinen is out of the office.

2004-06-14 Thread jari . heikkinen




I will be out of the office starting  12.06.2004 and will not return until
27.06.2004.

I am on holiday until 28.6.04 and will read my email next time at 28.06.04.

If you have urgent support matters, please email to [EMAIL PROTECTED]

For other matters, please contact Pasi Lindholm +358407301926.

You may also send sms or leave a telephone message to my mobile
+358405550125




Re: password managers

2004-06-14 Thread sjk
We use PMS (http://passwordms.sourceforge.net), but I keep meaning to
re-write parts of the code to make it multi-user friendly.


On Mon, 14 Jun 2004, andrew lattis wrote:

> currently i've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data but i can't find anything showing any type of third party
> audit.
>
> what does everyone else use to keep track of all their passwords?
>
> thanks,
> andrew
>
> --
> don't ask questions that lead to answers you don't want to hear




Re: password managers

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 02:56:15PM -0400, andrew lattis wrote:
> what does everyone else use to keep track of all their passwords?

Try gringotts.

-- 
--
   Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  Have Laptop, Will Travel
--



Re: password managers

2004-06-14 Thread Stephan Dietl
Hello!

andrew lattis [EMAIL PROTECTED] schrieb:
> what does everyone else use to keep track of all their passwords?

Following an article by Martin "Joey" Schulze in a German magazine, I send
a mail with the password encrypted for myself to me and use it via mutt.


HTH,

Ciao,

Steve
-- 
www.cargal.org
GnuPG-key-ID: 0x051422A0
Be the change you want to see in the world-Mahatma Gandhi
Jabber-ID: [EMAIL PROTECTED]




Re: rbl's status?

2004-06-14 Thread Daniel Pittman
On 14 Jun 2004, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
>> This sort of thing is why I would rather use any RBL within
>> SpamAssassin, rather than at SMTP delivery time. Even if one of these
>> services goes completely belly up and blacklists the world, I don't
>> automatically lose mail from it.
>
> Please don't do this. 

Eh? You seem to have made an incorrect assumption about what I do to
the mail with SpamAssassin.

> You MUST reject mails (by spam scanners, malware scanners or
> blacklists) on the SMTP level, otherwise you become a pretty big
> annoyance to the internet (if you bounce) or will silently lose mails
> (if you drop them).

...or, option 3, I deliver them to the end user tagged as likely spam
when they look like spam. Then the end user can filter them out as they
please.

I certainly agree that bouncing SPAM messages, just like reporting
virus infections, is an anti-social behaviour.


If I chose to silently drop mail after accepting it, though, that is a
legitimate and reasonable disposition of the content, as far as I can
see.

Claims that this is anti-social seem spurious to me; can you expand on
your reasoning there?


Anyway, as I said, I don't take either of the options you suggest.
I use RBL tests at the SpamAssassin level because I *don't* trust them
to be one hundred percent accurate.

If I didn't care more about real mail getting through than the
occasional missed spam, then sure, using RBL blocking at the initial
SMTP stage would be ideal...

 Daniel

-- 
... Far down the vault a man was screaming. His fists were tightly clenched
and he was screaming out imprecations against the humming computers. There
was a hopeless rage in his eyes - rage and bitter, savage defiance.
-- Frank Bellknap, _It Was The Day Of The Robot_ (1963)



Re: password managers

2004-06-14 Thread Russell Coker
On Tue, 15 Jun 2004 04:56, andrew lattis [EMAIL PROTECTED] wrote:
> currently i've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data but i can't find anything showing any type of third party
> audit.
>
> what does everyone else use to keep track of all their passwords?

OS/X from Apple has a password manager program; it allows passwords to be made 
available to applications for certain time periods (not sure how this is 
supposed to work as the application could just write it to disk).

I think that an ideal password management scheme would be mediated by a SGID 
application (SGID so that it can access storage unavailable to regular user 
processes and so that it can't be ptraced).

Password storage would be either in a file owned by the user that is mode 0600 
under a mode 1770 system directory with group ownership being the group that 
the management program is SGID to, or a regular file in the home directory 
that is encrypted (requiring a password authentication for the first login of 
the day or something similar).

The password management system would need to have helpers for managing 
passwords that would be called by the application.  For example there would 
be POP and IMAP helpers which would establish a connection to the mail 
server, authenticate, and then use a unix domain socket to pass the file 
handle for the TCP socket back to the calling application (so the MUA would 
never be able to recover the password).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
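The helper-and-descriptor-passing scheme Russell sketches above, as an added example (not code from this thread or from any project named in it): a toy POP-like server on loopback stands in for the mail server, a thread stands in for the SGID helper, and the already-authenticated TCP socket is handed back over a unix domain socket with SCM_RIGHTS, so the calling "MUA" never holds the credential. The wire protocol and the SECRET value are constructed for the demonstration; in a real deployment the helper would be a separate SGID process, which is where the privilege boundary sits, but the fd-passing mechanism is the same.

```python
import array
import socket
import threading

SECRET = b"hunter2-constructed"  # constructed sample credential; only the helper sees it

def _toy_pop_server(listener, secret):
    """Constructed stand-in for the mail server: one PASS, then one STAT."""
    conn, _ = listener.accept()
    with conn:
        if conn.recv(128) != b"PASS " + secret + b"\r\n":
            conn.sendall(b"-ERR auth failed\r\n")
            return
        conn.sendall(b"+OK authenticated\r\n")
        if conn.recv(128) == b"STAT\r\n":
            conn.sendall(b"+OK 0 0\r\n")

def pop_helper(to_mua, host, port, secret):
    """Helper side: connect, authenticate, hand the live TCP socket to the MUA via SCM_RIGHTS."""
    srv = socket.create_connection((host, port))
    srv.sendall(b"PASS " + secret + b"\r\n")
    status = srv.recv(128)
    fds = array.array("i", [srv.fileno()])
    to_mua.sendmsg([status], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
    srv.close()  # the kernel duplicated the descriptor into the message already
    to_mua.close()

def recv_fd(from_helper):
    """MUA side: receive the helper's status line plus exactly one file descriptor."""
    fds = array.array("i")
    msg, ancdata, _, _ = from_helper.recvmsg(128, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
    return msg, fds[0]

def mua_session(secret=SECRET):
    """Run the whole exchange on loopback; returns (auth status, STAT reply)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_toy_pop_server, args=(listener, secret)).start()
    mua_end, helper_end = socket.socketpair()
    helper = threading.Thread(target=pop_helper, args=(helper_end, *listener.getsockname(), secret))
    helper.start()
    status, fd = recv_fd(mua_end)
    helper.join()
    with socket.socket(fileno=fd) as conn:  # already-authenticated TCP socket
        conn.sendall(b"STAT\r\n")
        return status, conn.recv(128)
```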



Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-14 Thread Ross Tsolakidis
Hi all,

One of our webservers seems to get compromised on a daily basis.
When I do a ps ax I see these processes all the time.

18687 ?        S      0:00 shell
18701 ?        Z      0:00 [sh <defunct>]
18704 ?        T      0:00 ./3 200.177.162.185 1524
18705 ?        Z      0:00 [3 <defunct>]

And if I check the /tmp dir there are strange executable files in there
that are owned by www-data.
Such as ./3 and others like ./bdshell.
Definitely some sort of Trojan that's being run by www-data user.

When I did a virus check first time it showed that it was infected with
the old Linux.RST virus, it basically stuffed the entire /bin directory.

I did a rebuild, virus checked all client files on a different server,
then copied them back.

After a week, same thing.
Infected.

/tmp/sl# ls -al
total 452
drwxr-xr-x    2 www-data www-data     4096 Jun  1 09:32 .
drwxrwxrwt    3 root     root         4096 Jun  1 09:37 ..
-rwsrwsrwt    1 www-data www-data   446714 May 29 05:12 ps.htm

I'm pretty sure it's one of our clients who has some dodgy php-nuke
sites or something like that.

All our other webservers are fine running the same build.
But this server is the major client one where we allow them to FTP, CGI
and make MYSQL changes.

I'd appreciate some help on how to stop this from happening.

Running Debian Stable with all the security updates.

P.S. Sorry for the Disclaimer, company policy, which I don't agree with,
yet they pay me so I must comply  :/

--
Ross.

DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.
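A defender-side check for the two symptoms Ross reports (setuid/setgid files owned by www-data under /tmp, and processes such as ./3 and shell running out of /tmp), as an added example that is not code from this thread: the scan uses lstat so symlinks planted in /tmp are not followed, and reads /proc/PID/exe to find running binaries under a directory. demo() builds a constructed temp directory with a setuid "ps.htm"; pointing it at the real /tmp and the www-data uid is left to the operator.

```python
import os
import stat
import tempfile


def suspicious_files(root, owner_uid=None):
    """Walk `root` and return (path, mode string, uid) for regular files that
    carry the setuid or setgid bit, optionally restricted to one owner uid
    (e.g. www-data), matching the -rwsrwsrwt ps.htm in the /tmp/sl listing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks planted in /tmp
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.filemode(st.st_mode), st.st_uid))
    return hits


def procs_executing_from(root):
    """Return (pid, exe) for live processes whose binary lives under `root`,
    the way './3' and 'shell' were running out of /tmp in the report (Linux /proc)."""
    root = os.path.realpath(root) + os.sep
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # process exited, or not ours to inspect
            continue
        if exe.startswith(root):
            found.append((int(pid), exe))
    return found


def demo():
    """Constructed sample: a setuid 'ps.htm' next to a harmless file in a temp dir."""
    d = tempfile.mkdtemp(prefix="sl-demo-")
    bad, good = os.path.join(d, "ps.htm"), os.path.join(d, "notes.txt")
    for p in (bad, good):
        open(p, "w").close()
    os.chmod(bad, 0o4755)   # setuid bit, like the www-data file in the post
    os.chmod(good, 0o644)
    return suspicious_files(d, os.getuid())
```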