From owner-freebsd-security Sun Feb 20 1:59:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from tricord.system.pl (tricord.system.pl [195.205.185.10]) by hub.freebsd.org (Postfix) with ESMTP id 35D7B37BC7B for ; Sun, 20 Feb 2000 01:59:44 -0800 (PST) (envelope-from sopel@tricord.system.pl) Received: (from sopel@localhost) by tricord.system.pl (SYSTEM Internet) id KAA15474; Sun, 20 Feb 2000 10:59:31 +0100 (MET) Date: Sun, 20 Feb 2000 10:59:31 +0100 
From: Wojtek Sobczuk To: Tom Marchand Cc: freebsd-security@freebsd.org Subject: Re: Controlled Network Access Message-ID: <20000220105931.A15380@tricord.system.pl> References: <200002200009.TAA24866@duval.se.mediaone.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>; from Tom Marchand on Sat, Feb 19, 2000 at 07:04:46PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Feb 19, 2000 at 07:04:46PM -0500, Tom Marchand wrote: > I would like to control which users can access tcpip utilities(ftp,telnet, > etc) by using groups. I realize that this can be accomplished via the > proper file permissions on each utility. This works but it will not prevent > somebody from compiling their own ftp, telnet etc. My thought was to > perform the authorization at the socket level. This would entail > modifaction of the kernel to only allow root or a member of the tcpip group > to open a socket. Does anybody know if this has been done or if it would > even work? I originally had this requirement at work to lock down external > vendors. Since we are an AIX shop it was quite easy. On AIX you must be a > member of the system group to access network utilities. below i include a little patch i've written a long time ago (i'm not even sure if it works on the newest releases, but worked when i've done it (3.0 it was i think)). it limits socket execution to root and a chosen uid/gid. on my machine it worked perfectly. i hope it helps, Wojtek ------ cut ------------------------------------------------------------------- --- uipc_syscalls.c.orig Sun Aug 23 03:06:59 1998 +++ uipc_syscalls.c Tue Jan 5 22:16:01 1999 
@@ -88,6 +88,24 @@ socket(p, uap) struct file *fp; int fd, error; +/***** socket user/group ******/ +#define ALLOW_GROUP 155 +#define ALLOW_USER 122 + + if (uap->domain != AF_LOCAL) { + error = 1; + for (fd = 0; fd < p->p_ucred->cr_ngroups; fd++) { + if (p->p_ucred->cr_groups[fd] == ALLOW_GROUP) { + error = 0; + break; + } + } + /*** we allow GROUP and USER and root to make sockets ***/ + if (error && p->p_ucred->cr_uid && + p->p_ucred->cr_uid != ALLOW_USER) + return (1); + } +/*** end patch ****/ error = falloc(p, &fp, &fd); if (error) return (error); ------ cut ------------------------------------------------------------------- -- Wojciech Sobczuk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Feb 20 7:48:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id A7D3C37BD54; Sun, 20 Feb 2000 07:48:28 -0800 (PST) (envelope-from bg@bg.sics.se) Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id QAA09029; Sun, 20 Feb 2000 16:48:34 +0100 (CET) (envelope-from bg) To: Dan Moschuk Cc: Omachonu Ogali , "smb@RESEARCH.ATT.COM Bill Fumerola" , freebsd-security@FreeBSD.ORG Subject: Re: Random Sequence Numbers References: <20000211114905.E74001@jade.chc-chimes.com> <20000211135026.C9856@spirit.jaded.net> From: Bjoern Groenvall Date: 20 Feb 2000 16:48:34 +0100 In-Reply-To: Dan Moschuk's message of Fri, 11 Feb 2000 13:50:26 -0500 Message-ID: Lines: 32 X-Mailer: Red Gnus v0.52/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dan Moschuk writes: > This has been done, by me, using the arc4random() implementation I put into > the kernel a few months ago. I'll be committing it after the code freeze. Before you go ahead and do this you might want to consider this comment. (The message never made it way back to freebsd-security). 
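
Review bot: In the uipc_syscalls.c hunk against socket() posted above, the denial path is "return (1);" and the match flag is set with "error = 1;", so the refusal is signalled with a bare literal; return a named errno such as EPERM so the intent is visible to readers and callers. The loop also borrows fd as the group index and error as the flag, which is safe only because "error = falloc(p, &fp, &fd);" overwrites both immediately after the block; a dedicated local variable would keep a later edit from breaking that silently. ALLOW_GROUP 155 and ALLOW_USER 122 are #defines placed inside the function body, so changing the permitted gid or uid means editing and rebuilding the kernel; move them to a header or make them tunable. The gate is applied only at this socket() entry point for domains other than AF_LOCAL, so the message accompanying the patch should state that descriptors obtained by any other route are not covered.
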
From: "Steven M. Bellovin"
Subject: Re: Random Sequence Numbers
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 10 Feb 2000 17:35:03 -0500
Reply-To: smb@RESEARCH.ATT.COM
Return-Path: owner-bugtraq@SECURITYFOCUS.COM

In message <00Feb10.090608est.115219@border.alcanet.com.au>, Peter Jeremy writes:
> On 2000-Feb-09 20:27:08 +1100, Omachonu Ogali wrote:
> >I don't know if anyone else attempted, but I whipped up a little patch for
> >FreeBSD that randomizes the sequence/acknowledgment numbers sent by TCP
> >instead of incrementing it by one each time. Apply using 'patch'.
>
> Note that the patch is using libkern/random(). This function is a
> simple, multiplicative PRNG with 32-bits of state (all of which is
> `leaked' via its return value. Whilst the change might be better than
> a simple increment/decrement, I don't believe it provides any real
> security (especially in view of the %=2 operations).

I never saw the original posting to this; let me suggest that folks read RFC
1948 before doing sequence number randomization.

--Steve Bellovin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 7:57:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from prioris.mini.pw.edu.pl (prioris.mini.pw.edu.pl [148.81.80.7]) by hub.freebsd.org (Postfix) with ESMTP id 0689137BEA9 for ; Sun, 20 Feb 2000 07:57:25 -0800 (PST) (envelope-from zaks@prioris.im.pw.edu.pl)
Received: from pe44.warszawa.ppp.tpnet.pl ([212.160.56.44]:3588 "EHLO pe44.warszawa.ppp.tpnet.pl") by prioris.mini.pw.edu.pl with ESMTP id ; Sun, 20 Feb 2000 16:56:46 +0100
Received: (from localhost user: 'zaks', uid#1000) by localhost.localnet id ; Sun, 20 Feb 2000 12:16:21 +0100
From: Slawek Zak
To: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
References: <200002171403.GAA81839@cwsys.cwsent.com>
Mail-Copies-To: never
Reply-To: zaks@prioris.im.pw.edu.pl
Date: 20 Feb 2000 12:16:20 +0100
In-Reply-To: Cy Schubert - ITSD Open Systems Group's message of "Thu, 17 Feb 2000 06:02:53 -0800"
Message-ID: <87g0uo5dkr-cos-mos@localhost.localnet>
Lines: 26
Organization: Ministerstwo smierci na wojnie
User-Agent: Gnus/5.0803 (Gnus v5.8.3) XEmacs/21.1 (Bryce Canyon)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

actually more secure than
> > later versions. When the ADMROCKS exploit got out, I discovered that the
> > BIND that shipped with 2.2.8 wasn't susceptible. Systems with newer versions
> > of BIND were.
>
> Yes but BIND 4 has even more security holes than BIND 8. If I had to
> run 2.2.8 and BIND, I'd install BIND 8 and run it in a jail under a
> non-privileged account.

No one did serious security audit of BIND 8, so where do you get this
"news" from ?? BIND 4 was audited by the OpenBSD team and is shipped
with OpenBSD. I believe it does proper bound checking at least.

BTW: You can run BIND 4.9.7 as another user in chrooted environment.

--
"To save energy the light at the end of the tunnel will temporarily be switched off."
Suavek Zak / PGP: finger://zaks@prioris.mini.pw.edu.pl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 7:58:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 6491437BE8F for ; Sun, 20 Feb 2000 07:58:19 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 87110 invoked from network); 20 Feb 2000 15:58:22 -0000
Received: from localhost (user46549@127.0.0.1) by hydrant.intranova.net with SMTP; 20 Feb 2000 15:58:22 -0000
Date: Sun, 20 Feb 2000 10:58:22 -0500 (EST)
From: Omachonu Ogali
To: Bjoern Groenvall
Cc: Dan Moschuk , "smb@RESEARCH.ATT.COM Bill Fumerola" , freebsd-security@FreeBSD.ORG
Subject: Re: Random Sequence Numbers
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That was dropped a while ago and I saw that post Steven did, and secondly
Dan told me he's done it already so there was no need to go on as it was
only about 4-5 lines of code.

On 20 Feb 2000, Bjoern Groenvall wrote:

> Dan Moschuk writes:
>
> > This has been done, by me, using the arc4random() implementation I put into
> > the kernel a few months ago. I'll be committing it after the code freeze.
>
> Before you go ahead and do this you might want to consider this
> comment. (The message never made it way back to freebsd-security).
>
> From: "Steven M. Bellovin"
> Subject: Re: Random Sequence Numbers
> To: BUGTRAQ@SECURITYFOCUS.COM
> Date: Thu, 10 Feb 2000 17:35:03 -0500
> Reply-To: smb@RESEARCH.ATT.COM
> Return-Path: owner-bugtraq@SECURITYFOCUS.COM
>
> In message <00Feb10.090608est.115219@border.alcanet.com.au>, Peter Jeremy writes:
> > On 2000-Feb-09 20:27:08 +1100, Omachonu Ogali wrote:
> > >I don't know if anyone else attempted, but I whipped up a little patch for
> > >FreeBSD that randomizes the sequence/acknowledgment numbers sent by TCP
> > >instead of incrementing it by one each time. Apply using 'patch'.
> >
> > Note that the patch is using libkern/random(). This function is a
> > simple, multiplicative PRNG with 32-bits of state (all of which is
> > `leaked' via its return value. Whilst the change might be better than
> > a simple increment/decrement, I don't believe it provides any real
> > security (especially in view of the %=2 operations).
>
> I never saw the original posting to this; let me suggest that folks read RFC
> 1948 before doing sequence number randomization.
>
> --Steve Bellovin
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
+-------------------------------------------------------------------------+
| Omachonu Ogali oogali@intranova.net |
| Intranova Networking Group http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839 |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 8:19: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 3239037BCAD for ; Sun, 20 Feb 2000 08:19:02 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 42903 invoked by uid 1001); 20 Feb 2000 16:18:56 +0000 (GMT)
To: zaks@prioris.im.pw.edu.pl, S.Zak@altkom.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
From: sthaug@nethelp.no
In-Reply-To: Your message of "20 Feb 2000 12:16:20 +0100"
References: <87g0uo5dkr-cos-mos@localhost.localnet>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 20 Feb 2000 17:18:56 +0100
Message-ID: <42901.951063536@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Yes but BIND 4 has even more security holes than BIND 8. If I had to
> > run 2.2.8 and BIND, I'd install BIND 8 and run it in a jail under a
> > non-privileged account.
>
> No one did serious security audit of BIND 8, so where do you get this
> "news" from ?? BIND 4 was audited by the OpenBSD team and is shipped
> with OpenBSD. I believe it does proper bound checking at least.

There are enough *other* known errors in BIND 4.9.x (functional, may or
may not be security related) that I certainly wouldn't want to return to
using 4.9.x. Also, proper bounds checking alone (even if it certainly
helps!) isn't enough for good security.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 8:43:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 69DC137BED0 for ; Sun, 20 Feb 2000 08:43:38 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 87489 invoked from network); 20 Feb 2000 16:43:41 -0000
Received: from localhost (user7453@127.0.0.1) by hydrant.intranova.net with SMTP; 20 Feb 2000 16:43:41 -0000
Date: Sun, 20 Feb 2000 11:43:41 -0500 (EST)
From: Omachonu Ogali
To: netdude@bc.sympatico.ca
Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-security@freebsd.org
Subject: Re: kern/16828: High Speed Pinging Over 8184 bytes Kills Server Instantly
In-Reply-To: <200002200401.UAA02923@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1774392370-951065021=:49727"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--0-1774392370-951065021=:49727
Content-Type: TEXT/PLAIN; charset=US-ASCII

Attached unofficial patch to drop ICMP packets larger than 8184 bytes.
E-Mail/Flame me if not liked... I wanted to be able to set the maximum
value via sysctl but I'm not sure if I'll break anything, feel free to
pick up from there.

On Sat, 19 Feb 2000 netdude@bc.sympatico.ca wrote:

>
> >Number: 16828
> >Category: kern
> >Synopsis: High Speed Pinging Over 8184 bytes Kills Server Instantly
> >Confidential: no
> >Severity: critical
> >Priority: high
> >Responsible: freebsd-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sat Feb 19 20:10:01 PST 2000
> >Closed-Date:
> >Last-Modified:
> >Originator: Ahsanul Shajan Alam
> >Release: 3.3-RELEASE
> >Organization:
> TheCoolHost.com, Inc.
> >Environment:
> FreeBSD big_server1.webdevstudio.com 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386
> >Description:
> High speed pinging to anyone or from anyone on a local ethernet network with packet sizes over 8184 bytes will bring down the server, regardless of whether packets were being directed to it or another target which is online OR offline.
Once pinging starts from any other machine, if local the BSD server will go down immediately, if from a remote source, it will go down in a few seconds. > > What makes this problem really bad is the fact that the target of the pings does not even have to be the server, it can be any on the ethernet segment... > >How-To-Repeat: > pick any LINUX box and do a: > > ping -fs 10000 > > But note: if the ping packets are exactly 8184 bytes, the server will just respond back at them and "laugh", if larger (ideally 10000 bytes) the server will die immediately... > >Fix: > get upstream provider to disable ping packets from coming in, BUT that will NOT protect you if the source of the pings is on the same ethernet segment. Desparate to find a "cure" to this problem. Please email: netdude@bc.sympatico.ca or president@thecoolhost.com if you know of any solutions, or if anybody can send me exactly what I need to type in to disable pings via IPFW... hmm... Thanks for you time. > > >Release-Note: > >Audit-Trail: > >Unformatted: > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-bugs" in the body of the message > -- +-------------------------------------------------------------------------+ | Omachonu Ogali oogali@intranova.net | | Intranova Networking Group http://tribune.intranova.net | | PGP Key ID: 0xBFE60839 | | PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 | +-------------------------------------------------------------------------+ --0-1774392370-951065021=:49727 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="icmp.large.drop" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename="icmp.large.drop"
--0-1774392370-951065021=:49727-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Feb 20 9:13:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from europe.std.com (europe.std.com [199.172.62.20]) by hub.freebsd.org (Postfix) with ESMTP id 997F837BE8D for ; Sun, 20 Feb 2000 09:13:13 -0800 (PST) (envelope-from lowell@world.std.com) Received: from world.std.com (lowell@world-f.std.com [199.172.62.5]) by europe.std.com (8.9.3/8.9.3) with ESMTP id MAA21265; Sun, 20 Feb 2000 12:12:40 -0500 (EST) Received: (from lowell@localhost) by world.std.com (8.9.3/8.9.3) id MAA19527; Sun, 20 Feb 2000 12:12:40 -0500 (EST) To: Omachonu Ogali , freebsd-security@freebsd.org Subject: Re: Random Sequence Numbers References: 
From: Lowell Gilbert
Date: 20 Feb 2000 12:12:40 -0500
In-Reply-To: Omachonu Ogali's message of Sun, 20 Feb 2000 10:58:22 -0500 (EST)
Message-ID:
Lines: 13
X-Mailer: Gnus v5.5/Emacs 20.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Omachonu Ogali writes:

> That was dropped a while ago and I saw that post Steven did, and secondly
> Dan told me he's done it already so there was no need to go on as it was
> only about 4-5 lines of code.

Actually, what Dan had done was randomizing the *initial* sequence
numbers in a TCP session, as (in fact) Bellovin described in RFC 1948.
What *your* code did was randomize *every* packet's sequence number.
I still insist on believing that you had to be kidding, because the
idea and the execution both qualify among the best spoofs I've seen in
weeks.

- Lowell Gilbert

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 17:24: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f163.law4.hotmail.com [216.33.149.163]) by hub.freebsd.org (Postfix) with SMTP id 95FC937BA85 for ; Sun, 20 Feb 2000 17:24:05 -0800 (PST) (envelope-from jasonschwab@hotmail.com)
Received: (qmail 72940 invoked by uid 0); 21 Feb 2000 01:19:05 -0000
Message-ID: <20000221011905.72939.qmail@hotmail.com>
Received: from 207.224.147.82 by www.hotmail.com with HTTP; Sun, 20 Feb 2000 17:19:05 PST
X-Originating-IP: [207.224.147.82]
From: "jason schwab"
To: freebsd-security@freebsd.org, jasonschwab@hotmail.com, ghandi@mindless.com
Subject: open ports (tcp) and lsof...
Date: Sun, 20 Feb 2000 20:19:05 EST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, I am running a FreeBSD 2.2.8-STABLE system. I decided to run a
portscanner on my machine, so I did, and I had it search all ports
(1-65534)... I ran "lsof | grep port#" and it would show me what username
and process id and all that stuff just like I wanted it to...

Except! Three of those ports that showed up, "1420, 1986, 1999", did NOT
show up in lsof, and I telneted to them locally and got a connection but
no responses from anything I would type in. I am wondering why LSOF is
not showing these open ports... any ideas?

Thanks,
Jason L. Schwab
Unix System(s) Admin

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 19:44:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id D250D37BF8D for ; Sun, 20 Feb 2000 19:44:15 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id VAA43535 for ; Sun, 20 Feb 2000 21:44:13 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38B0B487.CB71D7E1@origen.com>
Date: Sun, 20 Feb 2000 21:44:07 -0600
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Strange Spam
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone been seeing spam like this lately? It consists of an
unintelligible sequence of English words. Seems to be just strings of
randomly generated words, but I am wondering if there is something more
sinister going on here. Someone accidentally send us an encoded message?

***************

Hi. This is the qmail-send program at mail.origen.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

:
Sorry, no mailbox here by that name. (#5.1.1)

- --- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 1747 invoked from network); 20 Feb 2000 18:24:44 -0000
Received: from www.cause.org (HELO www.educause.edu) (198.59.61.80)
  by mail.origen.com with SMTP; 20 Feb 2000 18:24:44 -0000
From: postmaster@www.cause.org
To: zubenanalgenube@origen.com
Date: 20 Feb 2000 18:39:16 -0600
Message-ID: <036cc2029181488RKWEB@www.educause.edu>
Subject: Nondeliverable mail
MIME-Version: 1.0
Content-Type: Multipart/mixed;
  boundary = "NTWEBgGK:EVF+?cBGmzmVxN"

- --NTWEBgGK:EVF+?cBGmzmVxN

- ------Transcript of session follows -------
ww@cci.lg.ua
550 ... User unknown

- --NTWEBgGK:EVF+?cBGmzmVxN
Content-Type: message/rfc822; charset=us-ascii

Received: from BEAVISNBUTTHEAD ([63.225.147.56]) by www.educause.edu with
  Microsoft SMTPSVC(5.5.1877.197.19);
  Sun, 20 Feb 2000 18:41:03 -0600
To: ww@cci.lg.ua
From: zubenanalgenube@origen.com Subject: RE: from WW Return-Path: zubenanalgenube@origen.com Message-ID: <036f23327181488RKWEB@www.educause.edu> Date: 20 Feb 2000 18:41:06 -0600 StriderCaracas, Falsetto colonel flak devilish Miami experience Raymond polymerase emulate donkey summand Harold paint Daly hill acclimatize evince component seethe sarah1 Jewish Quixote Dowling corwin bye formant prince collusion, society agrimony lithography waybill Mathematik Zealand Shockley diluent Braun retaliate Cortez emphasis hooves we're molt franklin. Ravine graphic., auric moat. Mynah, ogle circumpolar nameplate tablespoon octopus curiosity posthumous optometrist stressful crossbill bitnet ablution abstract javelin, continuum Bentham conflagration Lissajous choose Thomas matriculate cancel reprise. gratuity broad cramp, southernmost jilt, reverberate Joshua malice homework hydrometer ladyfern Fourier biophysic fanfold Alcmena adamant phenolic snowstorm deacon swingable. imputation impel bedding hello washout, hopple spate doltish erupt thrips Farley, swat twiddle pipsissewa boastful ambrosia, oatcake haunch porterhouse DARPA anhydrite cerebral inexhaustible feast impede bombard annie cynthia contractual Nebuchadnezzar. UHF crepe Galloway bleach function psyllium cap, calico porridge tempestuous nature consul regretting Antioch customary halfback distribution canced Salish redound sepulchral kangaroo atonal begrudge factor swine climactic local Skeeter youth Montevideo flash chilblain, spyglass sire Wahl loquacity Rastus waistcoat, kid reclamation greet wipe child. kingdom busywork stake sideshow gauzy hank indiscernible groupoid baud repetition majesty faint. Aubrey Galatea halfhearted inlay Awesome inappeasable NY uprise helmsman lakers scout feeble Whatley, ontology Cochran libretto diablo chatting labia scion tarpaulin. 
Melee sang counterweight resident boogie bulldoze Eveready, Wilmington tong whitish rockabye duchess continuant clannish Annale nutate entrepreneur jade boatman, stellar, adjoin churchgo scream Clive briefcase Waco wildfire colonist neck concord firework expletive expel gunflint port glob lookup boyhood propionate biometry inability comparison arousal differ skeletal holography pandemonium Laplacian riverbank ringmaster euglena dulse Cassandra Rockland competitor softball handgun successful, gush Cabot congener tripartite ghetto. Grin strabismus Krueger Caesarian., tightwad, Ankara Peru bib coattail galaxy ingrown obsolescent triangular, pinniped amateurish adequacy. theoretician, mentor hyperbolic, sniff chip satisfactory divalent physiotherapist rocky dip, superman, buttonhole, ford, guitar lactose rapprochement steradian Copperfield Ernst class nominee Wakefield wad Czerniak Caracas Clarence island pyrolysis stratosphere eggshell pulley belch blab amnesty uterus poi offensive sciatica electric perspicacious. voice, whereupon foxglove drunk retina radiology Penh limestone. mozzarella titanate guillotine, detractor Interpol propensity aphelion comport arc Tutenkhamon exculpatory filial, eradicable chumming Clarence Calgary Mollie unify babyhood quanta indium. Batchelder Francisco survive marshmallow fumigate bloodshot receive tiger readout academe chatting player, Armonk selenate millstone bartend provision system, exegete botch cytosine Indonesian design chicago tailor wagoneer potent aforethought pacific alway loin benzene moose sympathetic dodecahedron suntanned schist entreaty Comanche anvil yucca. 
Arch,
Ensnare


--
Richard Martin dmartin@origen.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 19:50:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail1.uunet.ca (mail1.uunet.ca [209.167.141.3]) by hub.freebsd.org (Postfix) with ESMTP id D158737BFCD for ; Sun, 20 Feb 2000 19:50:28 -0800 (PST) (envelope-from matt@ARPA.MAIL.NET)
Received: from epsilon.lucida.qc.ca ([216.95.146.6]) by mail1.uunet.ca with ESMTP id <216519-23710>; Sun, 20 Feb 2000 22:49:15 -0500
Date: Sun, 20 Feb 2000 22:49:13 -0500
From: Matt Heckaman
X-Sender: matt@epsilon.lucida.qc.ca
To: Richard Martin
Cc: freebsd-security@freebsd.org
Subject: Re: Strange Spam
In-Reply-To: <38B0B487.CB71D7E1@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wow, how strange. I always sucked at finding patterns though, maybe some
of the English majors could figure this out, lol =)

Matt

--
Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
!Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]

On Sun, 20 Feb 2000, Richard Martin wrote:

: Date: Sun, 20 Feb 2000 22:44:07 -0500
From: Richard Martin : To: freebsd-security@freebsd.org : Subject: Strange Spam : : Has anyone been seeing spam like this lately? It consists of an : unintelligible sequence of English words. Seems to be just strings of : randomly generated words, but I am wondering if there is something more : sinister going on here. Someone accidentally send us an encoded message? : : *************** : : Hi. This is the qmail-send program at mail.origen.com. : I tried to deliver a bounce message to this address, but the bounce bounced! : : : : Sorry, no mailbox here by that name. (#5.1.1) : : - --- Below this line is the original bounce. : : Return-Path: <> : Received: (qmail 1747 invoked from network); 20 Feb 2000 18:24:44 -0000 : Received: from www.cause.org (HELO www.educause.edu) (198.59.61.80) : by mail.origen.com with SMTP; 20 Feb 2000 18:24:44 -0000 : From: postmaster@www.cause.org : To: zubenanalgenube@origen.com : Date: 20 Feb 2000 18:39:16 -0600 : Message-ID: <036cc2029181488RKWEB@www.educause.edu> : Subject: Nondeliverable mail : MIME-Version: 1.0 : Content-Type: Multipart/mixed; : boundary = "NTWEBgGK:EVF+?cBGmzmVxN" : : - --NTWEBgGK:EVF+?cBGmzmVxN : : - ------Transcript of session follows ------- : ww@cci.lg.ua : 550 ... User unknown : : - --NTWEBgGK:EVF+?cBGmzmVxN : Content-Type: message/rfc822; charset=us-ascii : : Received: from BEAVISNBUTTHEAD ([63.225.147.56]) by www.educause.edu with : Microsoft SMTPSVC(5.5.1877.197.19); : Sun, 20 Feb 2000 18:41:03 -0600 : To: ww@cci.lg.ua : 
From: zubenanalgenube@origen.com : Subject: RE: from WW : Return-Path: zubenanalgenube@origen.com : Message-ID: <036f23327181488RKWEB@www.educause.edu> : Date: 20 Feb 2000 18:41:06 -0600 : : : StriderCaracas, : : Falsetto colonel flak devilish Miami experience Raymond polymerase emulate : donkey summand Harold paint Daly hill acclimatize evince component seethe : sarah1 Jewish Quixote Dowling corwin bye formant prince collusion, society : agrimony lithography waybill Mathematik Zealand Shockley diluent Braun : retaliate Cortez emphasis hooves we're molt franklin. : : Ravine graphic., auric moat. : : Mynah, ogle circumpolar nameplate tablespoon octopus curiosity posthumous : optometrist stressful crossbill bitnet ablution abstract javelin, continuum : Bentham conflagration Lissajous choose Thomas matriculate cancel reprise. : gratuity broad cramp, southernmost jilt, reverberate Joshua malice homework : hydrometer ladyfern Fourier biophysic fanfold Alcmena adamant phenolic : snowstorm deacon swingable. imputation impel bedding hello washout, hopple : spate doltish erupt thrips Farley, swat twiddle pipsissewa boastful ambrosia, : oatcake haunch porterhouse DARPA anhydrite cerebral inexhaustible feast impede : bombard annie cynthia contractual Nebuchadnezzar. UHF crepe Galloway bleach : function psyllium cap, calico porridge tempestuous nature consul regretting : Antioch customary halfback distribution canced Salish redound sepulchral : kangaroo atonal begrudge factor swine climactic local Skeeter youth Montevideo : flash chilblain, spyglass sire Wahl loquacity Rastus waistcoat, kid : reclamation greet wipe child. kingdom busywork stake sideshow gauzy hank : indiscernible groupoid baud repetition majesty faint. Aubrey Galatea : halfhearted inlay Awesome inappeasable NY uprise helmsman lakers scout feeble : Whatley, ontology Cochran libretto diablo chatting labia scion tarpaulin. 
: : Melee sang counterweight resident boogie bulldoze Eveready, Wilmington tong : whitish rockabye duchess continuant clannish Annale nutate entrepreneur jade : boatman, stellar, adjoin churchgo scream Clive briefcase Waco wildfire : colonist neck concord firework expletive expel gunflint port glob lookup : boyhood propionate biometry inability comparison arousal differ skeletal : holography pandemonium Laplacian riverbank ringmaster euglena dulse Cassandra : Rockland competitor softball handgun successful, gush Cabot congener : tripartite ghetto. Grin strabismus Krueger Caesarian., tightwad, Ankara Peru : bib coattail galaxy ingrown obsolescent triangular, pinniped amateurish : adequacy. theoretician, mentor hyperbolic, sniff chip satisfactory divalent : physiotherapist rocky dip, superman, buttonhole, ford, guitar lactose : rapprochement steradian Copperfield Ernst class nominee Wakefield wad Czerniak : Caracas Clarence island pyrolysis stratosphere eggshell pulley belch blab : amnesty uterus poi offensive sciatica electric perspicacious. voice, whereupon : foxglove drunk retina radiology Penh limestone. mozzarella titanate : guillotine, detractor Interpol propensity aphelion comport arc Tutenkhamon : exculpatory filial, eradicable chumming Clarence Calgary Mollie unify babyhood : quanta indium. Batchelder Francisco survive marshmallow fumigate bloodshot : receive tiger readout academe chatting player, Armonk selenate millstone : bartend provision system, exegete botch cytosine Indonesian design chicago : tailor wagoneer potent aforethought pacific alway loin benzene moose : sympathetic dodecahedron suntanned schist entreaty Comanche anvil yucca. 
:
: Arch,
: Ensnare
:
:
: --
: Richard Martin dmartin@origen.com
:
:
: To Unsubscribe: send mail to majordomo@FreeBSD.org
: with "unsubscribe freebsd-security" in the body of the message
:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 21:37:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zerlargal.humbug.org.au (zerlargal.humbug.org.au [203.18.94.161])
        by hub.freebsd.org (Postfix) with ESMTP id D9D5837C11E
        for ; Sun, 20 Feb 2000 21:37:17 -0800 (PST)
        (envelope-from bc@thehub.com.au)
Received: from localhost ([127.0.0.1] helo=zerlargal.humbug.org.au)
        by zerlargal.humbug.org.au with smtp (Exim 2.12 #2)
        id 12MlTF-000IOe-00; Mon, 21 Feb 2000 15:33:21 +1000
Date: Mon, 21 Feb 2000 15:33:21 +1000 (EST)
From: Bruce Campbell
X-Sender: bc@zerlargal.humbug.org.au
To: Richard Martin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Strange Spam
In-Reply-To: <38B0B487.CB71D7E1@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Feb 2000, Richard Martin wrote:

> Has anyone been seeing spam like this lately? It consists of an
> unintelligible sequence of English words. Seems to be just strings of
> randomly generated words, but I am wondering if there is something more
> sinister going on here. Someone accidentally send us an encoded message?

First thing that I thought of was 'Snow Crash' by.. Neal Stephenson (?) in
which someone discovers a sequencing pattern which seems to reset your
brain.language setting.

Maybe there should be an advisory asking people not to read nonsense
emails for fear of really 'losing it' ;) (go read the book)

--==--
Bruce.

> StriderCaracas,
>
> Falsetto colonel flak devilish Miami experience Raymond polymerase emulate
> donkey summand Harold paint Daly hill acclimatize evince component seethe
> sarah1 Jewish Quixote Dowling corwin bye formant prince collusion, society
> agrimony lithography waybill Mathematik Zealand Shockley diluent Braun
> retaliate Cortez emphasis hooves we're molt franklin.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 21:48: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from groovy.je.yale.edu (groovy.je.yale.edu [130.132.72.105])
        by hub.freebsd.org (Postfix) with ESMTP id 8634F37BE70
        for ; Sun, 20 Feb 2000 21:47:56 -0800 (PST)
        (envelope-from dfolkins@groovy.je.yale.edu)
Received: (from dfolkins@localhost)
        by groovy.je.yale.edu (8.8.8/8.8.8) id AAA22426;
        Mon, 21 Feb 2000 00:47:13 -0500 (EST)
        (envelope-from dfolkins)
From: Daniel Folkinshteyn
To: Matt Heckaman , freebsd-security@FreeBSD.ORG
Subject: Re: Strange Spam
Date: Mon, 21 Feb 2000 00:33:01 -0500
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
References:
In-Reply-To:
MIME-Version: 1.0
Message-Id: <0002210047120Z.00540@groovy.je.yale.edu>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

well, i am no english major, but i do notice an abnormally high occurrence of
mathematical terms. (e.g. Lissajous,Fourier,Laplacian,dodecahedron, exegete,
maybe more , i did not look that hard), and an unusually high occurrence of
scientific (mostly biological/biochemical) terms (e.g.
polymerase,anhydrite,pinniped,benzene,cytosine,yucca...etc), and other
relatively specialized terms from various branches of science.... so it
definitely is not a RANDOM selection of words in here. random word selection
would not result in so many non-common-usage words.

so if this helps anyone, i am glad, as i sure as hell want to see what this
means, it has me intrigued. :)

On Sun, 20 Feb 2000, you wrote:
> Wow, how strange. I always sucked at finding patterns though, maybe some
> of the english majors could figure this out, lol =)
>
> Matt
> --
> Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
> !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]
>
> On Sun, 20 Feb 2000, Richard Martin wrote:
>
> : Date: Sun, 20 Feb 2000 22:44:07 -0500
> : From: Richard Martin
> : To: freebsd-security@freebsd.org
> : Subject: Strange Spam
> :
> : Has anyone been seeing spam like this lately? It consists of an
> : unintelligible sequence of English words. Seems to be just strings of
> : randomly generated words, but I am wondering if there is something more
> : sinister going on here. Someone accidentally send us an encoded message?
> :
> : ***************
> :
> : Hi. This is the qmail-send program at mail.origen.com.
> : I tried to deliver a bounce message to this address, but the bounce bounced!
> :
> : :
> : Sorry, no mailbox here by that name. (#5.1.1)
> :
> : - --- Below this line is the original bounce.
> :
> : Return-Path: <>
> : Received: (qmail 1747 invoked from network); 20 Feb 2000 18:24:44 -0000
> : Received: from www.cause.org (HELO www.educause.edu) (198.59.61.80)
> : by mail.origen.com with SMTP; 20 Feb 2000 18:24:44 -0000
> : From: postmaster@www.cause.org
> : To: zubenanalgenube@origen.com
> : Date: 20 Feb 2000 18:39:16 -0600
> : Message-ID: <036cc2029181488RKWEB@www.educause.edu>
> : Subject: Nondeliverable mail
> : MIME-Version: 1.0
> : Content-Type: Multipart/mixed;
> : boundary = "NTWEBgGK:EVF+?cBGmzmVxN"
> :
> : - --NTWEBgGK:EVF+?cBGmzmVxN
> :
> : - ------Transcript of session follows -------
> : ww@cci.lg.ua
> : 550 ... User unknown
> :
> : - --NTWEBgGK:EVF+?cBGmzmVxN
> : Content-Type: message/rfc822; charset=us-ascii
> :
> : Received: from BEAVISNBUTTHEAD ([63.225.147.56]) by www.educause.edu with
> : Microsoft SMTPSVC(5.5.1877.197.19);
> : Sun, 20 Feb 2000 18:41:03 -0600
> : To: ww@cci.lg.ua
> :
> :
> : Arch,
> : Ensnare
> :
> :
> : --
> : Richard Martin dmartin@origen.com
> :
> :
> : To Unsubscribe: send mail to majordomo@FreeBSD.org
> : with "unsubscribe freebsd-security" in the body of the message
> :
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Daniel Folkinshteyn groovy.je.yale.edu sysadmin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 21:52: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from groovy.je.yale.edu (groovy.je.yale.edu [130.132.72.105])
        by hub.freebsd.org (Postfix) with ESMTP id C8FCD37C0FD
        for ; Sun, 20 Feb 2000 21:51:59 -0800 (PST)
        (envelope-from dfolkins@groovy.je.yale.edu)
Received: (from dfolkins@localhost)
        by groovy.je.yale.edu (8.8.8/8.8.8) id AAA22436;
        Mon, 21 Feb 2000 00:51:06 -0500 (EST)
        (envelope-from dfolkins)
From: Daniel Folkinshteyn
To: Bruce Campbell
Subject: Re: Strange Spam
Date: Mon, 21 Feb 2000 00:47:51 -0500
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
References:
In-Reply-To:
Cc: Richard Martin , freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Message-Id: <00022100510610.00540@groovy.je.yale.edu>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hey dude!! that was what i thought too. although, even if it is designed to
screw someone's mind when he reads it, it's not gonna work - very few people
have enough patience to actually read through the whole thing. hehe. :)

ps. for those of you who have not read snow crash, it's a must-read.

On Mon, 21 Feb 2000, you wrote:
> On Sun, 20 Feb 2000, Richard Martin wrote:
>
> > Has anyone been seeing spam like this lately? It consists of an
> > unintelligible sequence of English words. Seems to be just strings of
> > randomly generated words, but I am wondering if there is something more
> > sinister going on here. Someone accidentally send us an encoded message?
>
> First thing that I thought of was 'Snow Crash' by.. Neal Stephenson (?) in
> which someone discovers a sequencing pattern which seems to reset your
> brain.language setting.
>
> Maybe there should be an advisory asking people not to read nonsense
> emails for fear of really 'losing it' ;) (go read the book)
>
> --==--
> Bruce.
>
> > StriderCaracas,
> >
> > Falsetto colonel flak devilish Miami experience Raymond polymerase emulate
> > donkey summand Harold paint Daly hill acclimatize evince component seethe
> > sarah1 Jewish Quixote Dowling corwin bye formant prince collusion, society
> > agrimony lithography waybill Mathematik Zealand Shockley diluent Braun
> > retaliate Cortez emphasis hooves we're molt franklin.
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Daniel Folkinshteyn groovy.je.yale.edu sysadmin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 21:56:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.rcsntx.swbell.net (mta2.rcsntx.swbell.net [151.164.30.26])
        by hub.freebsd.org (Postfix) with ESMTP id DB7E837BA8C
        for ; Sun, 20 Feb 2000 21:56:15 -0800 (PST)
        (envelope-from jbryant@ppp-208-188-200-9.dialup.kscymo.swbell.net)
Received: from ppp-208-188-200-9.dialup.kscymo.swbell.net ([208.188.200.9])
        by mta2.rcsntx.swbell.net
        (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FQ900309N5H8B@mta2.rcsntx.swbell.net>
        for freebsd-security@freebsd.org; Sun, 20 Feb 2000 23:56:08 -0600 (CST)
Received: (from jbryant@localhost)
        by ppp-208-188-200-9.dialup.kscymo.swbell.net (8.9.3/8.8.5)
        id XAA70351; Sun, 20 Feb 2000 23:56:03 -0600 (CST)
Date: Sun, 20 Feb 2000 23:55:54 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to:
To: matt@ARPA.MAIL.NET (Matt Heckaman)
Cc: dmartin@origen.com, freebsd-security@freebsd.org
Reply-To: kc5vdj@swbell.net
Message-id: <200002210556.XAA70351@ppp-208-188-200-9.dialup.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> Wow, how strange. I always sucked at finding patterns though, maybe some
> of the english majors could figure this out, lol =)
>
> Matt
> --
> Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
> !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]

could be a substitution code, or a template code. looks too formatted
to be spam, but then it could just be spam. look at the address in
the From and Received headers. Could be some right wing anti-education
militia schizo trying to make cause.org look bad by spoofing their
address.

who knows.

jim
--
All opinions expressed are mine, if you    |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid  |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm      KC5VDJ@NW0I.#NEKS.KS.USA.NOAM      kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22: 0:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from max.millenniumworks.com (millenniumworks.com [209.35.190.118])
        by hub.freebsd.org (Postfix) with SMTP id 6A70337C0AD
        for ; Sun, 20 Feb 2000 22:00:18 -0800 (PST)
        (envelope-from robertw@wojo.com)
Received: (qmail 52768 invoked from network); 21 Feb 2000 06:00:12 -0000
Received: from localhost.millenniumworks.com (HELO moe.wojo.net) (127.0.0.1)
        by localhost.millenniumworks.com with SMTP; 21 Feb 2000 06:00:12 -0000
Received: by moe.wojo.net with Internet Mail Service (5.5.2650.21)
        id ; Mon, 21 Feb 2000 00:59:44 -0500
Message-ID:
From: "Robert Wojciechowski Jr."
To: freebsd-security@freebsd.org
Subject: Re: Strange Spam
Date: Mon, 21 Feb 2000 00:59:43 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Richard,

Looks like some sort of steganography. Look at
http://ip-service.com/cgi-bin/stego.pl, which contains a web interface to
Texto, a steganography program. I tried decoding it with Texto, but it
didn't work. If it is a form of steganography, it could be a custom type
or encrypted with a key which would make it impossible to read it without
knowing the shared secret.

Another thing about it is that it follows a letter structure. If it's more
than just random words, maybe both parties have a dictionary file with a
special lookup table to map say, "the" to "dodecahedron". But I don't see
many repeating words, so maybe not. It could also be a stenography program
that creates the correct structure of a letter on purpose for some reason,
even though it's not intelligible text (Texto at least contains correct
sentence structure).

The best steganography of course, is the one you never spot as containing
hidden data!

Ugh, there are a million things it *could* be... I give up already. It's
going to be a chore finding out exactly what. Still very intriguing, and if
you find out what it is... please do share! ;)

Best Regards,

---
Robert S. Wojciechowski Jr.
robertw@wojo.com

-----------------------------------------------------------------
> On 20-Feb-2000 22:44:07, Richard Martin writes:
> Has anyone been seeing spam like this lately? It consists of an
> unintelligible sequence of English words. Seems to be just strings of
> randomly generated words, but I am wondering if there is something more
> sinister going on here. Someone accidentally send us an encoded message?
>
> ***************
>
> Hi. This is the qmail-send program at mail.origen.com.
> I tried to deliver a bounce message to this address, but the bounce bounced!
>
> :
> Sorry, no mailbox here by that name. (#5.1.1)
>
> - --- Below this line is the original bounce.
>
> Return-Path: <>
> Received: (qmail 1747 invoked from network); 20 Feb 2000 18:24:44 -0000
> Received: from www.cause.org (HELO www.educause.edu) (198.59.61.80)
> by mail.origen.com with SMTP; 20 Feb 2000 18:24:44 -0000
> From: postmaster@www.cause.org
> To: zubenanalgenube@origen.com
> Date: 20 Feb 2000 18:39:16 -0600
> Message-ID: <036cc2029181488RKWEB@www.educause.edu>
> Subject: Nondeliverable mail
> MIME-Version: 1.0
> Content-Type: Multipart/mixed;
> boundary = "NTWEBgGK:EVF+?cBGmzmVxN"
>
> - --NTWEBgGK:EVF+?cBGmzmVxN
>
> - ------Transcript of session follows -------
> ww@cci.lg.ua
> 550 ... User unknown
>
> - --NTWEBgGK:EVF+?cBGmzmVxN
> Content-Type: message/rfc822; charset=us-ascii
>
> Received: from BEAVISNBUTTHEAD ([63.225.147.56]) by www.educause.edu with
> Microsoft SMTPSVC(5.5.1877.197.19);
> Sun, 20 Feb 2000 18:41:03 -0600
> To: ww@cci.lg.ua
>
> Arch,
> Ensnare
>
>
> --
> Richard Martin dmartin@origen.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22:20:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.rcsntx.swbell.net (mta2.rcsntx.swbell.net [151.164.30.26])
        by hub.freebsd.org (Postfix) with ESMTP id 6F9CF37C1A4
        for ; Sun, 20 Feb 2000 22:20:19 -0800 (PST)
        (envelope-from jbryant@ppp-208-188-200-9.dialup.kscymo.swbell.net)
Received: from ppp-208-188-200-9.dialup.kscymo.swbell.net ([208.188.200.9])
        by mta2.rcsntx.swbell.net
        (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FQ9003P7O998B@mta2.rcsntx.swbell.net>
        for freebsd-security@FreeBSD.ORG; Mon, 21 Feb 2000 00:20:00 -0600 (CST)
Received: (from jbryant@localhost)
        by ppp-208-188-200-9.dialup.kscymo.swbell.net (8.9.3/8.8.5)
        id AAA70414; Mon, 21 Feb 2000 00:19:55 -0600 (CST)
Date: Mon, 21 Feb 2000 00:19:46 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to: <0002210047120Z.00540@groovy.je.yale.edu>
To: dfolkins@groovy.je.yale.edu (Daniel Folkinshteyn)
Cc: matt@ARPA.MAIL.NET, freebsd-security@FreeBSD.ORG
Reply-To: kc5vdj@swbell.net
Message-id: <200002210619.AAA70414@ppp-208-188-200-9.dialup.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> well, i am no english major, but i do notice an abnormally high occurrence of
> mathematical terms. (e.g. Lissajous,Fourier,Laplacian,dodecahedron, exegete,
> maybe more , i did not look that hard), and an unusually high occurrence of
> scientific (mostly biological/biochemical) terms (e.g.
> polymerase,anhydrite,pinniped,benzene,cytosine,yucca...etc), and other
> relatively specialized terms from various branches of science.... so it
> definitely is not a RANDOM selection of words in here. random word selection
> would not result in so many non-common-usage words.
>
> so if this helps anyone, i am glad, as i sure as hell want to see what this
> means, it has me intrigued. :)

a lot of words in there relating to ultra-right wing rhetoric, as well
as words of violence. i find a lot of words in there, in some kind of
order that make me think it came from some militia schizo.

could this have been the ultimate recipient?

person: Speransky Max
address: CCI Ukraine Ltd.
address: 3, Karl Marx street, Lugansk
phone: +380 642-501398
fax-no: +380 642-501398
e-mail: mx@cci.lg.ua
nic-hdl: MS5800-RIPE
changed: mx@cci.lg.ua 19991112
source: RIPE

well, i may be right or i may be wrong on the right-wing appearance,
but keep in mind that the kgb vault-keeper who defected with the files
did have proof the kgb was funding far-right paramilitary groups in
the usa, they both believe in the same ends and means.

jim
--
All opinions expressed are mine, if you    |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid  |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm      KC5VDJ@NW0I.#NEKS.KS.USA.NOAM      kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22:25:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail5.uunet.ca (mail5.uunet.ca [142.77.1.28])
        by hub.freebsd.org (Postfix) with ESMTP id 2EA1737BAE5
        for ; Sun, 20 Feb 2000 22:25:22 -0800 (PST)
        (envelope-from matt@ARPA.MAIL.NET)
Received: from epsilon.lucida.qc.ca ([216.95.146.6])
        by mail5.uunet.ca with ESMTP id <232865-8511>;
        Mon, 21 Feb 2000 01:26:35 -0500
Date: Mon, 21 Feb 2000 01:25:10 -0500
From: Matt Heckaman
X-Sender: matt@epsilon.lucida.qc.ca
To: kc5vdj@swbell.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Strange Spam
In-Reply-To: <200002210619.AAA70414@ppp-208-188-200-9.dialup.kscymo.swbell.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 21 Feb 2000, Jim Bryant wrote:

[...]
: a lot of words in there relating to ultra-right wing rhetoric, as well
: as words of violence. i find a lot of words in there, in some kind of
: order that make me think it came from some militia schizo.

Why would anyone use some kind of text code like this as opposed to
something like high-grade PGP encryption, or better yet - a combination of
text code and PGP? It sure does make one sit back and say "hmm".

The format of the letter is quite proper, if you take out the fact that the
words make no sense in the form that they are in.. There's a greeting, main
body, closing, etc. I'd love to figure this one out.

[...]
: jim

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22:32:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
        by hub.freebsd.org (Postfix) with ESMTP id 656C537C148
        for ; Sun, 20 Feb 2000 22:32:33 -0800 (PST)
        (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
        by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id XAA15811;
        Sun, 20 Feb 2000 23:32:20 -0700 (MST)
Message-Id: <4.2.2.20000220233109.04691ba0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Sun, 20 Feb 2000 23:32:10 -0700
To: "Robert Wojciechowski Jr." , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Strange Spam
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:59 PM 2/20/2000 , Robert Wojciechowski Jr. wrote:
>Richard,
>
>Looks like some sort of steganography.

Yep. I'll bet that the real message is in the header, and that the rest of
the spam is just foolishness intended to distract the reader. ;-)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22:55:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sprout.cgf.net (adsl-207-215-8-122.dsl.snfc21.pacbell.net [207.215.8.122])
        by hub.freebsd.org (Postfix) with ESMTP id 19F4B37C13E
        for ; Sun, 20 Feb 2000 22:55:01 -0800 (PST)
        (envelope-from tomb@cgf.net)
Received: from cgf.net (localhost.cgf.net [127.0.0.1])
        by sprout.cgf.net (8.9.3/8.9.3) with ESMTP id UAA01381
        for ; Sun, 20 Feb 2000 20:57:13 -0800 (PST)
        (envelope-from tomb@cgf.net)
Message-ID: <38B0C5A9.F0776BD2@cgf.net>
Date: Sun, 20 Feb 2000 20:57:13 -0800
From: tom brown
Organization: Badger Baisters (We do it with Lard)
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: Strange Spam
References:
Content-Type: multipart/mixed; boundary="------------F81BACE454FDFAB580CDE9CF"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.
--------------F81BACE454FDFAB580CDE9CF
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Robert

I agree. It looks like some of the example work I've seen that is designed
to avoid the content detection mechanisms triggered by strong math
techniques. Like you say it has a slight theme, suggesting a key based upon
a manuscript?

Beats reading about IPFW.

Tom

"Robert Wojciechowski Jr." wrote:

> Richard,
>
> Looks like some sort of steganography. Look at
> http://ip-service.com/cgi-bin/stego.pl, which contains a web interface to
> Texto, a steganography program. I tried decoding it with Texto, but it
> didn't work. If it is a form of steganography, it could be a custom type
> or encrypted with a key which would make it impossible to read it without
> knowing the shared secret.
>
> Another thing about it is that it follows a letter structure. If it's more
> than just random words, maybe both parties have a dictionary file with a
> special lookup table to map say, "the" to "dodecahedron". But I don't see
> many repeating words, so maybe not. It could also be a stenography program
> that creates the correct structure of a letter on purpose for some reason,
> even though it's not intelligible text (Texto at least contains correct
> sentence structure).
>
> The best steganography of course, is the one you never spot as containing
> hidden data!
>
> Ugh, there are a million things it *could* be... I give up already. It's
> going to be a chore finding out exactly what. Still very intriguing, and if
> you find out what it is... please do share! ;)
>
> Best Regards,
>
> ---
> Robert S. Wojciechowski Jr.
> robertw@wojo.com
>
> -----------------------------------------------------------------
> > On 20-Feb-2000 22:44:07, Richard Martin writes:
> > Has anyone been seeing spam like this lately? It consists of an
> > unintelligible sequence of English words. Seems to be just strings of
> > randomly generated words, but I am wondering if there is something more
> > sinister going on here. Someone accidentally send us an encoded message?
> >
> > ***************
> >
> > Hi. This is the qmail-send program at mail.origen.com.
> > I tried to deliver a bounce message to this address, but the bounce
> bounced!
> >
> > :
> > Sorry, no mailbox here by that name. (#5.1.1)
> >
> > - --- Below this line is the original bounce.
> >
> > Return-Path: <>
> > Received: (qmail 1747 invoked from network); 20 Feb 2000 18:24:44 -0000
> > Received: from www.cause.org (HELO www.educause.edu) (198.59.61.80)
> > by mail.origen.com with SMTP; 20 Feb 2000 18:24:44 -0000
> > From: postmaster@www.cause.org
> > To: zubenanalgenube@origen.com
> > Date: 20 Feb 2000 18:39:16 -0600
> > Message-ID: <036cc2029181488RKWEB@www.educause.edu>
> > Subject: Nondeliverable mail
> > MIME-Version: 1.0
> > Content-Type: Multipart/mixed;
> > boundary = "NTWEBgGK:EVF+?cBGmzmVxN"
> >
> > - --NTWEBgGK:EVF+?cBGmzmVxN
> >
> > - ------Transcript of session follows -------
> > ww@cci.lg.ua
> > 550 ... User unknown
> >
> > - --NTWEBgGK:EVF+?cBGmzmVxN
> > Content-Type: message/rfc822; charset=us-ascii
> >
> > Received: from BEAVISNBUTTHEAD ([63.225.147.56]) by www.educause.edu with
> > Microsoft SMTPSVC(5.5.1877.197.19);
> > Sun, 20 Feb 2000 18:41:03 -0600
> > To: ww@cci.lg.ua
> > From: zubenanalgenube@origen.com
> > Subject: RE: from WW
> > Return-Path: zubenanalgenube@origen.com
> > Message-ID: <036f23327181488RKWEB@www.educause.edu>
> > Date: 20 Feb 2000 18:41:06 -0600
> >
> >
> > StriderCaracas,
> >
> > Falsetto colonel flak devilish Miami experience Raymond polymerase emulate
> > donkey summand Harold paint Daly hill acclimatize evince component seethe
> > sarah1 Jewish Quixote Dowling corwin bye formant prince collusion, society
> > agrimony lithography waybill Mathematik Zealand Shockley diluent Braun
> > retaliate Cortez emphasis hooves we're molt franklin.
> >
> > Ravine graphic., auric moat.
> >
> > Mynah, ogle circumpolar nameplate tablespoon octopus curiosity posthumous
> > optometrist stressful crossbill bitnet ablution abstract javelin, continuum
> > Bentham conflagration Lissajous choose Thomas matriculate cancel reprise.
> > gratuity broad cramp, southernmost jilt, reverberate Joshua malice homework
> > hydrometer ladyfern Fourier biophysic fanfold Alcmena adamant phenolic
> > snowstorm deacon swingable. imputation impel bedding hello washout, hopple
> > spate doltish erupt thrips Farley, swat twiddle pipsissewa boastful ambrosia,
> > oatcake haunch porterhouse DARPA anhydrite cerebral inexhaustible feast impede
> > bombard annie cynthia contractual Nebuchadnezzar. UHF crepe Galloway bleach
> > function psyllium cap, calico porridge tempestuous nature consul regretting
> > Antioch customary halfback distribution canced Salish redound sepulchral
> > kangaroo atonal begrudge factor swine climactic local Skeeter youth Montevideo
> > flash chilblain, spyglass sire Wahl loquacity Rastus waistcoat, kid
> > reclamation greet wipe child. kingdom busywork stake sideshow gauzy hank
> > indiscernible groupoid baud repetition majesty faint. Aubrey Galatea
> > halfhearted inlay Awesome inappeasable NY uprise helmsman lakers scout feeble
> > Whatley, ontology Cochran libretto diablo chatting labia scion tarpaulin.
> >
> > Melee sang counterweight resident boogie bulldoze Eveready, Wilmington tong
> > whitish rockabye duchess continuant clannish Annale nutate entrepreneur jade
> > boatman, stellar, adjoin churchgo scream Clive briefcase Waco wildfire
> > colonist neck concord firework expletive expel gunflint port glob lookup
> > boyhood propionate biometry inability comparison arousal differ skeletal
> > holography pandemonium Laplacian riverbank ringmaster euglena dulse Cassandra
> > Rockland competitor softball handgun successful, gush Cabot congener
> > tripartite ghetto. Grin strabismus Krueger Caesarian., tightwad, Ankara Peru
> > bib coattail galaxy ingrown obsolescent triangular, pinniped amateurish
> > adequacy. theoretician, mentor hyperbolic, sniff chip satisfactory divalent
> > physiotherapist rocky dip, superman, buttonhole, ford, guitar lactose
> > rapprochement steradian Copperfield Ernst class nominee Wakefield wad Czerniak
> > Caracas Clarence island pyrolysis stratosphere eggshell pulley belch blab
> > amnesty uterus poi offensive sciatica electric perspicacious. voice, whereupon
> > foxglove drunk retina radiology Penh limestone. mozzarella titanate
> > guillotine, detractor Interpol propensity aphelion comport arc Tutenkhamon
> > exculpatory filial, eradicable chumming Clarence Calgary Mollie unify babyhood
> > quanta indium. Batchelder Francisco survive marshmallow fumigate bloodshot
> > receive tiger readout academe chatting player, Armonk selenate millstone
> > bartend provision system, exegete botch cytosine Indonesian design chicago
> > tailor wagoneer potent aforethought pacific alway loin benzene moose
> > sympathetic dodecahedron suntanned schist entreaty Comanche anvil yucca.
> >
> > Arch,
> > Ensnare
> >
> >
> > --
> > Richard Martin dmartin@origen.com

--------------F81BACE454FDFAB580CDE9CF--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 22:56: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail6.uunet.ca (mail6.uunet.ca [142.77.1.27])
        by hub.freebsd.org (Postfix) with ESMTP id 971F137BFE7
        for ; Sun, 20 Feb 2000 22:56:01 -0800 (PST)
        (envelope-from matt@ARPA.MAIL.NET)
Received: from epsilon.lucida.qc.ca ([216.95.146.6]) by mail6.uunet.ca
        with ESMTP id <231124-12077>; Mon, 21 Feb 2000 01:55:48 -0500
Date: Mon, 21 Feb 2000 01:55:44 -0500
From: Matt Heckaman
X-Sender: matt@epsilon.lucida.qc.ca
To: FreeBSD-SECURITY
Subject: Re: Strange Spam
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is funny, reading it more carefully - there are also references to
DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
Frequency), and Interpol.

Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,
giving the caliber of words used throughout the message. Another thing
to note, is the capitalization scheme; It appears that proper nouns and
places are for the most part capitalized, with some exceptions such as
"cynthia", "sarah1", and a few others.

All and all, this is nothing but pure conjecture, but it does almost
totally rule out the possibility of it being some random misplaced SPAM
email. It definitely has the form of being intended for someone.

Unfortunately, without figuring the key sequence that this is based on,
it's probably impossible for us to decipher it. My original question still
stands. If this is some kind of code, why would someone do something like
this as opposed to PGP encryption or similar? -- Or both combined for the
very paranoid.

Matt
--
Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
!Powered by FreeBSD/x86!
[http://www.freebsd.org] [any SPAM (UCE) e-mail]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 23: 0:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from max.millenniumworks.com (millenniumworks.com [209.35.190.118])
        by hub.freebsd.org (Postfix) with SMTP id 2D23537B6BC
        for ; Sun, 20 Feb 2000 23:00:12 -0800 (PST)
        (envelope-from robertw@wojo.com)
Received: (qmail 55541 invoked from network); 21 Feb 2000 07:00:10 -0000
Received: from localhost.millenniumworks.com (HELO moe.wojo.net) (127.0.0.1)
        by localhost.millenniumworks.com with SMTP; 21 Feb 2000 07:00:10 -0000
Received: by moe.wojo.net with Internet Mail Service (5.5.2650.21)
        id ; Mon, 21 Feb 2000 02:00:07 -0500
Message-ID:
From: "Robert Wojciechowski Jr."
To: 'Brett Glass'
Cc: "Robert Wojciechowski Jr." , "'freebsd-security@FreeBSD.ORG'"
Subject: RE: Strange Spam
Date: Mon, 21 Feb 2000 02:00:06 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> ----- Original Message -----
> From: Brett Glass [SMTP:brett@lariat.org]
> Sent: Monday, February 21, 2000, 1:32:10
> To: Robert Wojciechowski Jr.; freebsd-security@FreeBSD.ORG
> Subject: Re: Strange Spam
>
>
> Yep. I'll bet that the real message is in the header, and that the
> rest of the spam is just foolishness intended to distract the reader. ;-)
>
> ----- End Of Original Message -----

Now that's a cool idea ;)

Robert S. Wojciechowski Jr.
robertw@wojo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 23: 5: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
        by hub.freebsd.org (Postfix) with ESMTP id F00DF37BAE5
        for ; Sun, 20 Feb 2000 23:04:58 -0800 (PST)
        (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1])
        by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id IAA16877;
        Mon, 21 Feb 2000 08:04:50 +0100 (CET)
        (envelope-from phk@critter.freebsd.dk)
To: Matt Heckaman
Cc: FreeBSD-SECURITY
Subject: Re: Strange Spam
In-reply-to: Your message of "Mon, 21 Feb 2000 01:55:44 EST."
Date: Mon, 21 Feb 2000 08:04:50 +0100
Message-ID: <16875.951116690@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Matt Heckaman writes:

>My original question still
>stands. If this is some kind of code, why would someone do something like
>this as opposed to PGP encryption or similar? -- Or both combined for the
>very paranoid.

Because it can be sent and received over phone, HF, telex etc etc.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 23:13:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175])
        by hub.freebsd.org (Postfix) with ESMTP id 213B437BBD1
        for ; Sun, 20 Feb 2000 23:13:00 -0800 (PST)
        (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com
        with local-esmtp (Exim 3.13 #1) id 12Mn1a-0000we-00
        for freebsd-security@FreeBSD.ORG; Mon, 21 Feb 2000 09:12:54 +0200
From: Sheldon Hearn
To: freebsd-security@FreeBSD.ORG
Reply-To: freebsd-chat@FreeBSD.org
Subject: Re: Strange Spam
In-reply-to: Your message of "Sun, 20 Feb 2000 21:44:07 CST." <38B0B487.CB71D7E1@origen.com>
Date: Mon, 21 Feb 2000 09:12:54 +0200
Message-ID: <3635.951117174@axl.noc.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is OFF TOPIC. The original poster sent this to the list because of
the kind of person he expects to read it, not because it fits in with
the list charter.

Please, people, if this is really worth discussing, it belongs in
freebsd-chat.

*grumble*

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 23:37:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
        by hub.freebsd.org (Postfix) with ESMTP id C1B1737C17E
        for ; Sun, 20 Feb 2000 23:37:23 -0800 (PST)
        (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3)
        id XAA58181; Sun, 20 Feb 2000 23:37:19 -0800 (PST)
        (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200002210737.XAA58181@gndrsh.dnsmgr.net>
Subject: Re: Strange Spam
In-Reply-To: from Matt Heckaman at "Feb 21, 2000 01:55:44 am"
To: matt@ARPA.MAIL.NET (Matt Heckaman)
Date: Sun, 20 Feb 2000 23:37:19 -0800 (PST)
Cc: security@FreeBSD.ORG (FreeBSD-SECURITY)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> This is funny, reading it more carefully - there are also references to
> DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
> Frequency), and Interpol.
>
> Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,

German/Danish dictionary?

> giving the caliber of words used throughout the message. Another thing
> to note, is the capitalization scheme; It appears that proper nouns and
> places are for the most part capitalized, with some exceptions such as
> "cynthia", "sarah1", and a few others.
>
> All and all, this is nothing but pure conjecture, but it does almost
> totally rule out the possibility of it being some random misplaced SPAM
> email. It definitely has the form of being intended for someone.

I agree with that. And would further conjecture the person is at an
unknown location and/or hiding. And has possibly limited access to
resources.

Another think to yourself for a long hard time about _why_ someone might
try to use this form (bulk email) of communications and cryptography of
a weak form to get a message to someone. They probably don't care that
the NSA could crack this in a day, but they do care that every other
person could just read it.
It could say ``Nuclear launch in 6 hours from this transmission'' and
it wouldn't matter that the NSA could crack it in 12 hours, just so long
as all the ``agents'' knew that in 6 hours all hell was going to break
loose around the globe and they need to take care of the last minute
details.

You don't need a sledge hammer to break a piece of tempered glass, a tap
with a 1 ounce hammer works fine if the glass is stricken at the right
angle (usually the edge of the sheet of glass).

>
> Unfortunately, without figuring the key sequence that this is based on,
> it's probably impossible for us to decipher it. My original question still
> stands. If this is some kind of code, why would someone do something like
> this as opposed to PGP encryption or similar? -- Or both combined for the
> very paranoid.

You're assuming the sender of the message has/had a way to get the
recipient's public key. If the recipient is at an unknown location (also
explaining why this is going out as mass email/spam) how would you get
his/her key to encrypt with?

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 20 23:41:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cage.tse-online.de (cage.tse-online.de [194.97.69.170])
        by hub.freebsd.org (Postfix) with SMTP id 7C82837C1A1
        for ; Sun, 20 Feb 2000 23:41:36 -0800 (PST)
        (envelope-from ab@cage.tse-online.de)
Received: (qmail 76993 invoked by uid 1000); 21 Feb 2000 07:44:53 -0000
Date: Mon, 21 Feb 2000 08:44:53 +0100
From: Andreas Braukmann
To: FreeBSD-SECURITY
Subject: Re: Strange Spam
Message-ID: <20000221084453.V31931@cage.tse-online.de>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from matt@ARPA.MAIL.NET on Mon, Feb 21, 2000 at 01:55:44AM -0500
Organization: TSE GmbH - Neue Medien
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Mon, Feb 21, 2000 at 01:55:44AM -0500, Matt Heckaman wrote:
> Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,

"Mathematik" is the correct German spelling at least.

-Andreas

--
: Anti-Spam Petition: http://www.politik-digital.de/spam/ :
: PGP-Key: http://www.tse-online.de/~ab/public-key :
: Key fingerprint: 12 13 EF BC 22 DD F4 B6 3C 25 C9 06 DC D3 45 9B :

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 0:33:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
        by hub.freebsd.org (Postfix) with ESMTP id 846E137BD0F
        for ; Mon, 21 Feb 2000 00:33:14 -0800 (PST)
        (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1])
        by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id JAA17217;
        Mon, 21 Feb 2000 09:32:47 +0100 (CET)
        (envelope-from phk@critter.freebsd.dk)
To: "Rodney W. Grimes"
Cc: matt@ARPA.MAIL.NET (Matt Heckaman), security@FreeBSD.ORG (FreeBSD-SECURITY)
Subject: Re: Strange Spam
In-reply-to: Your message of "Sun, 20 Feb 2000 23:37:19 PST." <200002210737.XAA58181@gndrsh.dnsmgr.net>
Date: Mon, 21 Feb 2000 09:32:46 +0100
Message-ID: <17215.951121966@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200002210737.XAA58181@gndrsh.dnsmgr.net>, "Rodney W. Grimes" writes:

>> This is funny, reading it more carefully - there are also references to
>> DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
>> Frequency), and Interpol.
>>
>> Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,
>German/Danish dictionary?

We don't have the 'h' in there in Danish.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 0:53:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.rcsntx.swbell.net (mta1.rcsntx.swbell.net [151.164.30.25])
        by hub.freebsd.org (Postfix) with ESMTP id B110937BEE8
        for ; Mon, 21 Feb 2000 00:53:48 -0800 (PST)
        (envelope-from jbryant@ppp-208-188-200-9.dialup.kscymo.swbell.net)
Received: from ppp-208-188-200-9.dialup.kscymo.swbell.net ([208.188.200.9])
        by mta1.rcsntx.swbell.net
        (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FQ9001EDVDGK1@mta1.rcsntx.swbell.net>
        for security@FreeBSD.ORG; Mon, 21 Feb 2000 02:53:43 -0600 (CST)
Received: (from jbryant@localhost)
        by ppp-208-188-200-9.dialup.kscymo.swbell.net (8.9.3/8.8.5)
        id CAA77579; Mon, 21 Feb 2000 02:53:37 -0600 (CST)
Date: Mon, 21 Feb 2000 02:53:27 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to:
To: matt@ARPA.MAIL.NET (Matt Heckaman)
Cc: security@FreeBSD.ORG
Reply-To: kc5vdj@swbell.net
Message-id: <200002210853.CAA77579@ppp-208-188-200-9.dialup.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> This is funny, reading it more carefully - there are also references to
> DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
> Frequency), and Interpol.
>
> Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,
> giving the caliber of words used throughout the message. Another thing
> to note, is the capitalization scheme; It appears that proper nouns and
> places are for the most part capitalized, with some exceptions such as
> "cynthia", "sarah1", and a few others.
>
> All and all, this is nothing but pure conjecture, but it does almost
> totally rule out the possibility of it being some random misplaced SPAM
> email. It definitely has the form of being intended for someone.
>
> Unfortunately, without figuring the key sequence that this is based on,
> it's probably impossible for us to decipher it. My original question still
> stands. If this is some kind of code, why would someone do something like
> this as opposed to PGP encryption or similar? -- Or both combined for the
> very paranoid.
>
> Matt
> --
> Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
> !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]

matt, i'm not saying it is or isn't some right wing extremist, but...
to add to your conjecture, i must say that the nsa is at the core of a
lot of their conspiracy theories, and it is widely believed amongst
such groups that the nsa invented every form of encryption, and that
such programs are unsafe for their use.

thus, the ultra-paranoid will use one-time-pad and substitution codes
instead of computer encryption techniques.

i've researched such groups for many years, and you have got to
understand the concept i'm conveying.

jim
--
All opinions expressed are mine, if you    |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid  |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm      KC5VDJ@NW0I.#NEKS.KS.USA.NOAM      kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 1:10:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.rcsntx.swbell.net (mta2.rcsntx.swbell.net [151.164.30.26])
        by hub.freebsd.org (Postfix) with ESMTP id E32F137B6BA
        for ; Mon, 21 Feb 2000 01:10:34 -0800 (PST)
        (envelope-from jbryant@ppp-208-188-200-9.dialup.kscymo.swbell.net)
Received: from ppp-208-188-200-9.dialup.kscymo.swbell.net ([207.193.0.31])
        by mta2.rcsntx.swbell.net
        (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FQ900C52W5EMM@mta2.rcsntx.swbell.net>
        for security@FreeBSD.ORG; Mon, 21 Feb 2000 03:10:29 -0600 (CST)
Received: (from jbryant@localhost)
        by ppp-208-188-200-9.dialup.kscymo.swbell.net (8.9.3/8.8.5)
        id DAA77643; Mon, 21 Feb 2000 03:10:21 -0600 (CST)
Date: Mon, 21 Feb 2000 03:10:12 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to: <200002210737.XAA58181@gndrsh.dnsmgr.net>
To: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes)
Cc: matt@ARPA.MAIL.NET, security@FreeBSD.ORG
Reply-To: kc5vdj@swbell.net
Message-id: <200002210910.DAA77643@ppp-208-188-200-9.dialup.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> > This is funny, reading it more carefully - there are also references to
> > DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
> > Frequency), and Interpol.
> >
> > Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,
> German/Danish dictionary?

fits with the
From: username... zuber-something. i'm not a linguist, but i can
recognize a lot of languages by their sound.

> Another think to yourself for a long hard time about _why_ someone might
> try to use this form (bulk email) of communications and cryptography of
> a weak form to get a message to someone. They probably don't care that
> the NSA could crack this in a day, but they do care that every other
> person could just read it.

and we all know that all attempts to legislate traceability in spam have
been blocked by spammers. worldwide.

if you wanted to coordinate a terrorist op, or something covert and get
a message to the operatives or the coordinator, spam is one way to do it
without being caught.

i'm not condoning this by stating this, my personal belief is that
absolute untamperable traceability should be mandated as part of the
protocols themselves.

> It could say ``Nuclear launch in 6 hours from this transmission'' and
> it wouldn't matter that the NSA could crack it in 12 hours, just so long
> as all the ``agents'' knew that in 6 hours all hell was going to break
> loose around the globe and they need to take care of the last minute
> details.

exactly. the usable lifespan of the plaintext is a serious
consideration.

> You're assuming the sender of the message has/had a way to get the recipient's
> public key. If the recipient is at an unknown location (also explaining
> why this is going out as mass email/spam) how would you get his/her key to
> encrypt with?

do cuba and other countries mail militia schizos the pad after the
numbers are sent? no. the pad is already in the recipient's possession.

it becomes a matter of finding the individual. even though the
destination was the ukraine, and i am speaking from an american point of
view, in the reverse situation, my arguments for traceability still apply.
jim
--
All opinions expressed are mine, if you    |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid  |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm      KC5VDJ@NW0I.#NEKS.KS.USA.NOAM      kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 1:14:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
        by hub.freebsd.org (Postfix) with ESMTP id 5940437BE17;
        Mon, 21 Feb 2000 01:14:42 -0800 (PST)
        (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
        by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA97488;
        Mon, 21 Feb 2000 01:14:42 -0800 (PST)
        (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Mon, 21 Feb 2000 01:14:42 -0800 (PST)
From: Kris Kennaway
To: Richard Martin
Cc: freebsd-security@freebsd.org
Subject: Re: Strange Spam
In-Reply-To: <38B0B487.CB71D7E1@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Feb 2000, Richard Martin wrote:

> Has anyone been seeing spam like this lately? It consists of an
> unintelligible sequence of English words. Seems to be just strings of
> randomly generated words, but I am wondering if there is something more
> sinister going on here. Someone accidentally sent us an encoded message?

I'm wondering if this was an attempt to saturate Echelon by spamming
messages which are likely to trip its detection criteria (someone else
noted the right-wing and technical jargon). The (lack of) sentence
structure would probably flag it as a false positive (the NSA seem to have
some fairly sophisticated language analysis systems working for them from
what's available in the open literature), but the originator might not
have known how to create plausible English garbage messages.

It's certainly very strange.
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 1:18:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28])
        by hub.freebsd.org (Postfix) with ESMTP id 5B84737BF42
        for ; Mon, 21 Feb 2000 01:17:01 -0800 (PST)
        (envelope-from jbryant@ppp-207-193-0-31.kscymo.swbell.net)
Received: from ppp-207-193-0-31.kscymo.swbell.net ([207.193.0.31])
        by mta4.rcsntx.swbell.net
        (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FQ90032WWG81G@mta4.rcsntx.swbell.net>
        for security@FreeBSD.ORG; Mon, 21 Feb 2000 03:16:59 -0600 (CST)
Received: (from jbryant@localhost)
        by ppp-207-193-0-31.kscymo.swbell.net (8.9.3/8.8.5)
        id DAA77674; Mon, 21 Feb 2000 03:16:53 -0600 (CST)
Date: Mon, 21 Feb 2000 03:16:44 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to: <200002210737.XAA58181@gndrsh.dnsmgr.net>
To: freebsd@gndrsh.dnsmgr.net (Rodney W. Grimes)
Cc: matt@ARPA.MAIL.NET, security@FreeBSD.ORG
Reply-To: kc5vdj@swbell.net
Message-id: <200002210916.DAA77674@ppp-207-193-0-31.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> > Also, Mathematic is misspelled to "Mathematik" which strikes me as odd,
> German/Danish dictionary?
>
> It could say ``Nuclear launch in 6 hours from this transmission'' and
> it wouldn't matter that the NSA could crack it in 12 hours, just so long
> as all the ``agents'' knew that in 6 hours all hell was going to break
> loose around the globe and they need to take care of the last minute
> details.

hmmm.. interesting thought. Wasn't Mathematik the name of Newton's book
where he published his laws that are so well known, especially in the
field of astrodynamics?

At least I think it was Newton. It was the title of one of the
"classics", in the original.

jim
--
All opinions expressed are mine, if you    |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid  |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      |  numbered!"
- #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm      KC5VDJ@NW0I.#NEKS.KS.USA.NOAM      kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 1:55:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3])
        by hub.freebsd.org (Postfix) with ESMTP id 512F837BC0B
        for ; Mon, 21 Feb 2000 01:55:47 -0800 (PST)
        (envelope-from newton@atdot.dotat.org)
Received: (from newton@localhost) by atdot.dotat.org (8.9.3/8.9.3)
        id UAA46086; Mon, 21 Feb 2000 20:25:26 +1030 (CST)
        (envelope-from newton)
Date: Mon, 21 Feb 2000 20:25:26 +1030
From: Mark Newton
To: kc5vdj@swbell.net
Cc: Matt Heckaman , security@FreeBSD.ORG
Subject: Re: Strange Spam
Message-ID: <20000221202526.A46067@atdot.dotat.org>
References: <200002210853.CAA77579@ppp-208-188-200-9.dialup.kscymo.swbell.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200002210853.CAA77579@ppp-208-188-200-9.dialup.kscymo.swbell.net>; from jbryant@ppp-208-188-200-9.dialup.kscymo.swbell.net on Mon, Feb 21, 2000 at 02:53:27AM -0600
X-PGP-Key: http://slash.dotat.org/~newton/pgpkey.txt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Feb 21, 2000 at 02:53:27AM -0600, Jim Bryant wrote:

> In reply:
> > This is funny, reading it more carefully - there are also references to
> > DARPA (Defense Advanced Research Projects Agency), UHF (Ultra High
> > Frequency), and Interpol.
[ ... ]
> > Unfortunately, without figuring the key sequence that this is based on,
> > it's probably impossible for us to decipher it. My original question still
> > stands. If this is some kind of code, why would someone do something like
> > this as opposed to PGP encryption or similar? -- Or both combined for the
> > very paranoid.
>
> matt, i'm not saying it is or isn't some right wing extremist, but...
> to add to your conjecture, i must say that the nsa is at the core of a
> lot of their conspiracy theories, and it is widely believed amongst
> such groups that the nsa invented every form of encryption, and that
> such programs are unsafe for their use.

Are you all quite certain that it wasn't just some random luser who
accidentally typed "ESC-100-ESC-x-spook" in emacs?

- mark
[ occam's razor can be a dangerous thing... ]

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
but it hurt when I walked.
Mark Newton ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 2:27:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from mta2.rcsntx.swbell.net (mta2.rcsntx.swbell.net [151.164.30.26]) by hub.freebsd.org (Postfix) with ESMTP id A4B9C37BBFC; Mon, 21 Feb 2000 02:27:23 -0800 (PST) (envelope-from jbryant@ppp-207-193-0-31.kscymo.swbell.net) Received: from ppp-207-193-0-31.kscymo.swbell.net ([207.193.0.2]) by mta2.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with ESMTP id <0FQ900M3TZPFUV@mta2.rcsntx.swbell.net>; Mon, 21 Feb 2000 04:27:19 -0600 (CST) Received: (from jbryant@localhost) by ppp-207-193-0-31.kscymo.swbell.net (8.9.3/8.8.5) id EAA77853; Mon, 21 Feb 2000 04:27:14 -0600 (CST) Date: Mon, 21 Feb 2000 04:27:05 -0600 (CST) 
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to:
To: kris@FreeBSD.org (Kris Kennaway)
Cc: dmartin@origen.com, freebsd-security@FreeBSD.org
Reply-To: kc5vdj@swbell.net
Message-id: <200002211027.EAA77853@ppp-207-193-0-31.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> On Sun, 20 Feb 2000, Richard Martin wrote:
>
> > Has anyone been seeing spam like this lately? It consists of an
> > unintelligible sequence of English words. Seems to be just strings of
> > randomly generated words, but I am wondering if there is something more
> > sinister going on here. Someone accidentally send us an encoded message?
>
> I'm wondering if this was an attempt to saturate Echelon by spamming
> messages which are likely to trip its detection criteria (someone else
> noted the right-wing and technical jargon). The (lack of) sentence
> structure would probably flag it as a false positive (the NSA seem to have
> some fairly sophisticated language analysis systems working for them from
> what's available in the open literature), but the originator might not
> have known how to create plausible english garbage messages.
>
> It's certainly very strange.
>
> Kris

honestly. how much experience do you have in the computer field?

echelon is a great idea, but i honestly don't think the computing
power exists to filter ALL internet traffic through a centralized
location.

i have worked in the telecom industry, and i can say that none of the
systems at any place i've ever worked at were involved in any such
activity.

occam's razor dictates that the entire echelon thing is just another
commie-style recruitment tactic that right-wing extremist groups use.

mail me privately and i'll give irrefutable commie sources for at
least 90% of current right wing conspiracy theories. irrefutable
because the right wing itself established the source.

jim
--
All opinions expressed are mine, if you   |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!     |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm KC5VDJ@NW0I.#NEKS.KS.USA.NOAM kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

From owner-freebsd-security Mon Feb 21 5:28:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10])
    by hub.freebsd.org (Postfix) with SMTP id 45B3637BC1E
    for ; Mon, 21 Feb 2000 05:28:54 -0800 (PST)
    (envelope-from oogali@intranova.net)
Received: (qmail 2218 invoked from network); 21 Feb 2000 04:28:59 -0000
Received: from localhost (oogali@127.0.0.1)
    by hydrant.intranova.net with SMTP; 21 Feb 2000 04:28:59 -0000
Date: Sun, 20 Feb 2000 23:28:59 -0500 (EST)
From: Omachonu Ogali
To: Lowell Gilbert
Cc: freebsd-security@freebsd.org
Subject: Re: Random Sequence Numbers
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Har, Har, Har.

On 20 Feb 2000, Lowell Gilbert wrote:

> Omachonu Ogali writes:
>
> > That was dropped a while ago and I saw that post Steven did, and secondly
> > Dan told me he's done it already so there was no need to go on as it was
> > only about 4-5 lines of code.
>
> Actually, what Dan had done was randomizing the *initial* sequence
> numbers in a TCP session, as (in fact) Bellovin described in RFC 1948.
> What *your* code did was randomize *every* packet's sequence number.
> I still insist on believing that you had to be kidding, because the idea
> and the execution both qualify among the best spoofs I've seen in weeks.
>
> - Lowell Gilbert
>

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:        C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

From owner-freebsd-security Mon Feb 21 5:43:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179])
    by hub.freebsd.org (Postfix) with ESMTP id E1CE337BD4F
    for ; Mon, 21 Feb 2000 05:43:14 -0800 (PST)
    (envelope-from mencl@nenya.ms.mff.cuni.cz)
Received: from localhost (mencl@localhost)
    by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id OAA07413;
    Mon, 21 Feb 2000 14:43:10 +0100 (MET)
Date: Mon, 21 Feb 2000 14:43:10 +0100 (MET)
From: "Vladimir Mencl, MK, susSED"
To: Tom Marchand
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Controlled Network Access
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 19 Feb 2000, Tom Marchand wrote:

> I would like to control which users can access tcpip utilities(ftp,telnet,
> etc) by using groups. I realize that this can be accomplished via the
> proper file permissions on each utility. This works but it will not prevent
> somebody from compiling their own ftp, telnet etc. My thought was to
> perform the authorization at the socket level. This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket. Does anybody know if this has been done or if it would
> even work? I originally had this requirement at work to lock down external
> vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> member of the system group to access network utilities.

In Jun 99, a discussion was here proposing a new securelevel 4, at which
privileged ports would be blocked even for root.

A result of the discussion was, that a complete mechanism for maintaining
security policies regarding generic port-ranges would be strongly
welcome, however, I suppose nobody developed it yet. If anybody did, that
would be a solution for you.

You may search that thread by
Subject: proposed secure-level 4 patch

Best regards

Vlada Mencl

From owner-freebsd-security Mon Feb 21 9: 7:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP id 00C2A37BF0D
    for ; Mon, 21 Feb 2000 09:07:10 -0800 (PST)
    (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA84596;
    Mon, 21 Feb 2000 12:07:46 -0500 (EST)
    (envelope-from robert@cyrus.watson.org)
Date: Mon, 21 Feb 2000 12:07:46 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Chris D. Faulhaber"
Cc: Tom Marchand , freebsd-security@freebsd.org
Subject: jail, ipfw, Re: Controlled Network Access
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 19 Feb 2000, Chris D. Faulhaber wrote:

> On Sat, 19 Feb 2000, Tom Marchand wrote:
>
> > I would like to control which users can access tcpip utilities(ftp,telnet,
> > etc) by using groups. I realize that this can be accomplished via the
> > proper file permissions on each utility. This works but it will not prevent
> > somebody from compiling their own ftp, telnet etc. My thought was to
> > perform the authorization at the socket level. This would entail
> > modification of the kernel to only allow root or a member of the tcpip group
> > to open a socket. Does anybody know if this has been done or if it would
> > even work? I originally had this requirement at work to lock down external
> > vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> > member of the system group to access network utilities.
> >
>
> Although not at the socket() level, you may want to look into uid/gid
> filtering via ipfw.

As you point out, the ipfw uid-based limiting can do some of what was
described. I use ipfw uid-based limitations on a jail/NAT box to limit
which jail users can access my internal network from within the jail.
Note that with jails in place, you can have strange uid-mapping problems,
as different sections of the machine will map different uids to different
``users''. And since ipfw is not jail-aware, this can cause confusion.

As I seem to be picking up some stewardship of the jail code, I'm
considering a few changes for some future version of FreeBSD:

- Allocate each jail a unique jailid, replacing jailname as the management
  identifier (as it can be changed within the jail unless
  jail.set_hostname_allowed is set, which is a desirable feature, but bad
  if you use that proc field to manage jails!)

- Allow signal delivery to a jailid, resulting in the signal going to all
  processes in the jail--good for shutdown/management stuff.

- Access to jailid via ps(1)

- jailinit(8), a ``first process in the jail'' with functionality similar
  to init(8), allowing for clean startup, shutdown of jails, binding vtys
  to jails in a sane way, etc. In particular, this would mean you could
  deliver an appropriate signal to the right jailinit to start an orderly
  shutdown of the jail from outside the jail, resorting to
  jailkill(jailid, SIGKILL) only when something refuses to die.

- Nifty management utility for creating, destroying, starting, and
  stopping jails, possibly also at boot time.

I'd also like to look at, but have not evaluated the technical feasibility
of, adding a ``jail [jailid]'' behavior to ipfw. However, this would
suggest putting jailid in ucred, and there are issues with doing this :-).
I have extended ucred a number of times in the past for various
projects--you get warnings from nfs due to union expansion, etc.

Any thoughts on related improvements are welcome--most of my current round
of improvements (security cleanups, documentation, etc) have gone into
4.0-CURRENT, with only a few things left (chflags fix is in progress).

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Mon Feb 21 9: 8:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2])
    by hub.freebsd.org (Postfix) with ESMTP id 3A87B37BE1C
    for ; Mon, 21 Feb 2000 09:08:39 -0800 (PST)
    (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Mon, 21 Feb 2000 10:08:23 -0700 (MST)
Received: from unknown(192.168.1.109)
    by gatekeeper.veriohosting.com via smap (V3.1.1) id xma026182;
    Mon, 21 Feb 00 10:08:08 -0700
Received: (hart@localhost)
    by anchovy.orem.iserver.com (8.9.3) id KAA84156;
    Mon, 21 Feb 2000 10:07:09 -0700 (MST)
Date: Mon, 21 Feb 2000 10:07:09 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: kc5vdj@swbell.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Strange Spam
In-Reply-To: <200002211027.EAA77853@ppp-207-193-0-31.kscymo.swbell.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 21 Feb 2000, Jim Bryant wrote:

> echelon is a great idea, but i honestly don't think the computing
> power exists to filter ALL internet traffic through a centralized
> location.

It doesn't have to be ALL Internet traffic, just SELECTED Internet
traffic. Perhaps it's in the NSA's best interest for you to THINK it
can't be done.

> i have worked in the telecom industry, and i can say that none of the
> systems at any place i've ever worked at were involved in any such
> activity.

You don't actually think they'd let you know about it, do you? ;-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Feb 21 10: 3: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28])
    by hub.freebsd.org (Postfix) with ESMTP id E914A37B51D
    for ; Mon, 21 Feb 2000 10:02:56 -0800 (PST)
    (envelope-from jbryant@ppp-207-193-2-169.kscymo.swbell.net)
Received: from ppp-207-193-2-169.kscymo.swbell.net ([207.193.2.169])
    by mta4.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
    with ESMTP id <0FQA007EUKSN1E@mta4.rcsntx.swbell.net>
    for freebsd-security@FreeBSD.ORG; Mon, 21 Feb 2000 12:02:51 -0600 (CST)
Received: (from jbryant@localhost)
    by ppp-207-193-2-169.kscymo.swbell.net (8.9.3/8.8.5) id MAA78734;
    Mon, 21 Feb 2000 12:02:45 -0600 (CST)
Date: Mon, 21 Feb 2000 12:02:35 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to:
To: hart@iserver.com (Paul Hart)
Cc: kc5vdj@swbell.net, freebsd-security@FreeBSD.ORG
Reply-To: kc5vdj@swbell.net
Message-id: <200002211802.MAA78734@ppp-207-193-2-169.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> On Mon, 21 Feb 2000, Jim Bryant wrote:
>
> > echelon is a great idea, but i honestly don't think the computing
> > power exists to filter ALL internet traffic through a centralized
> > location.
>
> It doesn't have to be ALL Internet traffic, just SELECTED Internet
> traffic. Perhaps it's in the NSA's best interest for you to THINK it
> can't be done.

then you are admitting that the right-wing conspiracy theories are
false. their conspiracy theories even go as far as to say the system
monitors every phone call made by anyone from anywhere...

i said that i doubt if the computing power exists to filter at the
scale of the conspiracy theories concerning echelon, much less the
audio. and i stand by that.

now targeted monitoring is legal, moral, and possible. there is a
difference.

> > i have worked in the telecom industry, and i can say that none of the
> > systems at any place i've ever worked at were involved in any such
> > activity.
>
> You don't actually think they'd let you know about it, do you? ;-)

if the nsa had such systems colocated, you would know. ask anyone who
has ever worked in a military CO how the keys are changed on secure
lines. and we are talking several magnitudes of order above that.

the right wing con-speerisay theories are adamant that ALL traffic is
being filtered, as a recruitment tactic.

keep in mind that such groups have spouted such paranoid crap since
the 70's [possibly before] about indiscriminate mass-filtering of all
telecom. also such right wing groups seem to get anal-probed by ET
every other night, if you listen to everything they say.

anyhow, this is a moot point. the NSA has a job to do, and targeted
interception is within the bounds of their job, and it's a job that
has to be done. there are domestic right-wing terrorist acts every
day of the week these days [the majority don't make the news, but they
do make the court records], and international terrorist incidents
every day of the week elsewhere.

this is america. you can say what you want, so long as the concepts
being discussed are divorced from illegal action. once they cross the
line, screw them.

jim
--
All opinions expressed are mine, if you   |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!     |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm KC5VDJ@NW0I.#NEKS.KS.USA.NOAM kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

From owner-freebsd-security Mon Feb 21 10:20:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.scls.lib.wi.us (mail.scls.lib.wi.us [198.150.40.25])
    by hub.freebsd.org (Postfix) with ESMTP id 499C337B516
    for ; Mon, 21 Feb 2000 10:20:29 -0800 (PST)
    (envelope-from gregb@scls.lib.wi.us)
Received: from netadmin (natgate.scls.lib.wi.us [198.150.40.60])
    by mail.scls.lib.wi.us (8.7.5/8.7.3) with ESMTP id MAA17724
    for ; Mon, 21 Feb 2000 12:20:57 -0600 (CST)
Message-Id: <4.2.2.20000221121139.05b25ce0@mail.scls.lib.wi.us>
X-Sender: gregb@mail.scls.lib.wi.us
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Mon, 21 Feb 2000 12:18:05 -0600
To: freebsd-security@freebsd.org
From: Greg Barniskis
Subject: Re: Strange Spam
In-Reply-To: <200002211802.MAA78734@ppp-207-193-2-169.kscymo.swbell.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:02 PM 2/21/00, they wrote:

>then you are admitting that the right-wing conspiracy theories are
>false. their conspiracy theories even go as far as to say the system
>monitors every phone call made by anyone from anywhere...

please kill this thread, it never had anything to do with FreeBSD!

I (and many others) think it imperative that this list stay focused on
FreeBSD and only delve into general security topics insofar as necessary
to make FreeBSD more secure.

Thank you!

From owner-freebsd-security Mon Feb 21 11:49:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.xnet.com (quake.xnet.com [198.147.221.67])
    by hub.freebsd.org (Postfix) with ESMTP id 6020237B55B
    for ; Mon, 21 Feb 2000 11:49:19 -0800 (PST)
    (envelope-from drwho@xnet.com)
Received: from hurricane.xnet.com (typhoon.xnet.com [198.147.221.66])
    by mail.xnet.com (8.9.3+Sun/XNet-3.0R) with ESMTP id NAA05669
    for ; Mon, 21 Feb 2000 13:49:13 -0600 (CST)
Received: by hurricane.xnet.com (Postfix, from userid 5500)
    id A93FB5ED69; Mon, 21 Feb 2000 13:49:12 -0600 (CST)
Date: Mon, 21 Feb 2000 13:49:12 -0600
From: Michael Maxwell
To: freebsd-security@freebsd.org
Subject: Re: Strange Spam
Message-ID: <20000221134912.A17777@typhoon.xnet.com>
References: <200002211802.MAA78734@ppp-207-193-2-169.kscymo.swbell.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200002211802.MAA78734@ppp-207-193-2-169.kscymo.swbell.net>;
    from jbryant@ppp-207-193-2-169.kscymo.swbell.net on Mon, Feb 21, 2000 at 12:02:35PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Feb 21, 2000 at 12:02:35PM -0600, Jim Bryant wrote:
> the right wing con-speerisay theories are adamant that ALL traffic is

Why all the unfounded attacks on right-wing political ideology? Especially
in those cases where the ideology being described is distinctly either
left-wing or non-partisan?

More propaganda?

--
Fight email spam: http://www.cauce.org/

From owner-freebsd-security Mon Feb 21 12: 6:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from make.yi.org (vp033.dmp01.sea.blarg.net [206.124.142.33])
    by hub.freebsd.org (Postfix) with ESMTP id 7FBAA37B60A
    for ; Mon, 21 Feb 2000 12:06:21 -0800 (PST)
    (envelope-from kosmos@blarg.net)
Received: from localhost (kosmos@localhost)
    by make.yi.org (8.9.3/8.9.3) with ESMTP id MAA90678
    for ; Mon, 21 Feb 2000 12:07:59 -0800 (PST)
    (envelope-from kosmos@blarg.net)
X-Authentication-Warning: make.yi.org: kosmos owned process doing -bs
Date: Mon, 21 Feb 2000 12:07:58 -0800 (PST)
From: kosmos
X-Sender: kosmos@make.yi.org
To: freebsd-security@freebsd.org
Subject: re: strange spam
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Looks like some of the stuff on die.net to throw off web spiders.

The word: Czerniak appears at:
http://www.die.net/random/y/k/b/index.htm
but not in FreeBSD dictionaries. Are our dictionaries the same as what
appear on other platforms, like Solaris?

--Allan

From owner-freebsd-security Mon Feb 21 12:57: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta3.rcsntx.swbell.net (mta3.rcsntx.swbell.net [151.164.30.27])
    by hub.freebsd.org (Postfix) with ESMTP id 65F8D37BDA1
    for ; Mon, 21 Feb 2000 12:56:57 -0800 (PST)
    (envelope-from jbryant@ppp-207-193-2-169.kscymo.swbell.net)
Received: from ppp-207-193-2-169.kscymo.swbell.net ([207.193.2.169])
    by mta3.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
    with ESMTP id <0FQA00DJISTFCQ@mta3.rcsntx.swbell.net>
    for freebsd-security@freebsd.org; Mon, 21 Feb 2000 14:56:46 -0600 (CST)
Received: (from jbryant@localhost)
    by ppp-207-193-2-169.kscymo.swbell.net (8.9.3/8.8.5) id OAA79083;
    Mon, 21 Feb 2000 14:56:01 -0600 (CST)
Date: Mon, 21 Feb 2000 14:55:51 -0600 (CST)
From: Jim Bryant
Subject: Re: Strange Spam
In-reply-to: <20000221134912.A17777@typhoon.xnet.com>
To: drwho@xnet.com (Michael Maxwell)
Cc: freebsd-security@freebsd.org
Reply-To: kc5vdj@swbell.net
Message-id: <200002212056.OAA79083@ppp-207-193-2-169.kscymo.swbell.net>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Windows: R00LZ!@# MS-Winbl0wz DR00LZ!@#
X-files: The truth is that the X-Files is fiction
X-Republican: The best kind!!!
X-Operating-System: FreeBSD 4.0-CURRENT #8: Sat Oct 30 00:56:56 CDT 1999
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In reply:
> On Mon, Feb 21, 2000 at 12:02:35PM -0600, Jim Bryant wrote:
> > the right wing con-speerisay theories are adamant that ALL traffic is
>
> Why all the unfounded attacks on right-wing political ideology? Especially

just the facts.

how is PROPERLY attributing the sources of wild conspiracy theories
considered an attack?

want sources? get ready for a very long list... my source info comes
straight from the right-wing pages and radio shows, they clearly
demonstrate every symptom of paranoid schizophrenia on their own,
there is no need for me to embellish the story.

when i relate statements like i have, i can back it up with source
info directly from the people i speak of.

jim
--
All opinions expressed are mine, if you   |  "I will not be pushed, stamped,
think otherwise, then go jump into turbid |  briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!     |  numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
KC5VDJ - HF to 23cm KC5VDJ@NW0I.#NEKS.KS.USA.NOAM kc5vdj@swbell.net
------------------------------------------------------------------------------
IC-706MkII - IC-T81A - HTX-202 - HTX-212 - HTX-404 - KPC3+ - PK-232MBX/DSP

From owner-freebsd-security Mon Feb 21 14: 5: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n0b.san.rr.com (dt051n0b.san.rr.com [204.210.32.11])
    by hub.freebsd.org (Postfix) with ESMTP id E39C037B517
    for ; Mon, 21 Feb 2000 14:04:58 -0800 (PST)
    (envelope-from Doug@gorean.org)
Received: from gorean.org (master [10.0.0.2])
    by dt051n0b.san.rr.com (8.9.3/8.9.3) with ESMTP id OAA15139;
    Mon, 21 Feb 2000 14:04:46 -0800 (PST)
    (envelope-from Doug@gorean.org)
Message-ID: <38B1B612.B8D45E8F@gorean.org>
Date: Mon, 21 Feb 2000 14:02:58 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.7 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: kc5vdj@swbell.net
Cc: Michael Maxwell , freebsd-security@freebsd.org
Subject: Re: Strange Spam
References: <200002212056.OAA79083@ppp-207-193-2-169.kscymo.swbell.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Bryant wrote:
>
> In reply:
> > On Mon, Feb 21, 2000 at 12:02:35PM -0600, Jim Bryant wrote:
> > > the right wing con-speerisay theories are adamant that ALL traffic is
> >
> > Why all the unfounded attacks on right-wing political ideology? Especially
>
> just the facts.
>
> how is PROPERLY attributing the sources of wild conspiracy theories
> considered an attack?

Even if this topic had any relevance to this list previously y'all have
just pole vaulted over the line. Either discontinue this thread altogether
or move it to -chat.

Thanks,

Doug
--
"Welcome to the desert of the real."

- Laurence Fishburne as Morpheus, "The Matrix"

From owner-freebsd-security Mon Feb 21 14:35:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.xnet.com (quake.xnet.com [198.147.221.67])
    by hub.freebsd.org (Postfix) with ESMTP id 62FFF37B5C0
    for ; Mon, 21 Feb 2000 14:35:51 -0800 (PST)
    (envelope-from drwho@xnet.com)
Received: from hurricane.xnet.com (typhoon.xnet.com [198.147.221.66])
    by mail.xnet.com (8.9.3+Sun/XNet-3.0R) with ESMTP id QAA29532
    for ; Mon, 21 Feb 2000 16:35:45 -0600 (CST)
Received: by hurricane.xnet.com (Postfix, from userid 5500)
    id B80FF5ED69; Mon, 21 Feb 2000 16:35:44 -0600 (CST)
Date: Mon, 21 Feb 2000 16:35:44 -0600
From: Michael Maxwell
To: freebsd-security@freebsd.org
Subject: Re: Strange Spam
Message-ID: <20000221163544.B313@typhoon.xnet.com>
References: <200002212056.OAA79083@ppp-207-193-2-169.kscymo.swbell.net> <38B1B612.B8D45E8F@gorean.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38B1B612.B8D45E8F@gorean.org>;
    from Doug@gorean.org on Mon, Feb 21, 2000 at 02:02:58PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Feb 21, 2000 at 02:02:58PM -0800, Doug Barton wrote:
> Even if this topic had any relevance to this list previously y'all have
> just pole vaulted over the line. Either discontinue this thread altogether
> or move it to -chat.

I agree completely. I'm done with it, and I only added one post to it. And
I only bothered to add *that*, since I was tired of an otherwise
"interesting" thread (though not topic-relevant) being soiled with someone's
unfounded, paranoid, and conspiratorial attacks on right-wing political
ideology.

EOT

--
Fight email spam: http://www.cauce.org/

From owner-freebsd-security Mon Feb 21 16:14:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123])
    by hub.freebsd.org (Postfix) with ESMTP id A7F7D37B576
    for ; Mon, 21 Feb 2000 16:14:06 -0800 (PST)
    (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169])
    by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
    with SMTP id <0FQB005UX1R1DN@mta2.snfc21.pbi.net>
    for freebsd-security@freebsd.org; Mon, 21 Feb 2000 16:09:04 -0800 (PST)
Date: Mon, 21 Feb 2000 16:11:29 -0800
From: The Mad Scientist
Subject: Re: Strange Spam
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.20000221153114.00981950@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

All,

I did some quick frequency analysis of the spam. I don't think it's a
substitution cipher at the word level. Each word occurs only once except
for 'Clarence' and 'chatting' which appear twice each. At the character
level, the text conforms more or less to frequencies of English text. I
don't have a German or Danish frequency table handy, and the spelling of
Mathematik seems to suggest that one should look at those comparisons.

It could be some form of stenography if it is even anything cryptographic.
My guess would be a content fooler. I can't begin to guess why someone
would send such a document. I pasted the first five or so words into
www.dogpile.com and got mostly wordlists, porn sites and seemingly
non-related sites. (AltaVista produced its usual overkill of 1,102,396
documents.)

Here's the results of my little perl counter.

Letter frequency analysis:

watchtower:/home/king/bin-> ./freqanal.pl -c < /var/tmp/sampletext
Word    Count Percentage
1           1     0.0349
A          10     0.3488
B           3     0.1046
C          14     0.4883
D           3     0.1046
E           3     0.1046
F           5     0.1744
G           3     0.1046
H           2     0.0698
I           2     0.0698
J           2     0.0698
K           1     0.0349
L           2     0.0698
M           6     0.2093
N           2     0.0698
P           3     0.1046
Q           1     0.0349
R           5     0.1744
S           4     0.1395
T           2     0.0698
U           1     0.0349
W           5     0.1744
Y           1     0.0349
Z           1     0.0349
a         270     9.4175
b          61     2.1277
c         135     4.7088
d          82     2.8601
e         293    10.2197
f          39     1.3603
g          58     2.0230
h          97     3.3833
i         212     7.3945
j           6     0.2093
k          30     1.0464
l         169     5.8947
m          78     2.7206
n         187     6.5225
o         213     7.4294
p          86     2.9997
q           3     0.1046
r         182     6.3481
s         154     5.3715
t         202     7.0457
u          98     3.4182
v          20     0.6976
w          30     1.0464
x           9     0.3139
y          61     2.1277
z          10     0.3488

Word frequency analysis:

watchtower:/home/king/bin-> ./freqanal.pl -w < /var/tmp/sampletext
Word            Count Percentage
Alcmena             1    0.2551
Ankara              1    0.2551
Annale              1    0.2551
Antioch             1    0.2551
Arch                1    0.2551
Armonk              1    0.2551
Aubrey              1    0.2551
Awesome             1    0.2551
Batchelder          1    0.2551
Bentham             1    0.2551
Braun               1    0.2551
Cabot               1    0.2551
Caesarian           1    0.2551
Calgary             1    0.2551
Caracas             1    0.2551
Cassandra           1    0.2551
Clarence            2    0.5102
Clive               1    0.2551
Cochran             1    0.2551
Comanche            1    0.2551
Copperfield         1    0.2551
Cortez              1    0.2551
Czerniak            1    0.2551
DARPA               1    0.2551
Daly                1    0.2551
Dowling             1    0.2551
Ensnare             1    0.2551
Ernst               1    0.2551
Eveready            1    0.2551
Falsetto            1    0.2551
Farley              1    0.2551
Fourier             1    0.2551
Francisco           1    0.2551
Galatea             1    0.2551
Galloway            1    0.2551
Grin                1    0.2551
Harold              1    0.2551
Indonesian          1    0.2551
Interpol            1    0.2551
Jewish              1    0.2551
Joshua              1    0.2551
Krueger             1    0.2551
Laplacian           1    0.2551
Lissajous           1    0.2551
Mathematik          1    0.2551
Melee               1    0.2551
Miami               1    0.2551
Mollie              1    0.2551
Montevideo          1    0.2551
Mynah               1    0.2551
NY                  1    0.2551
Nebuchadnezzar      1    0.2551
Penh                1    0.2551
Peru                1    0.2551
Quixote             1    0.2551
Rastus              1    0.2551
Ravine              1    0.2551
Raymond             1    0.2551
Rockland            1    0.2551
Salish              1    0.2551
Shockley            1    0.2551
Skeeter             1    0.2551
StriderCaracas      1    0.2551
Thomas              1    0.2551
Tutenkhamon         1    0.2551
UHF                 1    0.2551
Waco                1    0.2551
Wahl                1    0.2551
Wakefield           1    0.2551
Whatley             1    0.2551
Wilmington 1 0.2551 Zealand 1 0.2551 ablution 1 0.2551 abstract 1 0.2551 academe 1 0.2551 acclimatize 1 0.2551 adamant 1 0.2551 adequacy 1 0.2551 adjoin 1 0.2551 aforethought 1 0.2551 agrimony 1 0.2551 alway 1 0.2551 amateurish 1 0.2551 ambrosia 1 0.2551 amnesty 1 0.2551 anhydrite 1 0.2551 annie 1 0.2551 anvil 1 0.2551 aphelion 1 0.2551 arc 1 0.2551 arousal 1 0.2551 atonal 1 0.2551 auric 1 0.2551 babyhood 1 0.2551 bartend 1 0.2551 baud 1 0.2551 bedding 1 0.2551 begrudge 1 0.2551 belch 1 0.2551 benzene 1 0.2551 bib 1 0.2551 biometry 1 0.2551 biophysic 1 0.2551 bitnet 1 0.2551 blab 1 0.2551 bleach 1 0.2551 bloodshot 1 0.2551 boastful 1 0.2551 boatman 1 0.2551 bombard 1 0.2551 boogie 1 0.2551 botch 1 0.2551 boyhood 1 0.2551 briefcase 1 0.2551 broad 1 0.2551 bulldoze 1 0.2551 busywork 1 0.2551 buttonhole 1 0.2551 bye 1 0.2551 calico 1 0.2551 canced 1 0.2551 cancel 1 0.2551 cap 1 0.2551 cerebral 1 0.2551 chatting 2 0.5102 chicago 1 0.2551 chilblain 1 0.2551 child 1 0.2551 chip 1 0.2551 choose 1 0.2551 chumming 1 0.2551 churchgo 1 0.2551 circumpolar 1 0.2551 clannish 1 0.2551 class 1 0.2551 climactic 1 0.2551 coattail 1 0.2551 collusion 1 0.2551 colonel 1 0.2551 colonist 1 0.2551 comparison 1 0.2551 competitor 1 0.2551 component 1 0.2551 comport 1 0.2551 concord 1 0.2551 conflagration 1 0.2551 congener 1 0.2551 consul 1 0.2551 continuant 1 0.2551 continuum 1 0.2551 contractual 1 0.2551 corwin 1 0.2551 counterweight 1 0.2551 cramp 1 0.2551 crepe 1 0.2551 crossbill 1 0.2551 curiosity 1 0.2551 customary 1 0.2551 cynthia 1 0.2551 cytosine 1 0.2551 deacon 1 0.2551 design 1 0.2551 detractor 1 0.2551 devilish 1 0.2551 diablo 1 0.2551 differ 1 0.2551 diluent 1 0.2551 dip 1 0.2551 distribution 1 0.2551 divalent 1 0.2551 dodecahedron 1 0.2551 doltish 1 0.2551 donkey 1 0.2551 drunk 1 0.2551 duchess 1 0.2551 dulse 1 0.2551 eggshell 1 0.2551 electric 1 0.2551 emphasis 1 0.2551 emulate 1 0.2551 entreaty 1 0.2551 entrepreneur 1 0.2551 eradicable 1 0.2551 erupt 1 0.2551 euglena 1 0.2551 
evince 1 0.2551 exculpatory 1 0.2551 exegete 1 0.2551 expel 1 0.2551 experience 1 0.2551 expletive 1 0.2551 factor 1 0.2551 faint 1 0.2551 fanfold 1 0.2551 feast 1 0.2551 feeble 1 0.2551 filial 1 0.2551 firework 1 0.2551 flak 1 0.2551 flash 1 0.2551 ford 1 0.2551 formant 1 0.2551 foxglove 1 0.2551 franklin 1 0.2551 fumigate 1 0.2551 function 1 0.2551 galaxy 1 0.2551 gauzy 1 0.2551 ghetto 1 0.2551 glob 1 0.2551 graphic 1 0.2551 gratuity 1 0.2551 greet 1 0.2551 groupoid 1 0.2551 guillotine 1 0.2551 guitar 1 0.2551 gunflint 1 0.2551 gush 1 0.2551 halfback 1 0.2551 halfhearted 1 0.2551 handgun 1 0.2551 hank 1 0.2551 haunch 1 0.2551 hello 1 0.2551 helmsman 1 0.2551 hill 1 0.2551 holography 1 0.2551 homework 1 0.2551 hooves 1 0.2551 hopple 1 0.2551 hydrometer 1 0.2551 hyperbolic 1 0.2551 impede 1 0.2551 impel 1 0.2551 imputation 1 0.2551 inability 1 0.2551 inappeasable 1 0.2551 indiscernible 1 0.2551 indium 1 0.2551 inexhaustible 1 0.2551 ingrown 1 0.2551 inlay 1 0.2551 island 1 0.2551 jade 1 0.2551 javelin 1 0.2551 jilt 1 0.2551 kangaroo 1 0.2551 kid 1 0.2551 kingdom 1 0.2551 labia 1 0.2551 lactose 1 0.2551 ladyfern 1 0.2551 lakers 1 0.2551 libretto 1 0.2551 limestone 1 0.2551 lithography 1 0.2551 local 1 0.2551 loin 1 0.2551 lookup 1 0.2551 loquacity 1 0.2551 majesty 1 0.2551 malice 1 0.2551 marshmallow 1 0.2551 matriculate 1 0.2551 mentor 1 0.2551 millstone 1 0.2551 moat 1 0.2551 molt 1 0.2551 moose 1 0.2551 mozzarella 1 0.2551 nameplate 1 0.2551 nature 1 0.2551 neck 1 0.2551 nominee 1 0.2551 nutate 1 0.2551 oatcake 1 0.2551 obsolescent 1 0.2551 octopus 1 0.2551 offensive 1 0.2551 ogle 1 0.2551 ontology 1 0.2551 optometrist 1 0.2551 pacific 1 0.2551 paint 1 0.2551 pandemonium 1 0.2551 perspicacious 1 0.2551 phenolic 1 0.2551 physiotherapist 1 0.2551 pinniped 1 0.2551 pipsissewa 1 0.2551 player 1 0.2551 poi 1 0.2551 polymerase 1 0.2551 porridge 1 0.2551 port 1 0.2551 porterhouse 1 0.2551 posthumous 1 0.2551 potent 1 0.2551 prince 1 0.2551 propensity 1 0.2551 propionate 
1 0.2551 provision 1 0.2551 psyllium 1 0.2551 pulley 1 0.2551 pyrolysis 1 0.2551 quanta 1 0.2551 radiology 1 0.2551 rapprochement 1 0.2551 re 1 0.2551 readout 1 0.2551 receive 1 0.2551 reclamation 1 0.2551 redound 1 0.2551 regretting 1 0.2551 repetition 1 0.2551 reprise 1 0.2551 resident 1 0.2551 retaliate 1 0.2551 retina 1 0.2551 reverberate 1 0.2551 ringmaster 1 0.2551 riverbank 1 0.2551 rockabye 1 0.2551 rocky 1 0.2551 sang 1 0.2551 sarah1 1 0.2551 satisfactory 1 0.2551 schist 1 0.2551 sciatica 1 0.2551 scion 1 0.2551 scout 1 0.2551 scream 1 0.2551 seethe 1 0.2551 selenate 1 0.2551 sepulchral 1 0.2551 sideshow 1 0.2551 sire 1 0.2551 skeletal 1 0.2551 sniff 1 0.2551 snowstorm 1 0.2551 society 1 0.2551 softball 1 0.2551 southernmost 1 0.2551 spate 1 0.2551 spyglass 1 0.2551 stake 1 0.2551 stellar 1 0.2551 steradian 1 0.2551 strabismus 1 0.2551 stratosphere 1 0.2551 stressful 1 0.2551 successful 1 0.2551 summand 1 0.2551 suntanned 1 0.2551 superman 1 0.2551 survive 1 0.2551 swat 1 0.2551 swine 1 0.2551 swingable 1 0.2551 sympathetic 1 0.2551 system 1 0.2551 tablespoon 1 0.2551 tailor 1 0.2551 tarpaulin 1 0.2551 tempestuous 1 0.2551 theoretician 1 0.2551 thrips 1 0.2551 tiger 1 0.2551 tightwad 1 0.2551 titanate 1 0.2551 tong 1 0.2551 triangular 1 0.2551 tripartite 1 0.2551 twiddle 1 0.2551 unify 1 0.2551 uprise 1 0.2551 uterus 1 0.2551 voice 1 0.2551 wad 1 0.2551 wagoneer 1 0.2551 waistcoat 1 0.2551 washout 1 0.2551 waybill 1 0.2551 we 1 0.2551 whereupon 1 0.2551 whitish 1 0.2551 wildfire 1 0.2551 wipe 1 0.2551 youth 1 0.2551 yucca 1 0.2551 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 17: 5:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id F129337B589 for ; Mon, 21 Feb 2000 17:05:36 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: 
by border.alcanet.com.au id <115229>; Tue, 22 Feb 2000 12:00:02 +1100 Content-return: prohibited 
From: Peter Jeremy Subject: Re: Strange Spam In-reply-to: <4.1.20000221153114.00981950@mail.thegrid.net>; from madscientist@thegrid.net on Tue, Feb 22, 2000 at 11:15:47AM +1100 To: The Mad Scientist Cc: freebsd-security@FreeBSD.ORG Message-Id: <00Feb22.120002est.115229@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0i Content-type: text/plain; charset=us-ascii References: <4.1.20000221153114.00981950@mail.thegrid.net> Date: Tue, 22 Feb 2000 12:00:01 +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 2000-Feb-22 11:15:47 +1100, The Mad Scientist wrote:
> I don't think it's a substitution cipher at the word level.

There's no reason why a word-level substitution cipher has to be one-to-one. Providing a number of choices for common words would make frequency analysis more time consuming (at the expense of a larger dictionary).

> At the character
> level, the text conforms more or less to frequencies of English text.

Given a random list of English words, I would expect this.

Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 19:34:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3FA1E37B966; Mon, 21 Feb 2000 19:34:39 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id TAA02976; Mon, 21 Feb 2000 19:34:05 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda02974; Mon Feb 21 19:33:54 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id TAA62598; Mon, 21 Feb 2000 19:33:54 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdh62596; Mon Feb 21 19:33:09 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id TAA56292; Mon, 21 Feb 2000 19:33:08 -0800 (PST) Message-Id: <200002220333.TAA56292@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdj56281; Mon Feb 21 19:32:53 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: Juergen Lock Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: `higer level' packet filter rules language/editor to ease maintainance? In-reply-to: Your message of "Sat, 19 Feb 2000 00:33:34 +0100." <20000219003334.A1117@saturn.kn-bremen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 Feb 2000 19:32:52 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <20000219003334.A1117@saturn.kn-bremen.de>, Juergen Lock writes:
> Hi!
>
> Is there such a thing as in the subject? Something that lets me,
> say, put rules in groups, easily move around or clone groups, apply
> global changes to groups like search/replace addresses/netmasks?
> sure i can hack something up with a bit of perl/whatever for my
> specific problem, but maybe there is something more general out
> there...
>
> I currently need something for ipfw but even if what you use only
> knows ipfilter (or something else?) i'd like to hear about it,
> i may happen to like it so much that i'd just add ipfw
> support... :) (as long as source is available, obviously.)
>
> I have seen `flc' that was linked on (i think) the ipfilter homepage
> but decided to ask here first as it seems no longer maintained and
> would need to be updated (it's from 1995!) to at least add all the
> ipfw features that are new since then. The idea to be able to
> generate rules for several different packet filters from the same
> input file certainly looked interesting tho and it would seem a
> bit strange to assume that really no one uses it anymore...
> (or is there a successor maybe?)

When I used IPFW and on the boxes that I still use IPFW on, I had a shell script that would build "firewall.conf" files, or in the case of my network at home, that would bring up a firewall for an interface when I dialled into work or my friend's ISP.

My firewall scripts contained something on the lines of the following.

    KRB5_CLIENTS="host1 host2 host3"
    KRB_SRVRS="krb1 krb2"
    KRB_PORTS="88,750"
    TRUSTED_HOSTS="host1 1.2.3.0/24 host5"

    for SYSTEM in $KRB5_CLIENTS; do
        for KRB in $KRB_SRVRS; do
            fw allow udp from $SYSTEM to $KRB $KRB_PORTS
            fw allow udp from $KRB $KRB_PORTS to $SYSTEM
        done
    done

    for SYSTEM in $TRUSTED_HOSTS; do
    ....

    fw deny log ip from any to any

Once a script has been created for a firewall, maintaining the definitions section of the script was easy.

To expand on this idea, one could apply this concept to IP Filter rules, though the syntax would be different. The fw function could become a generic routine that would transform arguments into input for various firewalls.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 22: 3: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3879637B5D0 for ; Mon, 21 Feb 2000 22:03:03 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id WAA03255; Mon, 21 Feb 2000 22:01:09 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03251; Mon Feb 21 22:00:57 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id WAA62933; Mon, 21 Feb 2000 22:00:56 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY62931; Mon Feb 21 22:00:11 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id WAA57009; Mon, 21 Feb 2000 22:00:09 -0800 (PST) 
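
[Added example, not part of any message in this archive.] The firewall-script message above closes by suggesting that fw could become a generic routine that turns the same arguments into input for different firewalls; the sketch below does that for ipfw and IP Filter and only prints the rules. FW_BACKEND, IPF_DIR, ipf_port, emit_rules and the host names are assumptions, and the TRUSTED_HOSTS loop that the post elides is left out.

```shell
#!/bin/sh
# Added example (not the script from the post). fw() only prints rules;
# nothing here loads them into a running firewall.

FW_BACKEND="${FW_BACKEND:-ipfw}"  # assumed selector: "ipfw" or "ipf"
IPF_DIR="${IPF_DIR:-in}"          # assumed: IP Filter rules need a direction

# Constructed sample definitions, in the style of the post.
KRB5_CLIENTS="host1 host2"
KRB_SRVRS="krb1"
KRB_PORTS="88,750"

# IP Filter port clause for one port; prints nothing for the "any" placeholder.
ipf_port() { [ "$1" = "any" ] || printf ' port = %s' "$1"; }

# fw ACTION [log] PROTO from SRC [SPORTS] to DST [DPORTS]
fw() {
    [ $# -ge 5 ] || { echo "fw: too few arguments" >&2; return 1; }
    action=$1; shift
    log=""
    if [ "$1" = "log" ]; then log=" log"; shift; fi
    proto=$1
    [ "${2:-}" = "from" ] && [ $# -ge 5 ] || { echo "fw: bad rule" >&2; return 1; }
    src=$3; shift 3
    sports=""
    if [ "$1" != "to" ]; then sports=$1; shift; fi
    [ "${1:-}" = "to" ] && [ $# -ge 2 ] || { echo "fw: bad rule" >&2; return 1; }
    dst=$2; dports=${3:-}

    case $FW_BACKEND in
    ipfw)
        # ipfw accepts comma-separated port lists and stops at the first match.
        echo "ipfw add $action$log $proto from $src${sports:+ $sports} to $dst${dports:+ $dports}"
        ;;
    ipf)
        case $action in
            allow) verb=pass ;;
            deny)  verb=block ;;
            *) echo "fw: unknown action $action" >&2; return 1 ;;
        esac
        # "ip" means any protocol; IP Filter expresses that by omitting "proto".
        p=""; [ "$proto" = "ip" ] || p=" proto $proto"
        # IP Filter uses the last matching rule unless "quick" is given, so
        # "quick" keeps ipfw's first-match order. One port per rule: expand lists.
        for sp in $(printf '%s' "${sports:-any}" | tr ',' ' '); do
            for dp in $(printf '%s' "${dports:-any}" | tr ',' ' '); do
                echo "$verb $IPF_DIR$log quick$p from $src$(ipf_port "$sp") to $dst$(ipf_port "$dp")"
            done
        done
        ;;
    *)
        echo "fw: unknown backend $FW_BACKEND" >&2; return 1
        ;;
    esac
}

# The Kerberos loops and the final default-deny rule from the post.
emit_rules() {
    for SYSTEM in $KRB5_CLIENTS; do
        for KRB in $KRB_SRVRS; do
            fw allow udp from "$SYSTEM" to "$KRB" "$KRB_PORTS" || return 1
            fw allow udp from "$KRB" "$KRB_PORTS" to "$SYSTEM" || return 1
        done
    done
    fw deny log ip from any to any
}

emit_rules
```

Setting FW_BACKEND=ipf prints the IP Filter form of the same definitions; the ipfw form has no direction keyword, so IPF_DIR has to be chosen to match where the filter sits.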
Message-Id: <200002220600.WAA57009@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdO56997; Mon Feb 21 21:59:14 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: kc5vdj@swbell.net Cc: matt@ARPA.MAIL.NET (Matt Heckaman), dmartin@origen.com, freebsd-security@FreeBSD.ORG Subject: Re: Strange Spam In-reply-to: Your message of "Sun, 20 Feb 2000 23:55:54 CST." <200002210556.XAA70351@ppp-208-188-200-9.dialup.kscymo.swbell.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 Feb 2000 21:59:14 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <200002210556.XAA70351@ppp-208-188-200-9.dialup.kscymo.swbell.net>, Jim Bryant writes:
> In reply:
> > Wow, how strange. I always sucked at finding patterns though, maybe some
> > of the english majors could figure this out, lol =)
> >
> > Matt
> > --
> > Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
> > !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]
>
> could be a substitution code, or a template code.
>
> looks too formatted to be spam, but then it could just be spam. look
> at the address in the From and Received headers. Could be some right
> wing anti-education militia schizo trying to make cause.org look bad
> by spoofing their address.
>
> who knows.

Aww come on guys. Where's your sense of adventure. It's got to be a conspiracy and you know how everybody loves a conspiracy.

Now that I've set the record straight. I think it's a Microsoft thing.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 22:12:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 6CEDC37B55C for ; Mon, 21 Feb 2000 22:12:43 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id WAA03307; Mon, 21 Feb 2000 22:12:09 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03305; Mon Feb 21 22:11:57 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id WAA62979; Mon, 21 Feb 2000 22:11:57 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdF62977; Mon Feb 21 22:11:10 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id WAA57058; Mon, 21 Feb 2000 22:11:09 -0800 (PST) Message-Id: <200002220611.WAA57058@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJ57054; Mon Feb 21 22:10:43 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: Cy Schubert - ITSD Open Systems Group Cc: kc5vdj@swbell.net, matt@ARPA.MAIL.NET (Matt Heckaman), dmartin@origen.com, freebsd-security@FreeBSD.ORG Subject: Re: Strange Spam In-reply-to: Your message of "Mon, 21 Feb 2000 21:59:14 PST." <200002220600.WAA57009@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 21 Feb 2000 22:10:43 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

My apologies, this should have been sent to -chat.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."

In message <200002220600.WAA57009@cwsys.cwsent.com>, Cy Schubert - ITSD Open Systems Group writes:
> In message <200002210556.XAA70351@ppp-208-188-200-9.dialup.kscymo.swbell.net>, Jim Bryant writes:
> > In reply:
> > > Wow, how strange. I always sucked at finding patterns though, maybe some
> > > of the english majors could figure this out, lol =)
> > >
> > > Matt
> > > --
> > > Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
> > > !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]
> >
> > could be a substitution code, or a template code.
> >
> > looks too formatted to be spam, but then it could just be spam. look
> > at the address in the From and Received headers. Could be some right
> > wing anti-education militia schizo trying to make cause.org look bad
> > by spoofing their address.
> >
> > who knows.
>
> Aww come on guys. Where's your sense of adventure. It's got to be a
> conspiracy and you know how everybody loves a conspiracy.
>
> Now that I've set the record straight. I think it's a Microsoft thing.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
> UNIX Group, ITSD, ISTA
> Province of BC
>                     "COBOL IS A WASTE OF CARDS."
>
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 21 22:47: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from bourbon.sfc.wide.ad.jp (bourbon.sfc.wide.ad.jp [203.178.141.171]) by hub.freebsd.org (Postfix) with ESMTP id 3CFAD37B612; Mon, 21 Feb 2000 22:47:02 -0800 (PST) (envelope-from max@wide.ad.jp) Received: from bourbon.sfc.wide.ad.jp (bourbon [203.178.141.171]) by bourbon.access.sfc.wide.ad.jp (8.9.3+3.2W/3.7W-12/11/99/smtpfeed 1.01) with ESMTP id PAA50680; Tue, 22 Feb 2000 15:46:49 +0900 (JST) (envelope-from max@wide.ad.jp) Date: Tue, 22 Feb 2000 15:46:49 +0900 Message-ID: 
From: Masafumi NAKANE To: imp@village.org Cc: 3APA3A@SECURITY.NNOV.RU, kris@hub.freebsd.org, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG Subject: Re: Re[2]: delegate buffer overflow (ports) In-Reply-To: In your message of "Fri, 28 Jan 2000 18:24:55 -0700" <200001290124.SAA65757@harmony.village.org> References: <18578.000128@sandy.ru> <200001280936.CAA60674@harmony.village.org> <200001290124.SAA65757@harmony.village.org> User-Agent: Wanderlust/2.2.17 (One Of Us) SEMI/1.13.7 (Awazu) FLIM/1.13.2 (Kasanui) Emacs/20.5 (i386--freebsd) MULE/4.0 (HANANOEN) MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu") Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I finally got some time to sit down and look at the issue closely. I agree the source of the DeleGate isn't really secure. Here's my proposal.

1. Define NO_PACKAGE so that the CD-ROM and the FTP won't include the package. And this will require the users to do ``make install'' if they want to use DeleGate on their machines.

2. When a user simply types ``make'' or ``make install'' or whatever, show something like:

**********************************************************************
* WARNING! WARNING! WARNING! WARNING!                                *
* This program has known security problems.                          *
* It is strongly recommended that you do not use this program.       *
*                                                                    *
* If you would like to use this program despite the danger,          *
* run make with ``FORCE_BUILD=YES''.                                 *
**********************************************************************

3. If a user runs make with ``FORCE_BUILD=YES'', build/install the program with some security warning at the pre-build time as well as post-install time.

What do people think?

Cheers, Max To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 22:52:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8DFF837B5D1; Mon, 21 Feb 2000 22:52:11 -0800 (PST) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id WAA65616; Mon, 21 Feb 2000 22:52:11 -0800 (PST) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Mon, 21 Feb 2000 22:52:11 -0800 (PST) 
From: Kris Kennaway To: Masafumi NAKANE Cc: imp@village.org, 3APA3A@SECURITY.NNOV.RU, kris@hub.freebsd.org, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, asami@freebsd.org Subject: Re: Re[2]: delegate buffer overflow (ports) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 22 Feb 2000, Masafumi NAKANE wrote:

> 2. When a user simply types ``make'' or ``make install'' or whatever,
> show something like:
>
> **********************************************************************
> * WARNING! WARNING! WARNING! WARNING!                                *
> * This program has known security problems.                          *

I'd change the above to "known security problems which may allow a remote attacker to take control of your machine. See FreeBSD security advisory 00:04 for more information.".

> * It is strongly recommended that you do not use this program.       *
> *                                                                    *
> * If you would like to use this program despite the danger,          *
> * run make with ``FORCE_BUILD=YES''.                                 *
> **********************************************************************

With something like this in place I have no objections.

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!"
-- Homer Simpson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 21 23:58:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from bourbon.sfc.wide.ad.jp (bourbon.sfc.wide.ad.jp [203.178.141.171]) by hub.freebsd.org (Postfix) with ESMTP id CC3E237B53D; Mon, 21 Feb 2000 23:58:21 -0800 (PST) (envelope-from max@wide.ad.jp) Received: from bourbon.sfc.wide.ad.jp (bourbon [203.178.141.171]) by bourbon.access.sfc.wide.ad.jp (8.9.3+3.2W/3.7W-12/11/99/smtpfeed 1.01) with ESMTP id QAA51239; Tue, 22 Feb 2000 16:58:04 +0900 (JST) (envelope-from max@wide.ad.jp) Date: Tue, 22 Feb 2000 16:58:03 +0900 Message-ID: 
From: Masafumi NAKANE To: kris@FreeBSD.org Cc: imp@village.org, 3APA3A@SECURITY.NNOV.RU, serg@dor.zaural.ru, freebsd-security@FreeBSD.ORG, asami@freebsd.org Subject: Re: Re[2]: delegate buffer overflow (ports) In-Reply-To: In your message of "Mon, 21 Feb 2000 22:52:11 -0800 (PST)" References: User-Agent: Wanderlust/2.2.17 (One Of Us) SEMI/1.13.7 (Awazu) FLIM/1.13.2 (Kasanui) Emacs/20.5 (i386--freebsd) MULE/4.0 (HANANOEN) MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu") Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > **********************************************************************
> > * WARNING! WARNING! WARNING! WARNING!                                *
> > * This program has known security problems.                          *
> >
> I'd change the above to "known security problems which may allow a remote
> attacker to take control of your machine. See FreeBSD security advisory
> 00:04 for more information.".

Yes, this sounds better.

I have made and committed these changes. Please look at it and send any comment before the ports freeze.

Cheers,
Max

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Feb 23 5:50:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from shell.monmouth.com (shell.monmouth.com [209.191.58.1]) by hub.freebsd.org (Postfix) with ESMTP id 87B6837B89E for ; Wed, 23 Feb 2000 05:50:38 -0800 (PST) (envelope-from pechter@bg-tc-ppp873.monmouth.com) Received: from bg-tc-ppp873.monmouth.com (bg-tc-ppp873.monmouth.com [209.191.53.249]) by shell.monmouth.com (8.9.3/8.9.3) with ESMTP id IAA21207; Wed, 23 Feb 2000 08:49:21 -0500 (EST) Received: (from pechter@localhost) by bg-tc-ppp873.monmouth.com (8.9.3/8.9.3) id IAA06975; Wed, 23 Feb 2000 08:54:24 -0500 (EST) (envelope-from pechter) 
From: Bill Pechter Message-Id: <200002231354.IAA06975@bg-tc-ppp873.monmouth.com> Subject: Denial of Service.... anyone else see this attempt. To: abuse@aol.com Date: Wed, 23 Feb 2000 08:54:22 -0500 (EST) Cc: freebsd-security@freebsd.org Reply-To: bpechter@shell.monmouth.com X-Phone-Number: 732-935-0629 X-OS-Type: FreeBSD 4.0-CURRENT X-Mailer: ELM [version 2.4ME+ PL66 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dear sirs: I'd like to report what appears to be an attack on my machine. I picked up 6500 of these attempts ending when I dropped outside connectivity at 8:34 this morning. This is a denial of service, since all my machine was doing was logging these messages. This attack fully saturated my 33.6 ppp link. Bill Pechter pechter@monmouth.com ----- Forwarded message from The root of all evil ----- From root Wed Feb 23 04:59:32 2000 Date: Wed, 23 Feb 2000 04:59:23 -0500 (EST) 
From: The root of all evil Message-Id: <200002230959.EAA65453@bg-tc-ppp369.monmouth.com> To: root Subject: tcpd: unknown@fes-d004.icq.aol.com[205.188.153.100] tried to use rpc.rquotad (denied) [fes-d004.icq.aol.com] ----- End of forwarded message from The root of all evil ----- bpechter@monmouth.com | Microsoft: Where do you want to go today? | Linux: Where do you want to go tomorrow? | BSD: Are you guys coming, or what? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 23 7:13:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id BC21537B88E for ; Wed, 23 Feb 2000 07:13:28 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA08193; Wed, 23 Feb 2000 07:10:20 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda08191; Wed Feb 23 07:10:17 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA77931; Wed, 23 Feb 2000 07:10:16 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdj77929; Wed Feb 23 07:10:01 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA52518; Wed, 23 Feb 2000 07:10:01 -0800 (PST) Message-Id: <200002231510.HAA52518@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdC52506; Wed Feb 23 07:09:56 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: bpechter@shell.monmouth.com, pechter@pechter.dyndns.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: Denial of Service.... anyone else see this attempt. In-reply-to: Your message of "Wed, 23 Feb 2000 08:54:22 EST." <200002231354.IAA06975@bg-tc-ppp873.monmouth.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 23 Feb 2000 07:09:56 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'd like to say to all on this list that this type of message should probably not be posted here on FreeBSD-Security. INCIDENTS@securityfocus.com is a better place for this. They discuss this and many other types of incidents.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."

In message <200002231354.IAA06975@bg-tc-ppp873.monmouth.com>, Bill Pechter writes:
> Dear sirs:
>
> I'd like to report what appears to be an attack on my machine.
>
> I picked up 6500 of these attempts ending when I dropped outside
> connectivity at 8:34 this morning.
>
> This is a denial of service, since all my machine was doing was logging
> these messages.
>
> This attack fully saturated my 33.6 ppp link.
>
> Bill Pechter
> pechter@monmouth.com
>
>
> ----- Forwarded message from The root of all evil -----
>
> >From root Wed Feb 23 04:59:32 2000
> Date: Wed, 23 Feb 2000 04:59:23 -0500 (EST)
> From: The root of all evil
> Message-Id: <200002230959.EAA65453@bg-tc-ppp369.monmouth.com>
> To: root
> Subject: tcpd: unknown@fes-d004.icq.aol.com[205.188.153.100] tried to use rpc.rquotad (denied)
>
> [fes-d004.icq.aol.com]
>
>
> ----- End of forwarded message from The root of all evil -----
> bpechter@monmouth.com | Microsoft: Where do you want to go today?
>                       | Linux: Where do you want to go tomorrow?
>                       | BSD: Are you guys coming, or what?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Feb 23 15: 2:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id 9326737BA33 for ; Wed, 23 Feb 2000 15:02:42 -0800 (PST) (envelope-from bokr@accessone.com) Received: from [129.250.38.61] (helo=dfw-mmp1.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 12Nknp-0006jo-00 for freebsd-security@freebsd.org; Wed, 23 Feb 2000 23:02:41 +0000 Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp1.email.verio.net with smtp (Exim 3.12 #7) id 12Nknn-0002zQ-00 for freebsd-security@FreeBSD.ORG; Wed, 23 Feb 2000 23:02:40 +0000 Message-Id: <3.0.5.32.20000223150439.008f5ab0@mail.accessone.com> X-Sender: bokr@mail.accessone.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Wed, 23 Feb 2000 15:04:39 -0800 To: freebsd-security@FreeBSD.ORG 
From: Bengt Richter Subject: NG report of "Security hole in GNOME" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following appeared on comp.unix.bsd.freebsd.misc: Any details? ------------------ FreeBSD users should be aware that the stable ports of GNOME will install a spy file named .ICEauthority and information about your system will be transmitted every time a GNOME function is invoked. -- Lars Eighner 700 Hearn #101 Austin TX 78703 eighner@io.com (512) 474-1920 (FAX answers 6th ring) http://www.io.com/%7Eeighner/ bookstore: http://www.io.com/%7Eeighner/bookstore/ Any two philosophers can tell each other all they know in two hours. ------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 23 16: 3: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from sprig.tougas.net (h24-66-217-148.xx.wave.shaw.ca [24.66.217.148]) by hub.freebsd.org (Postfix) with ESMTP id A6A4237B926 for ; Wed, 23 Feb 2000 16:03:05 -0800 (PST) (envelope-from dtougas@sprig.tougas.net) Received: (from dtougas@localhost) by sprig.tougas.net (8.9.3/8.9.3) id RAA02347 for freebsd-security@freebsd.org; Wed, 23 Feb 2000 17:04:57 -0700 (MST) (envelope-from dtougas) Date: Wed, 23 Feb 2000 17:04:57 -0700 
From: Damien Tougas
To: freebsd-security@freebsd.org
Subject: SSH port forwarding
Message-ID: <20000223170457.A2185@tougas.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am looking at setting up a VPN using the SSH port forwarding
features, but I have a question:

I have inetd listening on port X for ppp connections. I set
up SSH on the client machine to pass all packets going from port X
on the client to port X on the server through the secure channel.

After starting ppp, I do netstat -a and realize that the actual ppp
connection is taking place on random port Y. My question is, is SSH
smart enough to realize this has taken place and encrypt the session
on port Y as well? If not, how do I set it up so that the random
port picked during the negotiation process is also sent through
the secure channel?

Thanks.

--
Damien Tougas, P.Eng.
Phone: (780)434-5889
Fax: (780)434-5889
E-mail: damien@tougas.net
http://www.tougas.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Feb 23 16:57:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay.securify.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with SMTP id 8557B37BA55 for ; Wed, 23 Feb 2000 16:57:08 -0800 (PST) (envelope-from tomb@cgf.net)
Received: by relay.securify.com; id QAA22768; Wed, 23 Feb 2000 16:56:01 -0800
Received: from unknown(10.5.63.6) by relay.securify.com via smap (V5.5) id xma022758; Wed, 23 Feb 00 16:55:54 -0800
Received: from cgf.net (leek.securify.com [10.5.63.100]) by dude.securify.com (8.8.7/8.8.7) with ESMTP id QAA12347; Wed, 23 Feb 2000 16:55:53 -0800
Message-ID: <38B4817A.E97174EE@cgf.net>
Date: Wed, 23 Feb 2000 16:55:22 -0800
From: tomb
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Cy Schubert - ITSD Open Systems Group , freebsd-security@freebsd.org
Subject: Re: Denial of Service.... anyone else see this attempt.
References: <200002231510.HAA52518@cwsys.cwsent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I totally disagree as long as the machine in question is a FreeBSD box.
Although there is very little we can do to prevent this kind of
activity. The information IS of interest. If nothing else provides us
with stats on who's doing what and where.

The last thing we should be doing is discouraging people from sending
information relating to FreeBSD security.

If it seems like it belongs on a different list then post it on and
politely re-direct the initiator to that list.

Tom


Cy Schubert - ITSD Open Systems Group wrote:
>
> I'd like to say to all on this list that this type of message should
> probably not be posted here on FreeBSD-Security. INCIDENTS@securityfocus.com
> is a better place for this. They discuss this and many other
> types of incidents.
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
> UNIX Group, ITSD, ISTA
> Province of BC
>                       "COBOL IS A WASTE OF CARDS."
>
> In message <200002231354.IAA06975@bg-tc-ppp873.monmouth.com>, Bill
> Pechter writes:
> > Dear sirs:
> >
> > I'd like to report what appears to be an attack on my machine.
> >
> > I picked up 6500 of these attempts ending when I dropped outside
> > connectivity at 8:34 this morning.
> >
> > This is a denial of service, since all my machine was doing was logging
> > these messages.
> >
> > This attack fully saturated my 33.6 ppp link.
> >
> > Bill Pechter
> > pechter@monmouth.com
> >
> >
> > ----- Forwarded message from The root of all evil -----
> >
> > >From root Wed Feb 23 04:59:32 2000
> > Date: Wed, 23 Feb 2000 04:59:23 -0500 (EST)
> > From: The root of all evil
> > Message-Id: <200002230959.EAA65453@bg-tc-ppp369.monmouth.com>
> > To: root
> > Subject: tcpd: unknown@fes-d004.icq.aol.com[205.188.153.100] tried to use rpc.rquotad (denied)
> >
> > [fes-d004.icq.aol.com]
> >
> >
> > ----- End of forwarded message from The root of all evil -----
> > bpechter@monmouth.com | Microsoft: Where do you want to go today?
> >                       | Linux: Where do you want to go tomorrow?
> >                       | BSD: Are you guys coming, or what?
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Tom Brown
---------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Feb 23 18:54:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id E399137BA70 for ; Wed, 23 Feb 2000 18:54:05 -0800 (PST) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Wed, 23 Feb 2000 19:54:03 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma020913; Wed, 23 Feb 00 19:53:46 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id TAA89868; Wed, 23 Feb 2000 19:52:41 -0700 (MST)
Date: Wed, 23 Feb 2000 19:52:41 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: tomb
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of Service.... anyone else see this attempt.
In-Reply-To: <38B4817A.E97174EE@cgf.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 23 Feb 2000, tomb wrote:

> I totally disagree as long as the machine in question is a FreeBSD box.

But nothing in there is FreeBSD-specific. To start with, it's not even a
security vulnerability.

> The information IS of interest. If nothing else provides us with
> stats on who's doing what and where.

That's exactly on charter for the incidents@securityfocus.com list. That
list REALLY is more appropriate.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 0:45:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 2D0B737BCB9 for ; Thu, 24 Feb 2000 00:45:50 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 3043 invoked from network); 23 Feb 2000 23:57:57 -0000
Received: from localhost (user50972@127.0.0.1) by hydrant.intranova.net with SMTP; 23 Feb 2000 23:57:57 -0000
Date: Wed, 23 Feb 2000 18:57:56 -0500 (EST)
From: Omachonu Ogali
To: Bengt Richter
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NG report of "Security hole in GNOME"
In-Reply-To: <3.0.5.32.20000223150439.008f5ab0@mail.accessone.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's completely untrue. .ICEauthority has been around for a while and if
you peek at it you'll see it contains authentication information for the X
server, sort of like an xhost (I think). Do man iceauth to read on it
more, and do us a favor and relay this back to the newsgroup...

On Wed, 23 Feb 2000, Bengt Richter wrote:

> The following appeared on comp.unix.bsd.freebsd.misc:
> Any details?
> ------------------
> FreeBSD users should be aware that the stable ports of GNOME
> will install a spy file named .ICEauthority and information
> about your system will be transmitted every time a GNOME function
> is invoked.
>
>
> --

+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:        C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 1:25:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 1DBBE37BAED for ; Thu, 24 Feb 2000 01:25:55 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 4278 invoked from network); 24 Feb 2000 05:26:07 -0000
Received: from localhost (user69074@127.0.0.1) by hydrant.intranova.net with SMTP; 24 Feb 2000 05:26:07 -0000
Date: Thu, 24 Feb 2000 00:26:07 -0500 (EST)
From: Omachonu Ogali
To: tomb
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@freebsd.org
Subject: Re: Denial of Service.... anyone else see this attempt.
In-Reply-To: <38B4817A.E97174EE@cgf.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok...in that case, please move to incidents@securityfocus.com, as this is
not an incident reporting mailing list, rather, a mailing list for
users/developers to discuss FreeBSD security.

On Wed, 23 Feb 2000, tomb wrote:

> I totally disagree as long as the machine in question is a FreeBSD box.
> Although there is very little we can do to prevent this kind of
> activity. The information IS of interest. If nothing else provides us
> with stats on who's doing what and where.
>
> The last thing we should be doing is discouraging people from sending
> information relating to FreeBSD security.
>
> If it seems like it belongs on a different list then post it on and
> politely re-direct the initiator to that list.
>
> Tom
>
>
> Cy Schubert - ITSD Open Systems Group wrote:
> >
> > I'd like to say to all on this list that this type of message should
> > probably not be posted here on FreeBSD-Security. INCIDENTS@securityfocus.com
> > is a better place for this. They discuss this and many other
> > types of incidents.
> >
> > Regards,                       Phone:  (250)387-8437
> > Cy Schubert                      Fax:  (250)387-5766
> > Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
> > UNIX Group, ITSD, ISTA
> > Province of BC
> >                       "COBOL IS A WASTE OF CARDS."
> >
> > In message <200002231354.IAA06975@bg-tc-ppp873.monmouth.com>, Bill
> > Pechter writes:
> > > Dear sirs:
> > >
> > > I'd like to report what appears to be an attack on my machine.
> > >
> > > I picked up 6500 of these attempts ending when I dropped outside
> > > connectivity at 8:34 this morning.
> > >
> > > This is a denial of service, since all my machine was doing was logging
> > > these messages.
> > >
> > > This attack fully saturated my 33.6 ppp link.
> > >
> > > Bill Pechter
> > > pechter@monmouth.com
> > >
> > >
> > > ----- Forwarded message from The root of all evil -----
> > >
> > > >From root Wed Feb 23 04:59:32 2000
> > > Date: Wed, 23 Feb 2000 04:59:23 -0500 (EST)
> > > From: The root of all evil
> > > Message-Id: <200002230959.EAA65453@bg-tc-ppp369.monmouth.com>
> > > To: root
> > > Subject: tcpd: unknown@fes-d004.icq.aol.com[205.188.153.100] tried to use rpc.rquotad (denied)
> > >
> > > [fes-d004.icq.aol.com]
> > >
> > >
> > > ----- End of forwarded message from The root of all evil -----
> > > bpechter@monmouth.com | Microsoft: Where do you want to go today?
> > >                       | Linux: Where do you want to go tomorrow?
> > >                       | BSD: Are you guys coming, or what?
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --

+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:        C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 2:11:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id DD08137BBE7 for ; Thu, 24 Feb 2000 02:11:33 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id CAA11200; Thu, 24 Feb 2000 02:11:31 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11197; Thu Feb 24 02:11:19 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id CAA06428; Thu, 24 Feb 2000 02:11:18 -0800 (PST)
Message-Id: <200002241011.CAA06428@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdSK6095; Thu Feb 24 01:50:13 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
X-Sender: cschuber
To: tomb
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@freebsd.org
Subject: Re: Denial of Service.... anyone else see this attempt.
In-reply-to: Your message of "Wed, 23 Feb 2000 16:55:22 PST." <38B4817A.E97174EE@cgf.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 24 Feb 2000 01:50:13 -0800
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Since you're interested in Denial of Service attacks, you might be
interested in this too. I just got port scanned on ports 119 and 25.

My point is that this and the previous posting about a DDoS have nothing
to do with FreeBSD. Unless either of these has anything to do with
FreeBSD specifically, e.g. FreeBSD vulnerability, securing FreeBSD, it
shouldn't be here. Port scans and DDoS attacks should go to the
appropriate mailing list.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                      "COBOL IS A WASTE OF CARDS."

In message <38B4817A.E97174EE@cgf.net>, tomb writes:
> I totally disagree as long as the machine in question is a FreeBSD box.
> Although there is very little we can do to prevent this kind of
> activity. The information IS of interest. If nothing else provides us
> with stats on who's doing what and where.
>
> The last thing we should be doing is discouraging people from sending
> information relating to FreeBSD security.
>
> If it seems like it belongs on a different list then post it on and
> politely re-direct the initiator to that list.
>
> Tom
>
>
> Cy Schubert - ITSD Open Systems Group wrote:
> >
> > I'd like to say to all on this list that this type of message should
> > probably not be posted here on FreeBSD-Security. INCIDENTS@securityfocus.com
> > is a better place for this. They discuss this and many other
> > types of incidents.
> >
> > Regards,                       Phone:  (250)387-8437
> > Cy Schubert                      Fax:  (250)387-5766
> > Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
> > UNIX Group, ITSD, ISTA
> > Province of BC
> >                       "COBOL IS A WASTE OF CARDS."
> >
> > In message <200002231354.IAA06975@bg-tc-ppp873.monmouth.com>, Bill
> > Pechter writes:
> > > Dear sirs:
> > >
> > > I'd like to report what appears to be an attack on my machine.
> > >
> > > I picked up 6500 of these attempts ending when I dropped outside
> > > connectivity at 8:34 this morning.
> > >
> > > This is a denial of service, since all my machine was doing was logging
> > > these messages.
> > >
> > > This attack fully saturated my 33.6 ppp link.
> > >
> > > Bill Pechter
> > > pechter@monmouth.com
> > >
> > >
> > > ----- Forwarded message from The root of all evil -----
> > >
> > > >From root Wed Feb 23 04:59:32 2000
> > > Date: Wed, 23 Feb 2000 04:59:23 -0500 (EST)
> > > From: The root of all evil
> > > Message-Id: <200002230959.EAA65453@bg-tc-ppp369.monmouth.com>
> > > To: root
> > > Subject: tcpd: unknown@fes-d004.icq.aol.com[205.188.153.100] tried to use rpc.rquotad (denied)
> > >
> > > [fes-d004.icq.aol.com]
> > >
> > >
> > > ----- End of forwarded message from The root of all evil -----
> > > bpechter@monmouth.com | Microsoft: Where do you want to go today?
> > >                       | Linux: Where do you want to go tomorrow?
> > >                       | BSD: Are you guys coming, or what?
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Tom Brown
> ---------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 2:30:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id B094437BB81 for ; Thu, 24 Feb 2000 02:30:16 -0800 (PST) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 12NvWk-0002fi-00; Thu, 24 Feb 2000 10:29:46 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 12NvWl-0005Dz-00; Thu, 24 Feb 2000 10:29:47 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: Damien Tougas
Cc: freebsd-security@freebsd.org
Subject: Re: SSH port forwarding
In-reply-to: Your message of "Wed, 23 Feb 2000 17:04:57 MST." <20000223170457.A2185@tougas.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 24 Feb 2000 10:29:47 +0000
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am looking at setting up a VPN using the SSH port forwarding
> features, but I have a question:
>
> I have inetd listening on port X for ppp connections. I set
> up SSH on the client machine to pass all packets going from port X
> on the client to port X on the server through the secure channel.
>
> After starting ppp, I do netstat -a and realize that the actual ppp
> connection is taking place on random port Y. My question is, is SSH
> smart enough to realize this has taken place and encrypt the session
> on port Y as well? If not, how do I set it up so that the random
> port picked during the negotiation process is also sent through
> the secure channel?

Ah, which ports are you talking about? A typical port-forwarding
setup looks like this when in progress:

     Client Machine                                    Server Machine
+----------------------+                          +-----------------------+
! User process         !                          !    Server process     !
! +--------------+     !                          !    +----------------+ !
! !              !     !                          !    !                ! !
! !            --+--+  !  <- A              D ->  ! +--+--              ! !
! !              !  !  !                          ! !  !                ! !
! +--------------+  !  !                          ! !  +----------------+ !
!                   !  !                          ! !                     !
! SSH client        !  !                          ! !  SSH server         !
! +--------------+  !  !                          ! !  +----------------+ !
! !              !  !  !                          ! !  !                ! !
! !           (--+--+  !  <- B              C ->  ! +--+--)             ! !
! !           (  !     !        SSH tunnel        !    !  )             ! !
! !           (==+================================+====+==)             ! !
! !              !     !                          !    !                ! !
! +--------------+     !                          !    +----------------+ !
!                      !                          !                       !
+----------------------+                          +-----------------------+

Your server process will be listening on its normal port number (D).

The ssh client will often be listening on the same port number (B). It has
to be told which port to listen on and what address and port the SSH server
should be told to use at the other end.

The user process will use an arbitrary port (A). It has to be told to contact
the SSH client (on port (B)) instead of contacting the server process directly.

The SSH server will use an arbitrary port when forwarding the connection
from itself to the server process (C).

So which ports do you think are wrong? And on which machine?

--
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 3:43:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta04.onebox.com (mta04.onebox.com [216.33.158.211]) by hub.freebsd.org (Postfix) with ESMTP id 50C4C37BADD for ; Thu, 24 Feb 2000 03:43:13 -0800 (PST) (envelope-from chutima_s@zdnetonebox.com)
Received: from onebox.com ([216.33.158.150]) by mta04.onebox.com (InterMail vM.4.01.02.17 201-229-119) with SMTP id <20000224114310.PVOW28348.mta04.onebox.com@onebox.com> for ; Thu, 24 Feb 2000 03:43:10 -0800
Received: from [203.155.33.180] by onebox.com with HTTP; Thu, 24 Feb 2000 03:43:10 -0800
Date: Thu, 24 Feb 2000 03:43:10 -0800
Subject: FWTK for SMTP
From: "Chutima S."
To: freebsd-security@FreeBSD.ORG
Message-Id: <20000224114310.PVOW28348.mta04.onebox.com@onebox.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear all,

I'm looking for tool for proxy smtp and pop3. Many people suggest to
use FWTK, so I read man page about smap, smapd, plug-gw from fwtk. I
understand that for smtp I can use plug-gw or smap&smapd. Is there any
security topic for me to choose them. And for pop3 I plan to use plug-gw.

Welcome for any comment from you all.

Thanks,

--
Chutima Subsirin
chutima_s@zdnetonebox.com - email

___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 6:30:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E522337BD39 for ; Thu, 24 Feb 2000 06:30:41 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA11836; Thu, 24 Feb 2000 06:30:38 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11834; Thu Feb 24 06:30:28 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA07109; Thu, 24 Feb 2000 06:30:28 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdEL7099; Thu Feb 24 06:29:50 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id GAA11133; Thu, 24 Feb 2000 06:29:50 -0800 (PST)
Message-Id: <200002241429.GAA11133@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdM11126; Thu Feb 24 06:29:21 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
X-Sender: cy
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FWTK for SMTP
In-reply-to: Your message of "Thu, 24 Feb 2000 03:43:10 PST." <20000224114310.PVOW28348.mta04.onebox.com@onebox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 24 Feb 2000 06:29:21 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000224114310.PVOW28348.mta04.onebox.com@onebox.com>, "Chutima S." writes:
> Dear all,
>
> I'm looking for tool for proxy smtp and pop3. Many people suggest to
> use FWTK, so I read man page about smap, smapd, plug-gw from fwtk. I
> understand that for smtp I can use plug-gw or smap&smapd. Is there any
> security topic for me to choose them. And for pop3 I plan to use plug-gw.

This question was asked a number of years ago either here or BUGTRAQ.
The answer given was that FWTK's smap did not have any anti-spam
facility. I'm not sure whether it has changed or not. If it has not,
you may want to check out the smtpd port in the ports collection. It
does the same function as smap using a similar process, and it has an
anti-spam facility.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                      "COBOL IS A WASTE OF CARDS."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 6:35:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 64A6F37BC77 for ; Thu, 24 Feb 2000 06:35:16 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 6648 invoked from network); 24 Feb 2000 14:08:44 -0000
Received: from localhost (user41422@127.0.0.1) by hydrant.intranova.net with SMTP; 24 Feb 2000 14:08:44 -0000
Date: Thu, 24 Feb 2000 09:08:44 -0500 (EST)
From: Omachonu Ogali
To: Lars Eighner
Cc: bokr@accessone.com, freebsd-security@freebsd.org
Subject: Re: Security hole in GNOME
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ICEauthority is NOT for calling someone up, it is used for authentication
between two XWindows servers, it does not transmit information, rather it
protects your XWindows server from being tampered with by defining an
access list of what clients/hostnames are allowed to access your server,
and most of the time that list only contains your local hostname.

IF you sat down and ran tcpdump you would see its trying to resolve the
hostname you specified for your machine which doesn't exist probably and
is calling an external name server to help it, before you go off spreading
rumors, try to sit down and study it.

On Thu, 24 Feb 2000, Lars Eighner wrote:

>
> bokr@accessone.com (Bengt Richter) wrote:
> |On Wed, 23 Feb 2000 07:52:37 -0600, eighner@io.com (Lars Eighner)
> |wrote:
> |
> |>
> |>FreeBSD users should be aware that the stable ports of GNOME
> |>will install a spy file named .ICEauthority and information
> |>about your system will be transmitted every time a GNOME function
> |>is invoked.
>
> |Can you back up your information, please? Note following:
> |
> |--begin inclusion--
> |Date: Wed, 23 Feb 2000 18:57:56 -0500 (EST)
> |From: Omachonu Ogali
> |To: Bengt Richter
> |cc: freebsd-security@FreeBSD.ORG
> |Subject: Re: NG report of "Security hole in GNOME"
> |
> |That's completely untrue. .ICEauthority has been around for a while
> |and if
> |you peek at it you'll see it contains authentication information for
> |the X
> |server, sort of like an xhost (I think). Do man iceauth to read on it
> |more, and do us a favor and relay this back to the newsgroup...
>
> Well, *did* you do man iceauth? If you had you would have found
> one little paragraph that refers to commands described "below"
> but of course there is no "below." None the less, it should be
> clear that the purpose of iceauth is to transmit information about
> one system to another system. Furthermore, when you invoke a
> GNOME session or one of the GNOME applications, it will bring up
> the ppp link and call someone. Suppose MicroSoft made Windows
> call them up every time Windows was used? People would be
> screaming bloody murder. Why should this behavior be acceptable
> from GNOME?
>
> Moreover, if this behavior were on the up and up, why wouldn't
> there be some reasonable documentation? And why isn't there a
> way to disable this behavior for machines that are not on an
> intranet -- which is the only situation in which this behavior
> might be desirable. Try typing ICEauthority or iceauth into
> a few of your favorite search engines. There simply is no
> explanation of what this is or why anyone thinks it is desirable.
> There is one FAQ in French which is a puzzle to me, but which
> has been interpreted for me by another correspondent to the
> effect that the purpose of ICEauthority is to brand users
> with software along the lines of what the Pentium III chip
> attempts to do with hardware. Again, when Intel does it,
> everyone yelps: so why exactly should such a vaguely documented
> "feature" that certainly appears to do the same thing be
> accepted in GNUware?
>
> --

+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:        C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 24 6:48:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sprig.tougas.net (h24-66-217-148.xx.wave.shaw.ca [24.66.217.148]) by hub.freebsd.org (Postfix) with ESMTP id 0CBBB37BD05 for ; Thu, 24 Feb 2000 06:48:52 -0800 (PST) (envelope-from dtougas@sprig.tougas.net)
Received: (from dtougas@localhost) by sprig.tougas.net (8.9.3/8.9.3) id HAA04743; Thu, 24 Feb 2000 07:50:32 -0700 (MST) (envelope-from dtougas)
Date: Thu, 24 Feb 2000 07:50:32 -0700
From: Damien Tougas To: David Pick Cc: freebsd-security@freebsd.org Subject: Re: SSH port forwarding Message-ID: <20000224075032.A4699@tougas.net> References: <20000223170457.A2185@tougas.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Thu, Feb 24, 2000 at 10:29:47AM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for your detailed diagram, that is great. I realized a while after I sent the question, that I was being brain dead, and did not fully grasp what was going on and was in fact not setting up my connection properly. Now that I have it set it up correctly, it all makes sense to me now. This seems like an easy way to set up a VPN. The box is both doing NAT and the VPN, and hence makes it easy to use it as both an internet gateway as well as a VPN. I have heard this method referred to as a poor man's VPN, why? Are there better/more preferred methods of setting up a VPN? SKIP or IPSEC? Why would I want to use one of those instead? Would I need two boxes to achieve the same functionality? -- Damien Tougas, P.Eng. Phone: (780)434-5889 Fax: (780)434-5889 E-mail: damien@tougas.net http://www.tougas.net On Thu, Feb 24, 2000 at 10:29:47AM +0000, David Pick wrote: > > > I am looking at setting up a VPN using the SSH port forwarding > > features, but I have a question: > > > > I have inetd listening on port X for ppp connections. I set > > up SSH on the client machine to pass all packets going from port X > > on the client to port X on the server through the secure channel. > > > > After starting ppp, I do netstat -a and realize that the actual ppp > > connection is taking place on random port Y. My question is, is SSH > > smart enough to realize this has taken place and encrypt the session > > on port Y as well? 
If not, how do I set it up so that the random > > port picked during the negotiation process is also sent through > > the secure channel? > > Ah, which ports are you talking about? A typical port-forwarding > setup looks like this when in progress: > > Client Machine Server Machine > +----------------------+ +-----------------------+ > ! User process ! ! Server process ! > ! +--------------+ ! ! +----------------+ ! > ! ! ! ! ! ! ! ! > ! ! --+--+ ! <- A D -> ! +--+-- ! ! > ! ! ! ! ! ! ! ! ! ! > ! +--------------+ ! ! ! ! +----------------+ ! > ! ! ! ! ! ! > ! SSH client ! ! ! ! SSH server ! > ! +--------------+ ! ! ! ! +----------------+ ! > ! ! ! ! ! ! ! ! ! ! > ! ! (--+--+ ! <- B C -> ! +--+--) ! ! > ! ! ( ! ! SSH tunnel ! ! ) ! ! > ! ! (==+================================+====+==) ! ! > ! ! ! ! ! ! ! ! > ! +--------------+ ! ! +----------------+ ! > ! ! ! ! > +----------------------+ +-----------------------+ > > Your server process will be listening on its normal port number (D). > > The ssh client will often be listening on the same port number (B). It has > to be told which port to linten on and what address and port the SSH server > should be told to use at the other end. > > The user process will use an arbitary port (A). It has to be told to contact > the SSH client (on port (B)) instead of contacting the server process directly. > > The SSH server will use an arbitary port when forwarding the connection > from itself to the server process (C). > > So which ports do you think are wrong? And on which machine? 
>
> --
> David Pick

From owner-freebsd-security Thu Feb 24 7:15: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 91F9F37BD63 for ; Thu, 24 Feb 2000 07:14:57 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA11937; Thu, 24 Feb 2000 07:13:39 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11935; Thu Feb 24 07:13:29 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA07293; Thu, 24 Feb 2000 07:13:28 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdIF7291; Thu Feb 24 07:12:50 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA11289; Thu, 24 Feb 2000 07:12:50 -0800 (PST)
Message-Id: <200002241512.HAA11289@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdK11284; Thu Feb 24 07:12:16 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
X-Sender: cy
To: Damien Tougas
Cc: David Pick , freebsd-security@FreeBSD.ORG
Subject: Re: SSH port forwarding
In-reply-to: Your message of "Thu, 24 Feb 2000 07:50:32 MST." <20000224075032.A4699@tougas.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 24 Feb 2000 07:12:15 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000224075032.A4699@tougas.net>, Damien Tougas writes:
> Thanks for your detailed diagram, that is great. I realized a while
> after I sent the question, that I was being brain dead, and did not
> fully grasp what was going on and was in fact not setting up my
> connection properly. Now that I have it set up correctly, it all
> makes sense to me now.
>
> This seems like an easy way to set up a VPN. The box is both doing
> NAT and the VPN, and hence makes it easy to use it as both an
> internet gateway as well as a VPN. I have heard this method referred
> to as a poor man's VPN, why? Are there better/more preferred
> methods of setting up a VPN? SKIP or IPSEC? Why would I want to
> use one of those instead? Would I need two boxes to achieve the same
> functionality?

You may want to try pipsecd in the ports collection. Also, 4.0 will
have KAME IPsec built into it. I've been using pipsecd since the summer
between FreeBSD and Linux boxes. It implements IPsec using the BSD
Tunnel Interface.

I've heard on this list that SKIP isn't that stable under FreeBSD. A
coworker of mine uses SKIP on a Sun. He tells me it's not much more
stable on Solaris either.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
    "COBOL IS A WASTE OF CARDS."

From owner-freebsd-security Thu Feb 24 7:40:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 9DEA637BECB for ; Thu, 24 Feb 2000 07:40:35 -0800 (PST) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 12O0NG-0005vw-00; Thu, 24 Feb 2000 15:40:18 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 12O0NE-0005Pe-00; Thu, 24 Feb 2000 15:40:16 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: Damien Tougas
Cc: freebsd-security@freebsd.org
Subject: Re: SSH port forwarding
In-reply-to: Your message of "Thu, 24 Feb 2000 07:50:32 MST." <20000224075032.A4699@tougas.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 24 Feb 2000 15:40:16 +0000
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> This seems like an easy way to set up a VPN. The box is both doing
> NAT and the VPN, and hence makes it easy to use it as both an
> internet gateway as well as a VPN. I have heard this method referred
> to as a poor man's VPN, why? Are there better/more preferred
> methods of setting up a VPN? SKIP or IPSEC? Why would I want to
> use one of those instead? Would I need two boxes to achieve the same
> functionality?

SSH is:
1) reliable now
2) available now
3) easier to set up in small/simple cases
4) available on multiple platforms
5) doesn't "do" UDP &c without extra code

IPSEC is:
1) better (more thought) designed
2) more extensible and scales better
3) harder to set up in simple/small cases
4) not so easily available/installed
5) does all IP packet types, not just TCP
6) probably the future especially with IPv6

SKIP is:
1) unknown to me except by reputation

--
David Pick

From owner-freebsd-security Thu Feb 24 8:57:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from acc0.visti.net (acc0.visti.net [195.64.225.233]) by hub.freebsd.org (Postfix) with ESMTP id F020237BF1D for ; Thu, 24 Feb 2000 08:56:57 -0800 (PST) (envelope-from karp@visti.net)
Received: from lab.visti.net (lab.visti.net [195.64.225.242]) by acc0.visti.net (8.8.8-Elvisti-980428/8.8.8) with ESMTP id SAA16065 for ; Thu, 24 Feb 2000 18:56:55 +0200 (EET)
Received: from localhost (karp@localhost) by lab.visti.net (8.9.3/8.9.3) with ESMTP id SAA25414 for ; Thu, 24 Feb 2000 18:56:53 +0200 (EET)
X-Authentication-Warning: lab.visti.net: karp owned process doing -bs
Date: Thu, 24 Feb 2000 18:56:53 +0200 (EET)
From: Alexander Karptsov
To: freebsd-security@freebsd.org
Subject: mysterious behaviour of the ipfw ...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi !

My perl script, which gets counters' statistics from "ipfw show |",
mysteriously warns me from time to time. When I added debug mode to it
I saw next (please note: my ipfw begins with rule number 100
and ip number 10/8):

---begin---

ipfw: impossible
00000 72058736529113354 18446744073709551615 deny ip from 56.2.0.0:25.0.0.0 to any tcpflg fin
00000 856036610469789962 18446744073709551615 deny ip from 57.2.0.0:25.0.0.0 to any tcpflg fin
00000 72057637017485578 18446744073709551615 deny ip from 58.2.0.0:110.0.0.0 to any tcpflg fin
00000 72058736529113354 18446744073709551615 deny ip from 59.2.0.0:110.0.0.0 to any tcpflg fin
00000 856036610469789962 18446744073709551615 deny ip from 60.2.0.0:110.0.0.0 to any tcpflg fin
00000 29884682 4294967295 deny ip from any to any tcpflg fin
00000 29884682 4294967295 deny ip from any to any tcpflg fin
00000 18446744069414584320 18446744073709551615 deny ip from 63.2.0.0:68.0.67.0 to any
00000 0 0 deny ip from any to any tcpflg fin
00000 0 0 deny ip from any to any tcpflg fin
00000 0 0 deny ip from any to any
00000 199311555 4294967295 deny ip from any to any
00000 0 0 deny ip from 233.253.0.0:80.0.0.0 to any tcpflg fin
00000 0 0 deny ip from 234.253.0.0:80.0.0.0 to any tcpflg fin
00000 0 0 deny ip from any to any
00115 0 0 skipto 65000 tcp from 10.0.1.1 to 10.1.0.1 110 in recv fxp1
00117 3732 392720 count ip from 10.0.1.1 to any in recv fxp1
00118 3732 392720 skipto 65000 ip from 10.0.1.1 to any in recv fxp1

....

53625 0 0 deny ip from 164.129.1.0:157.45.0.0 to any ipopt !ssrr,!rr tcpflg fin,syn
00000 424016351330304 58304181043200

----end-----

line 115 is first from my rules which left (100..114 disappeared),
and rules from 65000 and below also disappeared.

Can anyone comment on this? Thanks.

P.S.
$uname -sr
FreeBSD 3.4-19991223-STABLE

From owner-freebsd-security Thu Feb 24 9:22:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Proxy.wertep.com (relay2.wertep.com [194.44.90.130]) by hub.freebsd.org (Postfix) with ESMTP id 2E47337BCEF for ; Thu, 24 Feb 2000 09:22:29 -0800 (PST) (envelope-from yuro@wertep.com)
Received: from She.wertep.com (she-tun-proxy [192.168.252.2]) by Proxy.wertep.com (8.9.3/8.9.3) with ESMTP id TAA69880; Thu, 24 Feb 2000 19:22:22 +0200 (EET) (envelope-from yuro@wertep.com)
Received: from localhost (yuro@localhost) by She.wertep.com (8.9.3/8.9.3) with ESMTP id TAA02688; Thu, 24 Feb 2000 19:22:22 +0200 (EET) (envelope-from yuro@wertep.com)
Date: Thu, 24 Feb 2000 19:22:22 +0200 (EET)
From: Hupalo Yurij
To: Alexander Karptsov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mysterious behaviour of the ipfw ...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,
update ipfw to kernel version...
maybe ipfw is out of the date...

On Thu, 24 Feb 2000, Alexander Karptsov wrote:

> Hi !
>
> My perl script, which gets counters' statistics from "ipfw show |",
> mysteriously warns me from time to time. When I added debug mode to it
> I saw next (please note: my ipfw begins with rule number 100
> and ip number 10/8):
>
> ---begin---
>
> ipfw: impossible
> 00000 72058736529113354 18446744073709551615 deny ip from 56.2.0.0:25.0.0.0 to any tcpflg fin
> 00000 856036610469789962 18446744073709551615 deny ip from 57.2.0.0:25.0.0.0 to any tcpflg fin
> 00000 72057637017485578 18446744073709551615 deny ip from 58.2.0.0:110.0.0.0 to any tcpflg fin
> 00000 72058736529113354 18446744073709551615 deny ip from 59.2.0.0:110.0.0.0 to any tcpflg fin
> 00000 856036610469789962 18446744073709551615 deny ip from 60.2.0.0:110.0.0.0 to any tcpflg fin
> 00000 29884682 4294967295 deny ip from any to any tcpflg fin
> 00000 29884682 4294967295 deny ip from any to any tcpflg fin
> 00000 18446744069414584320 18446744073709551615 deny ip from 63.2.0.0:68.0.67.0 to any
> 00000 0 0 deny ip from any to any tcpflg fin
> 00000 0 0 deny ip from any to any tcpflg fin
> 00000 0 0 deny ip from any to any
> 00000 199311555 4294967295 deny ip from any to any
> 00000 0 0 deny ip from 233.253.0.0:80.0.0.0 to any tcpflg fin
> 00000 0 0 deny ip from 234.253.0.0:80.0.0.0 to any tcpflg fin
> 00000 0 0 deny ip from any to any
> 00115 0 0 skipto 65000 tcp from 10.0.1.1 to 10.1.0.1 110 in recv fxp1
> 00117 3732 392720 count ip from 10.0.1.1 to any in recv fxp1
> 00118 3732 392720 skipto 65000 ip from 10.0.1.1 to any in recv fxp1
>
> ....
>
> 53625 0 0 deny ip from 164.129.1.0:157.45.0.0 to any ipopt !ssrr,!rr tcpflg fin,syn
> 00000 424016351330304 58304181043200
>
> ----end-----
>
> line 115 is first from my rules which left (100..114 disappeared),
> and rules from 65000 and below also disappeared.
>
>
> Can anyone comment on this? Thanks.
>
> P.S.
> $uname -sr
> FreeBSD 3.4-19991223-STABLE
>

From owner-freebsd-security Thu Feb 24 9:25:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.caprice.mb.ca (caprice.mb.ca [205.200.216.3]) by hub.freebsd.org (Postfix) with ESMTP id CC53737C257 for ; Thu, 24 Feb 2000 09:25:01 -0800 (PST) (envelope-from grub@grub.net)
Received: from grub.net (grub@grub.caprice.mb.ca [205.200.216.10]) by mail.caprice.mb.ca (8.9.3/8.9.3) with ESMTP id LAA01547; Thu, 24 Feb 2000 11:24:55 GMT (envelope-from grub@grub.net)
Message-ID: <38B56A49.74D5C091@grub.net>
Date: Thu, 24 Feb 2000 11:28:41 -0600
From: Gordon Grieder
Organization: blah
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Alexander Karptsov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mysterious behaviour of the ipfw ...
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alexander Karptsov wrote:
>
> Hi !
>
> My perl script, which gets counters' statistics from "ipfw show |",
> mysteriously warns me from time to time. When I added debug mode to it
> I saw next (please note: my ipfw begins with rule number 100
> and ip number 10/8):

[snip]

I'm just starting to look into this odd behaviour that has been
affecting a machine here for a couple of weeks, I wonder if it's related
to your problem. FreeBSD 3.1-RELEASE (yeah, yeah) and IPFW.

ipfw show returns:

00100 0 0 allow ip from any to any via lo0
00000 127 858993459455 deny 161 from any to any
00000 0 0 deny ip from 0.0.0.0:103.102.181.56 to any

My rules are not showing up but are indeed in effect. I have no idea
about this rule 00000 that should not be there.

Each time I show the status, the information for rule 00000 seems to
change.

5 pastes from 5 ipfw shows:
00000 127 858993459455 deny 233 from any to any
00000 127 858993459455 deny udp from any 0,0,0,0,0,0,0,0,0,0,0 to any 0,0,0,0,0,0,0,0,0,0,0,0,0,0
00000 127 858993459455 deny kryptolan from any to any
00000 127 858993459455 deny scps from any to any
00000 127 858993459455 deny 241 from any to any

Any ideas are welcome, and yes, I will be upgrading to 3.4. I'm just
curious as to what is causing this.
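
The symptoms reported in the two messages above (rule number 00000, counters with every bit set, a line with no rule body, a listing that no longer ends at the default rule) can be checked mechanically before a statistics script trusts the counters. The following is an added example, not code from any poster or from ipfw itself: the audit() function and its reason labels are hypothetical, the first sample is copied from the listing posted in this thread, and the last line of the healthy sample is constructed.

```python
import re

# Assumptions of this sketch: stored rule numbers start at 1, and a complete
# listing ends with ipfw's built-in default rule, number 65535.
DEFAULT_RULE = 65535
ALL_ONES = {2**32 - 1, 2**64 - 1}          # counter field with every bit set
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)(?:\s+(\S.*))?$")
MASKED_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+):(\d+\.\d+\.\d+\.\d+)\b")

# Lines copied from the first listing posted in this thread.
THREAD_SAMPLE = """\
ipfw: impossible
00000 72058736529113354 18446744073709551615 deny ip from 56.2.0.0:25.0.0.0 to any tcpflg fin
00000 29884682 4294967295 deny ip from any to any tcpflg fin
00000 0 0 deny ip from any to any
00115 0 0 skipto 65000 tcp from 10.0.1.1 to 10.1.0.1 110 in recv fxp1
00117 3732 392720 count ip from 10.0.1.1 to any in recv fxp1
53625 0 0 deny ip from 164.129.1.0:157.45.0.0 to any ipopt !ssrr,!rr tcpflg fin,syn
00000 424016351330304 58304181043200
"""

# The first two lines appear in the thread; the last line is constructed.
HEALTHY_SAMPLE = """\
00100 0 0 allow ip from any to any via lo0
00117 3732 392720 count ip from 10.0.1.1 to any in recv fxp1
65535 12 1440 deny ip from any to any
"""


def _contiguous(mask):
    """True if a dotted-quad mask is a run of 1 bits followed only by 0 bits."""
    octets = [int(o) for o in mask.split(".")]
    if any(o > 255 for o in octets):
        return False
    inverted = ~int.from_bytes(bytes(octets), "big") & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def audit(listing):
    """Return [(line_no, text, [reasons])] for suspicious `ipfw show` lines.

    A final entry with line_no 0 reports a listing that does not end at the
    default rule.
    """
    findings, previous, last_rule = [], 0, None
    for line_no, raw in enumerate(listing.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:                        # e.g. "ipfw: impossible"
            findings.append((line_no, line, ["not-a-rule-line"]))
            continue
        number, packets, octets = (int(m.group(i)) for i in (1, 2, 3))
        body, reasons = m.group(4), []
        if number == 0:
            reasons.append("rule-number-zero")
        if number < previous:                # listings are sorted by number
            reasons.append("out-of-order")
        if packets in ALL_ONES or octets in ALL_ONES:
            reasons.append("all-ones-counter")
        if octets < packets:                 # every packet has at least 1 byte
            reasons.append("bytes-below-packets")
        if body is None:
            reasons.append("no-rule-body")
        elif any(not _contiguous(mask) for _, mask in MASKED_RE.findall(body)):
            # ipfw accepts arbitrary masks, so this is a hint, not proof.
            reasons.append("non-contiguous-mask")
        if reasons:
            findings.append((line_no, line, reasons))
        previous = last_rule = number
    if last_rule != DEFAULT_RULE:
        findings.append((0, "", ["default-rule-missing"]))
    return findings


if __name__ == "__main__":
    for line_no, text, reasons in audit(THREAD_SAMPLE):
        print(line_no, ",".join(reasons), "|", text)
```

A script that reads counters can call audit() on each capture and discard the sample (keeping the raw text for later diagnosis) whenever the result is non-empty.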

From owner-freebsd-security Thu Feb 24 11:19:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from acc0.visti.net (acc0.visti.net [195.64.225.233]) by hub.freebsd.org (Postfix) with ESMTP id B9A4937B995 for ; Thu, 24 Feb 2000 11:19:01 -0800 (PST) (envelope-from karp@visti.net)
Received: from lab.visti.net (lab.visti.net [195.64.225.242]) by acc0.visti.net (8.8.8-Elvisti-980428/8.8.8) with ESMTP id VAA11788; Thu, 24 Feb 2000 21:18:59 +0200 (EET)
Received: from localhost (karp@localhost) by lab.visti.net (8.9.3/8.9.3) with ESMTP id VAA26977; Thu, 24 Feb 2000 21:18:57 +0200 (EET)
X-Authentication-Warning: lab.visti.net: karp owned process doing -bs
Date: Thu, 24 Feb 2000 21:18:57 +0200 (EET)
From: Alexander Karptsov
To: Hupalo Yurij
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mysterious behaviour of the ipfw ...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 24 Feb 2000, Hupalo Yurij wrote:

> Hi,
> update ipfw to kernel version...
> maybe ipfw is out of the date...
>

No, ipfw is from this stable.

$uname -sr
FreeBSD 3.4-19991223-STABLE
$

From owner-freebsd-security Thu Feb 24 11:36:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from acc0.visti.net (acc0.visti.net [195.64.225.233]) by hub.freebsd.org (Postfix) with ESMTP id A4D7C37BE08 for ; Thu, 24 Feb 2000 11:36:48 -0800 (PST) (envelope-from karp@visti.net)
Received: from lab.visti.net (lab.visti.net [195.64.225.242]) by acc0.visti.net (8.8.8-Elvisti-980428/8.8.8) with ESMTP id VAA14699; Thu, 24 Feb 2000 21:36:45 +0200 (EET)
Received: from localhost (karp@localhost) by lab.visti.net (8.9.3/8.9.3) with ESMTP id VAA27186; Thu, 24 Feb 2000 21:36:44 +0200 (EET)
X-Authentication-Warning: lab.visti.net: karp owned process doing -bs
Date: Thu, 24 Feb 2000 21:36:44 +0200 (EET)
From: Alexander Karptsov
To: Gordon Grieder
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mysterious behaviour of the ipfw ...
In-Reply-To: <38B56A49.74D5C091@grub.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 24 Feb 2000, Gordon Grieder wrote:

> Each time I show the status, the information for rule 00000 seems to
> change.

hm, strange,strange ... but this isn't true for me, I see this from time
to time, maybe once a day.

>
> 5 pastes from 5 ipfw shows:
> 00000 127 858993459455 deny 233 from any to any
> 00000 127 858993459455 deny udp from any 0,0,0,0,0,0,0,0,0,0,0 to any
> 0,0,0,0,0,0,0,0,0,0,0,0,0,0
> 00000 127 858993459455 deny kryptolan from any to any
> 00000 127 858993459455 deny scps from any to any
> 00000 127 858993459455 deny 241 from any to any
>
> Any ideas are welcome, and yes, I will be upgrading to 3.4. I'm just
> curious as to what is causing this.
>

From owner-freebsd-security Thu Feb 24 11:48:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from msk1.mail.ru (mx1.mail.ru [194.67.23.32]) by hub.freebsd.org (Postfix) with ESMTP id 4EB7137C24A; Thu, 24 Feb 2000 11:48:24 -0800 (PST) (envelope-from rakukin@mail.ru)
Received: from f4.int ([10.0.0.51] helo=f4.mail.ru) by msk1.mail.ru with esmtp (Exim 3.02 #116) id 12O4Jw-00083J-00; Thu, 24 Feb 2000 22:53:08 +0300
Received: from mail by f4.mail.ru with local (Exim 3.02 #112) id 12O4Et-0001Zs-00; Thu, 24 Feb 2000 22:47:55 +0300
Received: from [194.85.224.35] by koi.mail.ru with HTTP; Thu, 24 Feb 2000 19:47:55 +0000 (GMT)
From: "A. Rakukin"
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: X authorization
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: 194.85.229.131 via proxy [194.85.224.35]
Reply-To: "A. Rakukin"
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Thu, 24 Feb 2000 22:47:55 +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi to all,

Would be grateful for help or explanation. I used to think that by default
nobody can run anything on my display. But now I revealed that it is enough
to export DISPLAY on remote host to access my xserver. 'xhost' on the server
(that has been accessed) says that

access control enabled, only authorized clients can connect

and nothing more. What is the possible source of the problem?
I have not customized any authorization mechanisms...
I run FreeBSD 3.4.

Thank you,
Alex

From owner-freebsd-security Thu Feb 24 11:51:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 8136937BE41 for ; Thu, 24 Feb 2000 11:51:19 -0800 (PST) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id NAA22705; Thu, 24 Feb 2000 13:51:07 -0600 (CST) (envelope-from jeff-ml@mountin.net)
Received: from dial-95.max1.wa.cyberlynk.net(207.227.118.95) by peak.mountin.net via smap (V1.3) id sma022691; Thu Feb 24 13:50:52 2000
Message-Id: <3.0.3.32.20000224134938.00a19830@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 24 Feb 2000 13:49:38 -0600
To: Cy Schubert - ITSD Open Systems Group
From: "Jeffrey J. Mountin"
Subject: Re: FWTK for SMTP
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200002241429.GAA11133@cwsys.cwsent.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:29 AM 2/24/00 -0800, Cy Schubert - ITSD Open Systems Group wrote:
>This question was asked a number of years ago either here or BUGTRAQ.
>The answer given was that FWTK's smap did not have any anti-spam
>facility. I'm not sure whether it has changed or not. If it has not,
>you may want to check out the smtpd port in the ports collection. It
>does the same function as smap using a similar process, and it has an
>anti-spam facility.

That depends on the version of smap. Using an old, very changed smap. ;)

As for diffs/patches/source I'd need to look at the license, ask another
party, and preferably make some changes. Have limited time for the last
part, but need to test it on 4.0 fairly soon and track down a minor bug at
a minimum.

Haven't looked, but wonder if they changed smap to either spawn children or
if it's multi-threaded. Was one drawback to using smap compared to an MTA
directly. The question should be asked about smtpd. A busy server would
need the ability to handle more than one connection or risk falling behind.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Thu Feb 24 11:53:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mel.alcatel.fr (mel.alcatel.fr [212.208.74.132]) by hub.freebsd.org (Postfix) with ESMTP id 8604137C290 for ; Thu, 24 Feb 2000 11:53:52 -0800 (PST) (envelope-from Stephane.Lentz@ansf.alcatel.fr)
Received: from aifhs2.alcatel.fr (mailhub.alcatel.fr [155.132.180.80]) by mel.alcatel.fr (ALCANET/SMTP) with ESMTP id UAA01688; Thu, 24 Feb 2000 20:45:28 +0100
From: Stephane.Lentz@ansf.alcatel.fr
Received: from nsfws7.ansf.alcatel.fr (nsfws7.ansf.alcatel.fr [155.132.195.132]) by aifhs2.alcatel.fr (ALCANET/SMTP2) with ESMTP id UAA01158; Thu, 24 Feb 2000 20:50:19 +0100 (MET)
Received: (from angel@localhost) by nsfws7.ansf.alcatel.fr (ALCANET/SMTP) id UAA31639; Thu, 24 Feb 2000 20:51:44 +0100
Date: Thu, 24 Feb 2000 20:51:44 +0100
To: Cy Schubert - ITSD Open Systems Group
Cc: "Chutima S." , freebsd-security@FreeBSD.ORG
Subject: Re: FWTK for SMTP
Message-ID: <20000224205144.A31621@nsfws7.ansf.alcatel.fr>
Reply-To: Stephane.Lentz@ansf.alcatel.fr
References: <20000224114310.PVOW28348.mta04.onebox.com@onebox.com> <200002241429.GAA11133@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200002241429.GAA11133@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Thu, Feb 24, 2000 at 06:29:21AM -0800
Organization: Alcanet International
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 24, 2000 at 06:29:21AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20000224114310.PVOW28348.mta04.onebox.com@onebox.com>,
> > ...
> > I'm looking for tool for proxy smtp and pop3. Many people suggest to
> > use FWTK, so I read man page about smap, smapd, plug-gw from fwtk. I
> > understand that for smtp I can use plug-gw or smap&smapd. Is there any
> > security topic for me to choose them. And for pop3 I plan to use plug-gw.
>
> This question was asked a number of years ago either here or BUGTRAQ.
> The answer given was that FWTK's smap did not have any anti-spam
> facility. I'm not sure whether it has changed or not. If it has not,
> you may want to check out the smtpd port in the ports collection. It
> does the same function as smap using a similar process, and it has an
> anti-spam facility.

Anti-spam Patches do exist :
check http://www.fwtk.org/fwtk/patches/patches.html#2.2

Stephane.
--

From owner-freebsd-security Thu Feb 24 11:57:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id EB8E937C38A; Thu, 24 Feb 2000 11:57:29 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id LAA41772; Thu, 24 Feb 2000 11:57:15 -0800 (PST) (envelope-from dillon)
Date: Thu, 24 Feb 2000 11:57:15 -0800 (PST)
From: Matthew Dillon
Message-Id: <200002241957.LAA41772@apollo.backplane.com>
To: "A. Rakukin"
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: X authorization
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Hi to all,
:
:Would be grateful for help or explanation. I used to think that by default
:nobody can run anything on my display. But now I revealed that it is enough
:to export DISPLAY on remote host to access my xserver. 'xhost' on the server
:(that has been accessed) says that
:
:access control enabled, only authorized clients can connect
:
:and nothing more. What is the possible source of the problem?
:I have not customized any authorization mechanisms...
:I run FreeBSD 3.4.
:
:Thank you,
:Alex

I'll bet you are using ssh.

Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
machine B to point to machine A will not give machine B access to
machine A's X display. Machine A must give machine B access, typically
through the 'xhost' command.

However, some programs will tunnel X sessions automatically. ssh is
one of these. If you are sitting on machine A and you ssh to machine B,
you will then be able to run X binaries on machine B and have them show
up on machine A's display. The X protocol will run through the 'secure'
ssh session.

I don't know many people who do this, at least not between two local
machines sitting on the same LAN, because running an X client through
an encrypted ssh session tends to really slow down the client.

-Matt
Matthew Dillon

From owner-freebsd-security Thu Feb 24 12:35:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from naiad.eclipse.net.uk (naiad.eclipse.net.uk [195.188.32.29]) by hub.freebsd.org (Postfix) with ESMTP id E9FD137B881 for ; Thu, 24 Feb 2000 12:35:12 -0800 (PST) (envelope-from sthen@naiad.eclipse.net.uk)
Received: by naiad.eclipse.net.uk (Postfix, from userid 475) id C5383142CC; Thu, 24 Feb 2000 20:35:03 +0000 (GMT)
Date: Thu, 24 Feb 2000 20:35:03 +0000
From: Stuart Henderson
To: Stephane.Lentz@ansf.alcatel.fr
Cc: Cy Schubert - ITSD Open Systems Group , "Chutima S." , freebsd-security@FreeBSD.ORG
Subject: Re: FWTK for SMTP
Message-ID: <20000224203503.K54067@naiad.eclipse.net.uk>
References: <20000224114310.PVOW28348.mta04.onebox.com@onebox.com> <200002241429.GAA11133@cwsys.cwsent.com> <20000224205144.A31621@nsfws7.ansf.alcatel.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.1.2i
In-Reply-To: <20000224205144.A31621@nsfws7.ansf.alcatel.fr>; from Stephane.Lentz@ansf.alcatel.fr on Thu, Feb 24, 2000 at 08:51:44PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 24, 2000 at 08:51:44PM +0100, Stephane.Lentz@ansf.alcatel.fr wrote:
> On Thu, Feb 24, 2000 at 06:29:21AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> > In message <20000224114310.PVOW28348.mta04.onebox.com@onebox.com>,
> > > ...
> > > I'm looking for tool for proxy smtp and pop3. Many people suggest to
> > > use FWTK, so I read man page about smap, smapd, plug-gw from fwtk. I
> > > understand that for smtp I can use plug-gw or smap&smapd. Is there any
> > > security topic for me to choose them. And for pop3 I plan to use plug-gw.
> >
> > This question was asked a number of years ago either here or BUGTRAQ.
> > The answer given was that FWTK's smap did not have any anti-spam
> > facility. I'm not sure whether it has changed or not. If it has not,
> > you may want to check out the smtpd port in the ports collection. It
> > does the same function as smap using a similar process, and it has an
> > anti-spam facility.
>
> Anti-spam Patches do exist :
> check http://www.fwtk.org/fwtk/patches/patches.html#2.2

Check correct operation of your server after applying these patches.
Specifically, check that smapd doesn't do this...

20:24> /usr/home/sthen:naiad$ telnet ##### 25
Trying #####...
Connected to #####.
Escape character is '^]'.
220 ##### SMTP/smap Ready.
helo naiad.eclipse.net.uk
250 (naiad.eclipse.net.uk) pleased to meet you.
mail from: <>
Connection closed by foreign host.
[status 1]

From owner-freebsd-security Thu Feb 24 12:46:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id C706237B8F0 for ; Thu, 24 Feb 2000 12:46:22 -0800 (PST) (envelope-from bokr@accessone.com)
Received: from [129.250.38.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 12O59L-0002AC-00; Thu, 24 Feb 2000 20:46:15 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp4.email.verio.net with smtp (Exim 3.12 #7) id 12O59F-0001MY-00; Thu, 24 Feb 2000 20:46:10 +0000
Message-Id: <3.0.5.32.20000224124813.008fce80@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Thu, 24 Feb 2000 12:48:13 -0800
To: Omachonu Ogali
From: Bengt Richter
Subject: Re: Security hole in GNOME
Cc: eighner@io.com (Lars Eighner), freebsd-security@freebsd.org
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I did do "man iceauth" and I did search via Alta Vista, and Lars Eighner
is right about the scarcity of information in those areas. I would welcome
a fix to the man pages (I am running 3.3-RELEASE, perhaps it's been fixed?).

I do think calling .ICEauthority a "spy file" borders on FUDspam.

OTOH, if the attempt to contact an external name server is bound to be
useless (as you suggest it will be for a non-existent hostname), then it
might be nice to be able to configure X safely not to call.

I saw someplace advice to delete the .ICEauthority file if the X server
takes a long time to start up, but with no explanation. Is this a
sanctioned procedure? (Actually, I tried it, and a new .ICEauthority is
created on the next startx. If you "hd .ICEauthority" you see some text
including "ICE" and "tcp:xxxx" and several "MIT-MAGIC-COOKIE-1" and
":/tmp/.ICE-unix/yyy" and looking in the latter directory, I find a new
socket yyy). So the advice may not accomplish much, I guess. Will have to
look in the sources when I get time.

BTW ;-), does the "ICE" relate to the Jargon File's definition? :
--
ice
[coined by USENETter Tom Maddox, popularized by William Gibson's
cyberpunk SF novels: a contrived acronym for `Intrusion Countermeasure
Electronics'] Security software (in Gibson's novels, software that
responds to intrusion by attempting to literally kill the intruder).
Also, `icebreaker': a program designed for cracking security on a system.
--

If the lack of man and other info is an instance of security-by-obscurity,
that would seem a concern. I'm for more light, and less FUD.

Regards,
Bengt Richter

At 09:08 2000-02-24 -0500, you wrote:
>ICEauthority is NOT for calling someone up, it is used for authentication
>between two XWindows servers, it does not transmit information, rather it
>protects your XWindows server from being tampered with by defining an
>access list of what clients/hostnames are allowed to access your server,
>and most of the time that list only contains your local hostname. IF
>you sat down and ran tcpdump you would see its trying to resolve the
>hostname you specified for your machine which doesn't exist probably
>and is calling an external name server to help it, before you go off
>spreading rumors, try to sit down and study it.
>
>On Thu, 24 Feb 2000, Lars Eighner wrote:
>
>>
>> bokr@accessone.com (Bengt Richter) wrote:
>> |On Wed, 23 Feb 2000 07:52:37 -0600, eighner@io.com (Lars Eighner)
>> |wrote:
>> |
>> |>
>> |>FreeBSD users should be aware that the stable ports of GNOME
>> |>will install a spy file named .ICEauthority and information
>> |>about your system will be transmitted every time a GNOME function
>> |>is invoked.
>>
>> |Can you back up your information, please? Note following:
>> |
>> |--begin inclusion--
>> |Date: Wed, 23 Feb 2000 18:57:56 -0500 (EST)
>> |From: Omachonu Ogali
>> |To: Bengt Richter
>> |cc: freebsd-security@FreeBSD.ORG
>> |Subject: Re: NG report of "Security hole in GNOME"
>> |
>> |That's completely untrue. .ICEauthority has been around for a while
>> |and if
>> |you peek at it you'll see it contains authentication information for
>> |the X
>> |server, sort of like an xhost (I think). Do man iceauth to read on it
>> |more, and do us a favor and relay this back to the newsgroup...
>>
>> Well, *did* you do man iceauth? If you had you would have found
>> one little paragraph that refers to commands described "below"
>> but of course there is no "below." None the less, it should be
>> clear that the purpose of iceauth is to transmit information about
>> one system to another system.
Furthermore, when you invoke a >> GNOME session or one of the GNOME applications, it will bring up >> the ppp link and call someone. Suppose MicroSoft made Windows >> call them up every time Windows was used? People would be >> screaming bloody murder. Why should this behavior be acceptable >> from GNOME? >> >> Moreover, if this behavior were on the up and up, why wouldn't >> there be some reasonable documentation? And why isn't there a >> way to disable this behavior for machines that are not on an >> intranet -- which is the only situation in which this behavior >> might be desirable. Try typing ICEauthority or iceauth into >> a few of your favorite search engines. There simply is no >> explanation of what this is or why anyone thinks it is desirable. >> There is one FAQ in French which is a puzzle to me, but which >> has be interpreted for me by another correspondent to the >> effect that the purpose of ICEauthority is to brand users >> with software along the lines of what the Pentium III chip >> attempts to do with hardware. Again, when Intel does it, >> everyone yelps: so why exactly should such a vaguely documented >> "feature" that certainly appears to do the same thing be >> accept in GNUware? 
>> >> > >-- >+-------------------------------------------------------------------------+ >| Omachonu Ogali oogali@intranova.net | >| Intranova Networking Group http://tribune.intranova.net | >| PGP Key ID: 0xBFE60839 | >| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 | >+-------------------------------------------------------------------------+ > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 24 15:53:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 3F63E37BCCB for ; Thu, 24 Feb 2000 15:53:24 -0800 (PST) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id RAA24385; Thu, 24 Feb 2000 17:53:16 -0600 (CST) (envelope-from jeff-ml@mountin.net) Received: from dial-98.max1.wa.cyberlynk.net(207.227.118.98) by peak.mountin.net via smap (V1.3) id sma024382; Thu Feb 24 17:52:56 2000 Message-Id: <3.0.3.32.20000224175152.007e07a0@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 24 Feb 2000 17:51:52 -0600 To: Stuart Henderson 
From: "Jeffrey J. Mountin" Subject: Re: FWTK for SMTP Cc: security@FreeBSD.ORG In-Reply-To: <20000224203503.K54067@naiad.eclipse.net.uk> References: <20000224205144.A31621@nsfws7.ansf.alcatel.fr> <20000224114310.PVOW28348.mta04.onebox.com@onebox.com> <200002241429.GAA11133@cwsys.cwsent.com> <20000224205144.A31621@nsfws7.ansf.alcatel.fr> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 08:35 PM 2/24/00 +0000, Stuart Henderson wrote:
>>
>> Anti-spam Patches do exist : check http://www.fwtk.org/fwtk/patches/patches.html#2.2
>
>Check correct operation of your server after applying
>these patches. Specifically, check that smapd doesn't do
>this...
>
>20:24> /usr/home/sthen:naiad$ telnet ##### 25
>Trying #####...
>Connected to #####.
>Escape character is '^]'.
>220 ##### SMTP/smap Ready.
>helo naiad.eclipse.net.uk
>250 (naiad.eclipse.net.uk) pleased to meet you.
>mail from: <>
>Connection closed by foreign host.
>[status 1]

That's nasty. Why doesn't it send back a 5xx error for an empty envelope value? A lot of mailer-daemon error messages are sent with a blank like this and without an error code...

Should see how much the code has improved. Last time I looked at a newer version the coding style still left a bit to be desired, IMO.

Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 24 17:19: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id A3A5A37BC74 for ; Thu, 24 Feb 2000 17:18:57 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de) Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id CAA19565; Fri, 25 Feb 2000 02:13:18 +0100 Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id BAA49678; Fri, 25 Feb 2000 01:39:06 +0100 (CET) Date: Fri, 25 Feb 2000 01:39:06 +0100 (CET) 
From: Juergen Lock Message-Id: <200002250039.BAA49678@saturn.kn-bremen.de> To: jeff-ml@mountin.net Subject: Re: FWTK for SMTP X-Newsgroups: local.list.freebsd.security In-Reply-To: <3.0.3.32.20000224134938.00a19830@207.227.119.2> References: Organization: home Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In article <3.0.3.32.20000224134938.00a19830@207.227.119.2> you write:
>At 06:29 AM 2/24/00 -0800, Cy Schubert - ITSD Open Systems Group wrote:
>>This question was asked a number of years ago either here or BUGTRAQ.
>>The answer given was that FWTK's smap did not have any anti-spam
>>facility. I'm not sure whether it has changed or not. If it has not,
>>you may want to check out the smtpd port in the ports collection. It
>>does the same function as smap using a similar process, and it has an
>>anti-spam facility.
>
>That depends on the version of smap. Using an old, very changed smap. ;)
>
>As for diffs/patches/source I'd need to look at the license, ask another
>party, and preferably make some changes. Have limited time for the last
>part, but need to test it on 4.0 fairly soon and track down a minor bug at
>a minimum.
>
>Haven't looked, but wonder if they changed smap to either spawn children or
>if it's multi-threaded. Was one drawback to using smap compared to an MTA
>directly.

It fork()s. or it can run off inetd (which afaik always was true).

Btw anyone who wants to run it should (other than some stop-relaying patch) apply at least the fix in ports/14826, otherwise you may end up with mails cut in half.

wondering why this simple fix still hasn't been committed...

-- Juergen Lock (remove dot foo from address to reply) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 24 18:36:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from sprout.cgf.net (adsl-207-215-8-122.dsl.snfc21.pacbell.net [207.215.8.122]) by hub.freebsd.org (Postfix) with ESMTP id D9F0937BD7F; Thu, 24 Feb 2000 18:36:46 -0800 (PST) (envelope-from tomb@cgf.net) Received: from cgf.net (localhost.cgf.net [127.0.0.1]) by sprout.cgf.net (8.9.3/8.9.3) with ESMTP id SAA02074; Thu, 24 Feb 2000 18:36:50 -0800 (PST) (envelope-from tomb@cgf.net) Message-ID: <38B5EAC2.5063CC6@cgf.net> Date: Thu, 24 Feb 2000 18:36:50 -0800 
From: tom brown Organization: Badger Baisters (We do it with Lard) X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.4-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: "A. Rakukin" Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: X authorization References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"A. Rakukin" wrote:

> Hi to all,
>
> Would be grateful for help or explanation. I used to think that by default
> nobody can run anything on my display. But now I revealed that it is enough
> to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> (that has been accessed) says that
>
> access control enabled, only authorized clients can connect
>
> and nothing more. What is the possible source of the problem?
> I have not customized any authorization mechanisms...
> I run FreeBSD 3.4.
>
> Thank you,
> Alex
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

If you are really bothered by this you could apply IPFW filters to ports between 6000-6100 to prevent any connection to the X system.

I think that there is also a kerberos token based scheme of authentication. I've never used it but details are at :
http://www.xfree86.org

If you want to know more about the vulnerabilities of X:
http://packetstorm.securify.com/opensec-exploits/exploits/netapps/x-win/

Tom

Tom

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 25 7:59:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 739BA37C31F for ; Fri, 25 Feb 2000 07:59:22 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA24685; Fri, 25 Feb 2000 12:59:27 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <200002251559.MAA24685@ns1.via-net-works.net.ar> Subject: PAM and quotas To: freebsd-security@freebsd.org Date: Fri, 25 Feb 2000 12:59:26 -0300 (GMT) Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello:

Sorry if this is not the correct forum to post this, but I think it's on-charter.

I want my POP3 and FTP users to authenticate via an SQL database (Postgres). Reasons:

-I want to add/delete users in a transactional way.
-Centralized management.
-Protection in case of malconfiguration from users forwarding ports via ssh.

My first move was to try to make my pop3d and ftpd (wu-ftpd, but I can change it if needed) to use a dbm. The idea was to recreate the dbm from scratch on each change of the SQL. I can handle the overhead. But a problem arises: If the user is not on /etc/passwd he can't have quotas (or am I wrong here?) and I need them.

So I thought I could use PAM instead by fetching from somewhere (or writing) a PAM-SQL module. But the problem remains: is there a way I can make quotas and PAM work together?

Any help/pointer will be very appreciated.

Thanks and regards.

Fernando P. Schapachnik
Administración de la red
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar (54-11) 4323-3333 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 25 9: 7: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.datais.com (mail.targetnet.com [207.245.246.3]) by hub.freebsd.org (Postfix) with ESMTP id 16AF337C2F5 for ; Fri, 25 Feb 2000 09:07:00 -0800 (PST) (envelope-from james@targetnet.com) Received: from james by mail.datais.com with local (Exim 3.02 #1) id 12OOC0-0009Bv-00; Fri, 25 Feb 2000 12:06:16 -0500 Date: Fri, 25 Feb 2000 12:06:16 -0500 
From: James FitzGibbon To: Fernando Schapachnik Cc: freebsd-security@freebsd.org Subject: Re: PAM and quotas Message-ID: <20000225120616.A9161@targetnet.com> References: <200002251559.MAA24685@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre1i In-Reply-To: <200002251559.MAA24685@ns1.via-net-works.net.ar> Organization: Targetnet.com Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

* Fernando Schapachnik (fpscha@ns1.via-net-works.net.ar) [000225 11:01]:

> overhead. But a problem arises: If the user is not on /etc/passwd he
> can't have quotas (or am I wrong here?) and I need them.

You can have quotas without having a user in the password file; at its heart, quotas on UFS filesystems operate on uids, not on user names. The edquota program in the base and setquota (in the ports collection) want a username so that they can derive the uid from /etc/passwd.

At my last job I wrote a tool to set quotas based on an explicitly provided uid (it used the quotactl syscall) in perl, and this worked for a user base of more than 100,000 users, none of whom had /etc/passwd entries.

I think the best bet would be to take the source for setquota (see /usr/ports/sysutils/setquota) and modify it to allow you to specify an explicit uid. The file quotatool.c contains the code. You could modify it such that giving a username of '#1000' attempted to set the quota for uid 1000, or perhaps just calling atol() on the username from the command line if the call to getpwnam() fails.

--
j.

James FitzGibbon james@targetnet.com
Targetnet.com Inc.
Voice/Fax +1 416 306-0466/0452 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 25 15:23:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from awfulhak.org (dynamic-68.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.196]) by hub.freebsd.org (Postfix) with ESMTP id 6B8E437BE56; Fri, 25 Feb 2000 15:23:30 -0800 (PST) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@shift.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id XAA54988; Fri, 25 Feb 2000 23:22:11 GMT (envelope-from brian@hak.lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id VAA00381; Fri, 25 Feb 2000 21:59:59 GMT (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200002252159.VAA00381@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.1.1 10/15/1999 To: Matthew Dillon Cc: "A. Rakukin" , freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org Subject: Re: X authorization In-Reply-To: Message from Matthew Dillon of "Thu, 24 Feb 2000 11:57:15 PST." <200002241957.LAA41772@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 25 Feb 2000 21:59:59 +0000 
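
The uid lookup James FitzGibbon suggests above for setquota (a '#1000' form, or a numeric fallback when getpwnam() fails), as an added example that is not code from the thread or from the setquota port; `resolve_uid` and `parse_uid` are hypothetical names. It validates with strtoul() instead of the atol() mentioned, because atol() returns 0, which is root's uid, for any non-numeric string such as a mistyped user name.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Strictly parse a decimal uid. Returns 0 on success, -1 on any bad input. */
static int parse_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (*s < '0' || *s > '9')           /* rejects "", "-1", "+5", leading blanks */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')     /* overflow, or trailing junk ("1000x") */
        return -1;
    if (v >= (unsigned long)(uid_t)-1)  /* too large; (uid_t)-1 is kept as "no uid" */
        return -1;
    *out = (uid_t)v;
    return 0;
}

/*
 * Turn a command-line user argument into a uid:
 *   "#1000"  explicit uid, never looked up in the password database
 *   "alice"  resolved through getpwnam() when the account exists
 *   "1000"   numeric fallback, used only after getpwnam() has failed
 * Returns 0 and stores the uid on success, -1 if the argument is unusable.
 */
int resolve_uid(const char *arg, uid_t *out)
{
    struct passwd *pw;

    if (arg == NULL || arg[0] == '\0')
        return -1;
    if (arg[0] == '#')
        return parse_uid(arg + 1, out);
    if ((pw = getpwnam(arg)) != NULL) {
        *out = pw->pw_uid;
        return 0;
    }
    return parse_uid(arg, out);
}

int main(int argc, char **argv)
{
    uid_t uid;
    int i, bad = 0;

    for (i = 1; i < argc; i++) {
        if (resolve_uid(argv[i], &uid) == 0) {
            /* A quota tool would hand this uid to quotactl() here. */
            printf("%s -> uid %lu\n", argv[i], (unsigned long)uid);
        } else {
            fprintf(stderr, "%s: no such user and not a valid uid\n", argv[i]);
            bad = 1;
        }
    }
    return bad;
}
```
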
From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>
> :Hi to all,
> :
> :Would be grateful for help or explanation. I used to think that by default
> :nobody can run anything on my display. But now I revealed that it is enough
> :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> :(that has been accessed) says that
> :
> :access control enabled, only authorized clients can connect
> :
> :and nothing more. What is the possible source of the problem?
> :I have not customized any authorization mechanisms...
> :I run FreeBSD 3.4.
> :
> :Thank you,
> :Alex
>
> I'll bet you are using ssh.
>
> Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> machine B to point to machine A will not give machine B access to
> machine A's X display. Machine A must give machine B access, typically
> through the 'xhost' command.

I wouldn't say ``typically''. Using xhost is bad as it gives anybody on the given host access to your display. Xauth is the correct way to do it. It stuffs an authentication key in the .Xauthority file allowing access only to people with access to the .Xauthority file. Check the xauth man page for the magic incantation.

> However, some programs will tunnel X sessions automatically. ssh is
> one of these. If you are sitting on machine A and you ssh to machine B,
> you will then be able to run X binaries on machine B and have them show
> up on machine A's display. The X protocol will run through the
> 'secure' ssh session.
>
> I don't know many people who do this, at least not between two local
> machines sitting on the same LAN, because running an X client through
> an encrypted ssh session tends to really slow down the client.

*shrug* I do it all the time for convenience. sshd is on just about every machine I use, whereas the alternative of mucking about with xon, rstart or some locally brewed version is a pain.
Besides, CPUs these days can easily encrypt stuff faster than your standard 10mbit network can transport them. > -Matt > Matthew Dillon > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 25 18:40:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from web1604.mail.yahoo.com (web1604.mail.yahoo.com [128.11.23.204]) by hub.freebsd.org (Postfix) with SMTP id A427237B9EC for ; Fri, 25 Feb 2000 18:40:24 -0800 (PST) (envelope-from thuan_an@yahoo.com) Received: (qmail 12083 invoked by uid 60001); 26 Feb 2000 02:40:24 -0000 Message-ID: <20000226024024.12082.qmail@web1604.mail.yahoo.com> Received: from [210.230.225.11] by web1604.mail.yahoo.com; Fri, 25 Feb 2000 18:40:24 PST Date: Fri, 25 Feb 2000 18:40:24 -0800 (PST) 
From: Tran Ngoc Thuan An Subject: Asking about the file dhcpdb.bind To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dear Sir/Madam,

I have read the file dhcpdb.bind but I didn't understand much. Does that file store information of the one who accessed the host? An example of one line in that file is:

1:0x00004c438911:192.168.1.0:1:0x00004c438911:"Thu Dec 3 19:15:11 1998":0068

Is "1:0x00004c438911" the MAC address of the accessing computer? Is "Thu Dec 3 19:15:11 1998" the date and time of accessing? And is "0068" the number of that computer which is stored in the file dhcpdb.pool? But which computer has the IP address "192.168.1.0"? Because I've found that all the lines in dhcpdb.bind have the same one ("192.168.1.0").

Another question is what is the usage of the file dhcpdb.bind? Now our company is very interested in the security problem of our Internet system, could we use that file to inquire who had accessed our system?

Would you please help me or tell me where I could find the answer? Now I couldn't have any detail document about that. I'm very sorry if my questions are so silly because I'm very new in both UNIX and FreeBSD. I'm using FreeBSD version 3.3.

I'm Vietnamese but now working in Japan, I've found that many Japanese sites are concerned in FreeBSD and security fields. I can understand Japanese so if you could have some Japanese answers or documents, you couldn't have to translate them into English.

Thank you very much in advance, and looking forward your reply,

Tran Ngoc Thuan An

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 26 4:28:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from asl.simtel.ru (asl.simtel.ru [193.124.97.157]) by hub.freebsd.org (Postfix) with ESMTP id A7F5737BB99 for ; Sat, 26 Feb 2000 04:28:32 -0800 (PST) (envelope-from alec@asl.simtel.ru) Received: (from alec@localhost) by asl.simtel.ru (8.9.3/8.9.2) id PAA24951 for freebsd-security@FreeBSD.ORG; Sat, 26 Feb 2000 15:28:28 +0300 (MSK) (envelope-from alec) Date: Sat, 26 Feb 2000 15:28:28 +0300 (MSK) From: Alec Larin Message-Id: <200002261228.PAA24951@asl.simtel.ru> To: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org auth 7cb8cf82 subscribe freebsd-security alec@noc.simtel.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 26 5:18:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from msk1.mail.ru (mx1.mail.ru [194.67.23.32]) by hub.freebsd.org (Postfix) with ESMTP id D082C37BC18; Sat, 26 Feb 2000 05:18:47 -0800 (PST) (envelope-from rakukin@mail.ru) Received: from f4.int ([10.0.0.51] helo=f4.mail.ru) by msk1.mail.ru with esmtp (Exim 3.02 #116) id 12OhCY-000CWV-00; Sat, 26 Feb 2000 16:24:06 +0300 Received: from mail by f4.mail.ru with local (Exim 3.02 #112) id 12Oh7E-000CVz-00; Sat, 26 Feb 2000 16:18:36 +0300 Received: from [194.85.224.35] by koi.mail.ru with HTTP; Sat, 26 Feb 2000 13:18:36 +0000 (GMT) 
From: "A. Rakukin" To: "tom brown" Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re[2]: X authorization Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: 194.85.229.131 via proxy [194.85.224.35] In-Reply-To: <38B5EAC2.5063CC6@cgf.net> Reply-To: "A. Rakukin" Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Date: Sat, 26 Feb 2000 16:18:36 +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----Original Message----- 
From: tom brown To: "A. Rakukin" Date: Thu, 24 Feb 2000 18:36:50 -0800 Subject: Re: X authorization

> "A. Rakukin" wrote:
>
> > Hi to all,
> >
> > Would be grateful for help or explanation. I used to think that by default
> > nobody can run anything on my display. But now I revealed that it is enough
> > to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> > (that has been accessed) says that
> >
> > access control enabled, only authorized clients can connect
> >
> > and nothing more. What is the possible source of the problem?
> > I have not customized any authorization mechanisms...
> > I run FreeBSD 3.4.
> >
> > Thank you,
> > Alex
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> If you are really bothered by this you could apply IPFW filters to ports between
> 6000-6100 to prevent any connection to the X system.
>
> I think that there is also a kerberos token based scheme of authentication.
> I've never used it but details are at :
> http://www.xfree86.org
>
>
> If you want to know more about the vulnerabilities of X:
> http://packetstorm.securify.com/opensec-exploits/exploits/netapps/x-win/
>
> Tom
>
> Tom
>
>

Thank you for links! But I think unauthorized access must be disabled earlier. I would not like to install any filters and also kerberos, just to make system work as it should...

Thanks,
Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Feb 26 5:19:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from msk1.mail.ru (mx1.mail.ru [194.67.23.32]) by hub.freebsd.org (Postfix) with ESMTP id B060137C021; Sat, 26 Feb 2000 05:19:24 -0800 (PST) (envelope-from rakukin@mail.ru) Received: from f1.int ([10.0.0.48] helo=f1.mail.ru) by msk1.mail.ru with esmtp (Exim 3.02 #116) id 12OhD3-000CYZ-00; Sat, 26 Feb 2000 16:24:37 +0300 Received: from mail by f1.mail.ru with local (Exim 3.02 #107) id 12Oh6r-000Epu-00; Sat, 26 Feb 2000 16:18:13 +0300 Received: from [194.85.224.35] by koi.mail.ru with HTTP; Sat, 26 Feb 2000 13:18:13 +0000 (GMT) From: "A. Rakukin" To: "Brian Somers" Cc: "Matthew Dillon" , freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org Subject: Re[2]: X authorization Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: 194.85.229.131 via proxy [194.85.224.35] Reply-To: "A. Rakukin" Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Date: Sat, 26 Feb 2000 16:18:13 +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----Original Message-----
From: Brian Somers To: Matthew Dillon Date: Fri, 25 Feb 2000 21:59:59 +0000 Subject: Re: X authorization

> >
> > :Hi to all,
> > :
> > :Would be grateful for help or explanation. I used to think that by default
> > :nobody can run anything on my display. But now I revealed that it is enough
> > :to export DISPLAY on remote host to access my xserver. 'xhost' on the server
> > :(that has been accessed) says that
> > :
> > :access control enabled, only authorized clients can connect
> > :
> > :and nothing more. What is the possible source of the problem?
> > :I have not customized any authorization mechanisms...
> > :I run FreeBSD 3.4.
> > :
> > :Thank you,
> > :Alex
> >
> > I'll bet you are using ssh.

sshd is not running on the host which has been accessed... I am aware of the X-connections forwarding ability of ssh, but it is not the case...

> >
> > Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> > machine B to point to machine A will not give machine B access to
> > machine A's X display. Machine A must give machine B access, typically
> > through the 'xhost' command.
>
> I wouldn't say ``typically''. Using xhost is bad as it gives anybody
> on the given host access to your display. Xauth is the correct way
> to do it. It stuffs an authentication key in the .Xauthority file
> allowing access only to people with access to the .Xauthority file.
> Check the xauth man page for the magic incantation.

I know that xhost is insecure. But it worked earlier! And now I have a situation as follows: I merely start X (via xdm) on host A, no windows/commands there, then go to host B, type `export DISPLAY=A:0; xterm' and see xterm window opened on the display of A! Then test `xhost' on A and see no hosts allowed...

I think something has been changed in the configuration casually, and would be grateful for any advice what might it be. I looked through Xsessions etc, but have not found anything, unfortunately...

> > > However, some programs will tunnel X sessions automatically. ssh is > > one of these. If you are sitting on machine A and you ssh to machine B, > > you will then be able to run X binaries on machine B and have them show > > up on machine A's display. The X protocol will run through the > > 'secure' ssh session. > > > > I don't know many people who do this, at least not between two local > > machines sitting on the same LAN, because running an X client through > > an encrypted ssh session tends to really slow down the client. > > *shrug* I do it all the time for convenience. sshd is on just about > every machine I use, whereas the alternative of mucking about with > xon, rstart or some locally brewed version is a pain. Besides, CPUs > these days can easily encrypt stuff faster than your standard 10mbit > network can transport them. In any case, I would like to forbid unauthorized access at first! > > > -Matt > > Matthew Dillon > > > > > > Thanks to all, Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 26 5:37:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from awfulhak.org (dynamic-117.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.245]) by hub.freebsd.org (Postfix) with ESMTP id BE6A837B960; Sat, 26 Feb 2000 05:37:10 -0800 (PST) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@shift.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id NAA59097; Sat, 26 Feb 2000 13:28:55 GMT (envelope-from brian@hak.lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id NAA38907; Sat, 26 Feb 2000 13:28:55 GMT (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200002261328.NAA38907@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.1.1 10/15/1999 To: "A. 
Rakukin" Cc: "Brian Somers" , "Matthew Dillon" , freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org, brian@hak.lan.awfulhak.org Subject: Re: Re[2]: X authorization In-Reply-To: Message from "A. Rakukin" of "Sat, 26 Feb 2000 16:18:13 +0300." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 26 Feb 2000 13:28:55 +0000 
From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > > Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> > > machine B to point to machine A will not give machine B access to
> > > machine A's X display. Machine A must give machine B access, typically
> > > through the 'xhost' command.
> >
> > I wouldn't say ``typically''. Using xhost is bad as it gives anybody
> > on the given host access to your display. Xauth is the correct way
> > to do it. It stuffs an authentication key in the .Xauthority file
> > allowing access only to people with access to the .Xauthority file.
> > Check the xauth man page for the magic incantation.
>
> I know that xhost is insecure. But it worked earlier!
> And now I have a situation as follows: I merely start X (via xdm) on host A,
> no windows/commands there, then go to host B,
> type `export DISPLAY=A:0; xterm' and see xterm window
> opened on the display of A! Then test `xhost' on A and see no hosts allowed...
>
> I think something has been changed in the configuration casually,
> and would be grateful for any advice what might it be.
> I looked through Xsessions etc, but have not found anything,
> unfortunately...

Well, if the person executing the X program (on B) either has a correct .Xauthority or a xhost permit, they're allowed display. If they haven't got xhost authority, I would think their .Xauthority must be valid.

[.....]
> In any case, I would like to forbid unauthorized access at first!

This should be the default (and is for me).

[.....]
> Thanks to all,
> Alex

--
Brian
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 26 6:25: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from unicorn.blackhats.org (unicorn.blackhats.org [194.109.83.155]) by hub.freebsd.org (Postfix) with ESMTP id 107BD37BC6D for ; Sat, 26 Feb 2000 06:25:06 -0800 (PST) (envelope-from unicorn@blackhats.org) Received: by unicorn.blackhats.org (Postfix, from userid 1002) id 9107E12C1D; Sat, 26 Feb 2000 14:53:04 +0100 (CET) Date: Sat, 26 Feb 2000 14:53:04 +0100 
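
For the X authorization thread above, where Brian Somers points to a valid .Xauthority on host B as the likely reason access succeeds: an added example, not code from any poster or from XFree86, that lists which displays an authority file holds keys for without exposing the keys themselves. The record layout (2-byte big-endian family, then length-prefixed address, display number, auth name and auth data) is the one libXau reads; the sample bytes, host name and address are constructed, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FAMILY_INTERNET 0      /* address field holds 4 raw IPv4 bytes */
#define FAMILY_LOCAL    256    /* address field holds a host name */

struct xauth_entry {
    unsigned family;
    const unsigned char *address, *number, *name;
    size_t address_len, number_len, name_len;
    size_t data_len;           /* key length only; key bytes are never exposed */
};

/* Constructed sample: two entries laid out as in a .Xauthority file. */
static const unsigned char SAMPLE[] =
    "\x01\x00" "\x00\x05" "hostA" "\x00\x01" "0"
    "\x00\x12" "MIT-MAGIC-COOKIE-1" "\x00\x10" "0123456789abcdef"
    "\x00\x00" "\x00\x04" "\xc0\x00\x02\x0a" "\x00\x01" "1"
    "\x00\x12" "MIT-MAGIC-COOKIE-1" "\x00\x10" "fedcba9876543210";
#define SAMPLE_LEN (sizeof SAMPLE - 1)   /* drop the literal's trailing NUL */

/* Read a 16-bit big-endian integer at *pos; -1 if the buffer ends first. */
static int get_u16(const unsigned char *buf, size_t len, size_t *pos,
                   unsigned *out)
{
    if (len - *pos < 2)
        return -1;
    *out = ((unsigned)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    return 0;
}

/* Read one length-prefixed field; the result points into buf (no copy). */
static int get_field(const unsigned char *buf, size_t len, size_t *pos,
                     const unsigned char **p, size_t *n)
{
    unsigned flen;

    if (get_u16(buf, len, pos, &flen) != 0 || len - *pos < flen)
        return -1;
    *p = buf + *pos;
    *n = flen;
    *pos += flen;
    return 0;
}

/* Parse the entry at *pos: 1 = parsed, 0 = clean end of data, -1 = truncated. */
int xauth_next(const unsigned char *buf, size_t len, size_t *pos,
               struct xauth_entry *e)
{
    const unsigned char *key;   /* located so it can be skipped, never returned */

    if (*pos >= len)
        return 0;
    if (get_u16(buf, len, pos, &e->family) != 0 ||
        get_field(buf, len, pos, &e->address, &e->address_len) != 0 ||
        get_field(buf, len, pos, &e->number, &e->number_len) != 0 ||
        get_field(buf, len, pos, &e->name, &e->name_len) != 0 ||
        get_field(buf, len, pos, &key, &e->data_len) != 0)
        return -1;
    return 1;
}

/*
 * Count entries usable for display number `display` ("0" for host:0),
 * whatever their address. An entry with an empty display field matches
 * any display, as in libXau's lookup. Returns -1 if the data is malformed.
 */
int xauth_count_for_display(const unsigned char *buf, size_t len,
                            const char *display)
{
    struct xauth_entry e;
    size_t pos = 0, dlen = strlen(display);
    int rc, hits = 0;

    while ((rc = xauth_next(buf, len, &pos, &e)) == 1)
        if (e.number_len == 0 ||
            (e.number_len == dlen && memcmp(e.number, display, dlen) == 0))
            hits++;
    return rc < 0 ? -1 : hits;
}

int main(void)
{
    struct xauth_entry e;
    size_t pos = 0;

    while (xauth_next(SAMPLE, SAMPLE_LEN, &pos, &e) == 1) {
        if (e.family == FAMILY_INTERNET && e.address_len == 4)
            printf("%d.%d.%d.%d", e.address[0], e.address[1],
                   e.address[2], e.address[3]);
        else
            printf("%.*s", (int)e.address_len, (const char *)e.address);
        printf(":%.*s  %.*s  key length %zu\n",
               (int)e.number_len, (const char *)e.number,
               (int)e.name_len, (const char *)e.name, e.data_len);
    }
    return 0;
}
```

A non-zero count for display "0" in the authority file of the account on host B means that account holds a key for some display 0, which is consistent with access being granted while `xhost` on host A lists no hosts.
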
From: The Unicorn To: skalir scalar Cc: freebsd-security@FreeBSD.ORG Subject: Re: Unauthorized Access... Message-ID: <20000226145304.L55346@unicorn.blackhats.org> References: <20000210023406.13102.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre4i In-Reply-To: <20000210023406.13102.qmail@hotmail.com>; from skalir@hotmail.com on Wed, Feb 09, 2000 at 05:34:06PM +0000 X-Files: The Truth Is Out There! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi skalir,

On Wed, 09 Feb 2000, skalir scalar wrote:
> I am looking for Sections/Chapters/Etc of the US Code to cut/paste
> into my message of the day on my servers that states something about
> "Chapter 1234, Section 12.34.56 of US Code, Says unauthorized...."
> "Access is prohibited"

Currently I have the following text appear in a banner (and /etc/motd for those not seeing the banner :-):

----%<----%<----%<----%<---- SNIP ----%<----%<----%<----%<----%<----
BEWARE
======

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
----%<----%<----%<----%<---- SNIP ----%<----%<----%<----%<----%<----

> or something of the such, if you could reply with a url
> or just paste some in an email
>
> would be gratefully helpful
>
> thanks in advance.
--- End of Quoted Text ---

Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays PGP: 64 07 5D 4C 3F 81 22 73
;; // `--; Leapfrog With A Unicorn... 52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage

From owner-freebsd-security Sat Feb 26 6:38:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from field.videotron.net (field.videotron.net [205.151.222.108]) by hub.freebsd.org (Postfix) with ESMTP id 09B4337BB1C for ; Sat, 26 Feb 2000 06:38:23 -0800 (PST) (envelope-from youlgok@attglobal.net)
Received: from attglobal.net ([24.200.44.120]) by field.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8) with ESMTP id <0FQJ005G3KKUBJ@field.videotron.net> for freebsd-security@freebsd.org; Sat, 26 Feb 2000 09:36:30 -0500 (EST)
Date: Sat, 26 Feb 2000 09:38:36 -0500
From: Youlgok
Subject: [Q] comparison of sshes
To: freebsd-security@freebsd.org
Reply-To: youlgok@attglobal.net
Message-id: <38B7E56B.8B2201C@attglobal.net>
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What are the major differences in OpenSSH-1.2.2, SSH-1.2.27 and
SSH2-2.0.13? As I understand, OpenSSH is interoperable with SSH, but
SSH2. Which one is more secure: OpenSSH or SSH and SSH2?

I just installed OpenSSH-1.2.2 and from Windows machine it can be
connected by ssh, but ssh2.

From owner-freebsd-security Sat Feb 26 7:28:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mout1.freenet.de (mout1.freenet.de [62.104.201.3]) by hub.freebsd.org (Postfix) with ESMTP id C1EB837BCC2; Sat, 26 Feb 2000 07:28:01 -0800 (PST) (envelope-from netchild@leidinger.net)
Received: from [62.104.201.6] (helo=mx0.freenet.de) by mout1.freenet.de with esmtp (Exim 3.13 #1) id 12Oj8O-0003uL-00; Sat, 26 Feb 2000 16:27:56 +0100
Received: from [213.6.171.130] (helo=Magelan.Leidinger.net) by mx0.freenet.de with esmtp (Exim 3.13 #3) id 12Oj8O-00021E-00; Sat, 26 Feb 2000 16:27:56 +0100
Received: from Leidinger.net (netchild@localhost [127.0.0.1]) by Magelan.Leidinger.net (8.9.3/8.9.3) with ESMTP id QAA02773; Sat, 26 Feb 2000 16:24:14 +0100 (CET) (envelope-from netchild@Leidinger.net)
Message-Id: <200002261524.QAA02773@Magelan.Leidinger.net>
Date: Sat, 26 Feb 2000 16:24:13 +0100 (CET)
From: Alexander Leidinger
Subject: Re: Re[2]: X authorization
To: rakukin@mail.ru
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 26 Feb, A. Rakukin wrote:

[CC stripped]

> sshd is not running on the host which has been accessed...
> I am aware of the X-connections forwarding ability of ssh,
> but it is not the case...

[...]

> I know that xhost is insecure. But it worked earlier!
> And now I have a situation as follows: I merely start X (via xdm) on host A,
> no windows/commands there, then go to host B,
> type `export DISPLAY=A:0; xterm' and see xterm window
> opened on the display of A! Then test `xhost' on A and see no hosts allowed...

Is your ${HOME} shared between those hosts?
What does "xauth list" print (don't post it here, look at it carefully
by yourself)?

Bye,
Alexander.

--
Sarcasm is just one of the many services we offer.

http://www.Leidinger.net Alexander+Home @ Leidinger.net
Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

From owner-freebsd-security Sat Feb 26 12:46:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 2D0C737BE9F for ; Sat, 26 Feb 2000 12:46:33 -0800 (PST) (envelope-from dave@elvis.mu.org)
Received: (from dave@localhost) by elvis.mu.org (8.9.1/8.9.1) id OAA25820; Sat, 26 Feb 2000 14:46:44 -0600 (CST) (envelope-from dave)
Date: Sat, 26 Feb 2000 14:46:44 -0600
From: Dave McKay
To: Youlgok
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] comparison of sshes
Message-ID: <20000226144644.A25743@elvis.mu.org>
References: <38B7E56B.8B2201C@attglobal.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="0OAP2g/MAC+5xKAE"; micalg=pgp-md5; protocol="application/pgp-signature"
X-Mailer: Mutt 0.95.7i
In-Reply-To: <38B7E56B.8B2201C@attglobal.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Youlgok (youlgok@attglobal.net) wrote:
> What are the major differences in OpenSSH-1.2.2, SSH-1.2.27 and
> SSH2-2.0.13? As I understand, OpenSSH is interoperable with SSH, but
> SSH2. Which one is more secure: OpenSSH or SSH and SSH2?
>
> I just installed OpenSSH-1.2.2 and from Windows machine it can be
> connected by ssh, but ssh2.

I have seen trouble with ssh2 connecting to openssh 1.2. I think the
problem has to do with a protocol mismatch.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

From owner-freebsd-security Sat Feb 26 13:11:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jgl.reno.nv.us (rno-max6-27.gbis.net [207.228.61.155]) by hub.freebsd.org (Postfix) with ESMTP id B5CDB37B5D8 for ; Sat, 26 Feb 2000 13:11:11 -0800 (PST) (envelope-from dan@jgl.reno.nv.us)
Received: from danco (danco.home [10.0.0.2]) by jgl.reno.nv.us (8.9.3/8.9.3) with SMTP id NAA04071; Sat, 26 Feb 2000 13:08:33 -0800 (PST) (envelope-from dan@jgl.reno.nv.us)
Message-ID: <103d01bf809d$a7a82a60$0200000a@danco.home>
From: "Dan O'Connor"
To: "The Unicorn" , "skalir scalar"
Cc:
Subject: Re: Unauthorized Access...
Date: Sat, 26 Feb 2000 13:08:32 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> I am looking for Sections/Chapters/Etc of the US Code to cut/paste
>> into my message of the day on my servers that states something about
>> "Chapter 1234, Section 12.34.56 of US Code, Says unauthorized...."
>> "Access is prohibited"

You're looking for 18 USC 1030
(http://www4.law.cornell.edu/uscode/18/1030.html); specifically, paras.
(a)(4), (5), (6) and (7).

--Dan

** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!

From owner-freebsd-security Sat Feb 26 23:11:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 2BE5337B558 for ; Sat, 26 Feb 2000 23:11:40 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA15635; Sun, 27 Feb 2000 00:10:45 -0700 (MST) (envelope-from wes@softweyr.com)
Message-ID: <38B8CFB8.21A4B9F0@softweyr.com>
Date: Sun, 27 Feb 2000 00:18:16 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Dan O'Connor"
Cc: The Unicorn , skalir scalar , freebsd-security@FreeBSD.ORG
Subject: Re: Unauthorized Access...
References: <103d01bf809d$a7a82a60$0200000a@danco.home>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan O'Connor wrote:
>
> >> I am looking for Sections/Chapters/Etc of the US Code to cut/paste
> >> into my message of the day on my servers that states something about
> >> "Chapter 1234, Section 12.34.56 of US Code, Says unauthorized...."
> >> "Access is prohibited"
>
> You're looking for 18 USC 1030
> (http://www4.law.cornell.edu/uscode/18/1030.html); specifically, paras.
> (a)(4), (5), (6) and (7).

Not unless you are storing

"information that has been determined by the
United States Government pursuant to an Executive order or
statute to require protection against unauthorized disclosure for
reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the
Atomic Energy Act of 1954"

on your computer. Try again.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Sat Feb 26 23:34: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jgl.reno.nv.us (rno-max3-08.gbis.net [207.228.60.200]) by hub.freebsd.org (Postfix) with ESMTP id 8485037B5EC for ; Sat, 26 Feb 2000 23:33:53 -0800 (PST) (envelope-from dan@jgl.reno.nv.us)
Received: from danco (danco.home [10.0.0.2]) by jgl.reno.nv.us (8.9.3/8.9.3) with SMTP id XAA30022; Sat, 26 Feb 2000 23:32:19 -0800 (PST) (envelope-from dan@jgl.reno.nv.us)
Message-ID: <00d201bf80f4$c95db380$0200000a@danco.home>
From: "Dan O'Connor"
To: "Wes Peters"
Cc: "The Unicorn" , "skalir scalar" ,
Subject: Re: Unauthorized Access...
Date: Sat, 26 Feb 2000 23:32:16 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> You're looking for 18 USC 1030
>> (http://www4.law.cornell.edu/uscode/18/1030.html); specifically, paras.
>> (a)(4), (5), (6) and (7).
>
>Not unless you are storing
>
> "information that has been determined by the
> United States Government pursuant to an Executive order or
> statute to require protection against unauthorized disclosure for
> reasons of national defense or foreign relations, or any
> restricted data, as defined in paragraph y. of section 11 of the
> Atomic Energy Act of 1954"
>
>on your computer. Try again.

No need to...The 104th Congress extended this in 1996 [Pub.L. 104-294].
The law now also applies to "protected computers" which "means a
computer...which is used in interstate or foreign commerce or
communication" [18 USC 1030(e)(2)(B)].

I think any halfway-decent lawyer can make an argument that *any* computer
connected to the Internet is engaged in interstate or foreign
communication...

--Dan

** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!

From owner-freebsd-security Sat Feb 26 23:55:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f116.law8.hotmail.com [216.33.241.116]) by hub.freebsd.org (Postfix) with SMTP id CF9E237B5AD for ; Sat, 26 Feb 2000 23:55:28 -0800 (PST) (envelope-from smurfclanz@hotmail.com)
Received: (qmail 97410 invoked by uid 0); 27 Feb 2000 07:55:28 -0000
Message-ID: <20000227075528.97409.qmail@hotmail.com>
Received: from 161.142.232.12 by www.hotmail.com with HTTP; Sat, 26 Feb 2000 23:55:28 PST
X-Originating-IP: [161.142.232.12]
From: "PinkSmurf Mushroom"
To: freebsd-security@freebsd.org
Subject: Mixter's shlog.c
Date: Sat, 26 Feb 2000 23:55:28 PST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've stumbled upon Mixter's fixed code, shlog.c. It will log down any
connections that will produce a shell. But so far I'm unable to make it log
sh shell since most exploits will produce sh upon a successful attack. I've
added the script to /etc/profile and /etc/csh.cshrc. Should I add it to
another file in order for it to log down sh shell?

Below is the code :

----------------------------------------------------------------
/*
 * shlog.c (c) Mixter
 * FIXED Version (thanks to scagneti@chisel.toolcity.net)
 * Well, this does not do too much.. it will determine the
 * origin (remote IP address) from which a shell is launched (user
 * id/remote host), and write a syslog entry, every time a login shell
 * is invoked. This can help against login trojans, or just for providing
 * better audit trails.
 * Put a call to shlog into /etc/profile and/or /etc/bashrc
 */

#include <sys/types.h>
#include <sys/socket.h>   /* getpeername */
#include <netinet/in.h>   /* struct sockaddr_in */
#include <arpa/inet.h>    /* inet_ntoa */
#include <stdlib.h>       /* getenv */
#include <syslog.h>       /* openlog, syslog, closelog */
#include <unistd.h>       /* getuid, geteuid, getgid */

#define IO_STDIN 0

int
main (int argc, char **argv)
{
  struct sockaddr_in sin;
  socklen_t nl = sizeof (struct sockaddr_in);
  /* getpeername() succeeds only when stdin is a connected socket */
  int test = getpeername (IO_STDIN, (struct sockaddr *) &sin, &nl);
  const char *shell = getenv ("SHELL");

  (void) argc;
  if (shell == NULL)            /* SHELL may be unset; never pass NULL to %s */
    shell = "(unset)";

  (void) openlog (argv[0], LOG_PID, LOG_AUTHPRIV);
  /* inet_ntoa() is only meaningful for an IPv4 peer */
  if (test == 0 && sin.sin_family == AF_INET)
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
            "shell '%s' (uid: %d euid: %d gid: %d) invoked by remote connection from host %s",
            shell, (int) getuid (), (int) geteuid (), (int) getgid (),
            inet_ntoa (sin.sin_addr));
  else
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
            "shell '%s' (uid: %d euid: %d gid: %d) invoked from local host or program",
            shell, (int) getuid (), (int) geteuid (), (int) getgid ());
  (void) closelog ();
  return 0;
}
----------------------------------------------------------------

smurfy =p
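An added example, not part of the original post or of Mixter's shlog.c: shlog.c formats the peer of stdin with inet_ntoa, which covers IPv4 only. This version makes the same getpeername check but also handles IPv6 peers and reports non-IP sockets and non-sockets as local; the helper names format_peer and peer_of_fd are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not in shlog.c): write the peer address as text.
 * Returns 1 for an IPv4/IPv6 peer, 0 for any other address family. */
int format_peer(const struct sockaddr *sa, char *out, size_t outlen)
{
    const void *addr;
    if (sa->sa_family == AF_INET)
        addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else {                      /* e.g. AF_UNIX: a socket, but not remote */
        snprintf(out, outlen, "local");
        return 0;
    }
    if (inet_ntop(sa->sa_family, addr, out, (socklen_t)outlen) == NULL) {
        snprintf(out, outlen, "unknown");
        return 0;
    }
    return 1;
}

/* Hypothetical helper: the getpeername() test shlog.c applies to stdin,
 * with room for either address family. */
int peer_of_fd(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;

    memset(&ss, 0, sizeof ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0) {
        snprintf(out, outlen, "local");     /* ENOTSOCK, ENOTCONN, ... */
        return 0;
    }
    return format_peer((const struct sockaddr *)&ss, out, outlen);
}

int main(void)
{
    char peer[INET6_ADDRSTRLEN];
    int remote = peer_of_fd(STDIN_FILENO, peer, sizeof peer);
    printf("%s: %s\n", remote ? "remote connection from" : "invoked from", peer);
    return 0;
}
```

Like shlog.c, this reports only when a shell startup file runs it; sh reads /etc/profile only when started as a login shell, so a shell started any other way never reaches the call.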