From owner-freebsd-security Wed May 3 17:40:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id E404C37BA2F; Wed, 3 May 2000 17:40:25 -0700 (PDT) (envelope-from green@FreeBSD.org)
Date: Wed, 3 May 2000 20:40:11 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: Mike Nowlin
Cc: Dan Tso, Fabio da Silva Cunha, freebsd-security@FreeBSD.ORG
Subject: Re: e-mail auditing in sendmail 8.9.3/8.10.1
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 29 Apr 2000, Mike Nowlin wrote:

> It also depends on what you're trying to catch. It's trivial for someone
> to bypass whatever you do to sendmail for outgoing messages - just open a
> connection directly to the receiving machine on port 25 and "emulate"
> sendmail - some mail readers can do this anyway, avoiding sendmail.
> Firewalling can help -- if I remember correctly, there's some
> sort of rule in ipfw or ipf that provides "only allow packets destined for
> port 25 of some other machine if they're originating on a program running
> as root" capability.... If you're just trying to catch someone doing a
> particular thing, and you have enough drive space available, tcpdump and
> ports/net/tcpshow can record everything on port 25 as sorta-text...

Here's an example of that:

  ipfw add 1000 pass tcp from any to any 25 uid 0 out   # or "uid root"
  ipfw add 1100 deny log logamount 0 tcp from any to any 25 out

(I need to MFC logamount 0... try some big number like 1000 instead, as
you don't really want to fill your logs up...)

This will give non-root users EACCES if they attempt to connect to port 25
outbound. This doesn't solve everything, but it would keep spammers on your
system from doing their spamming without using your MTA.
> --mike

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
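The rule pair above, turned into a small script as an added example (this is not Brian's or FreeBSD's code). It generalises the post's two lines to any list of uids that are allowed to talk to remote port 25, loads them one at a time with ipfw, and parses "ipfw -a list" output (rule number, packets, bytes, rule text) to pull out the deny rule's counters, which is how you would notice someone bypassing the MTA. The rule numbers 1000/1100, the step of 10 between pass rules, the logamount cap of 1000 from the post, and the sample listing are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: restrict outbound SMTP to
# chosen uids with ipfw, and read back how often the deny rule fires.
# Rule numbers and the log cap below are assumptions for this example.

PASS_BASE=1000     # first pass rule; one rule per allowed uid, step 10
DENY_RULE=1100     # the logged catch-all deny
LOGAMOUNT=1000     # cap the deny log, as the post suggests, instead of 0

# Print the ipfw rule bodies (without the leading "ipfw").
# $1: space-separated uids or user names allowed to reach remote port 25.
smtp_rules() {
    n=$PASS_BASE
    for u in $1; do
        echo "add $n pass tcp from any to any 25 uid $u out"
        n=$((n + 10))
    done
    echo "add $DENY_RULE deny log logamount $LOGAMOUNT tcp from any to any 25 out"
}

# Load the rules into the running firewall. Needs root, and the kernel
# needs IPFIREWALL_VERBOSE for the "log" keyword to produce anything.
load_smtp_rules() {
    smtp_rules "$1" | while read -r line; do
        # word splitting of $line is intended: each word is an ipfw argument
        ipfw -q $line || return 1
    done
}

# Extract "packets bytes" for the deny rule from "ipfw -a list" output.
# Reads stdin so it works on a saved listing as well as the live one;
# exits non-zero if the rule is not present.
deny_hits() {
    awk -v rule="$DENY_RULE" '
        $1 + 0 == rule + 0 && $4 == "deny" { printf "%s %s\n", $2, $3; found = 1 }
        END { if (!found) exit 1 }'
}

# Constructed sample of "ipfw -a list" output (not captured from a real
# host) so the parser can be exercised without a firewall.
SAMPLE_LIST='00100 12 1024 allow ip from any to any via lo0
01000 7 560 allow tcp from any to any 25 uid 0 out
01100 5 300 deny log logamount 1000 tcp from any to any 25 out
65535 99 9999 deny ip from any to any'

# Show the ruleset that would be loaded for root only, then the deny
# counters from the sample listing.
smtp_rules 0
printf '%s\n' "$SAMPLE_LIST" | deny_hits
```

On a live system run `load_smtp_rules root` as root and afterwards `ipfw -a list | deny_hits`; a rising packet count means a non-root process is trying to reach port 25 directly. The uid match is on the credentials of the socket's owner, so anything running as root, the MTA included, still passes; that is the whole point of the rule, but it also means a compromised root process is not covered.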