Date: Fri, 21 Jun 2002 18:01:16 -0600 (MDT)
From: Brett Glass
Message-Id: <200206220001.SAA26010@lariat.org>
To: security@freebsd.org
Subject: Possible security liability: Filling disks with junk or spam

Two years ago, at BSDCon, I reported on a form of abuse known as a "Rumplestiltskin attack," in which an attacker guessed names in rapid succession so as to find valid e-mail addresses to spam. Well, as it turns out, one doesn't need to do this to find addresses on FreeBSD systems that can be filled with mail. /etc/passwd contains quite a few pseudo-users which, if mailed, cause the mail to be stored on the disk as if it were addressed to a real user. No one may ever read it, but it's possible to fill the partition and thereby wreak havoc.

A client recently called me in puzzlement, saying that his system was misbehaving, and it turned out that this was what had happened. The address "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd never used or hosted netnews, and so had no need for the pseudo-user. But that pseudo-user was there by default, and the system dutifully created a mailbox for him/her/it when the very first spam arrived. It started growing by leaps and bounds until it was -- I kid you not! -- several hundred megabytes in size. At which point the partition ran out of room.

It seems to me that pseudo-users should be non-mailable, just as a basic security policy.
Ideas for the best way to implement this in the default install?

--Brett Glass
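One way an administrator can audit for the exposure described in this post is to list every system (pseudo-user) account that has no entry in the sendmail aliases file, since mail to such an account is spooled under /var/mail/&lt;name&gt; on the local disk. The script below is an added example, not part of the original post or of FreeBSD; it assumes a 7-field passwd format, the FreeBSD aliases path /etc/mail/aliases, and a "system account" cutoff of uid below 1000, and it runs against constructed sample data.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (7 colon-separated fields).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
brett:*:1001:1001:Brett:/home/brett:/bin/sh'

# Constructed sample in /etc/mail/aliases format: only some pseudo-users
# are redirected, so the others would get their own spool file.
SAMPLE_ALIASES='# comment line, ignored
daemon: root
www:    root
nobody: root'

# unaliased_pseudo_users PASSWD_TEXT ALIASES_TEXT [MAX_UID]
# Prints, one per line, every account with uid < MAX_UID (default 1000),
# other than root, whose name has no alias entry.  Such an account is
# mailable and will accumulate a mailbox on disk if mail is sent to it.
unaliased_pseudo_users() {
    passwd_data=$1
    aliases_data=$2
    max_uid=${3:-1000}

    # Collect alias names: the token before the first ':' on non-comment
    # lines, joined with spaces so awk can split the list.
    aliased=$(printf '%s\n' "$aliases_data" \
        | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]*\)[[:space:]]*:.*/\1/p' \
        | tr '\n' ' ')

    printf '%s\n' "$passwd_data" | awk -F: -v max="$max_uid" -v list="$aliased" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) have[arr[i]] = 1 }
        $1 != "root" && ($3 + 0) < (max + 0) && !($1 in have) { print $1 }'
}

# Demonstration on the constructed sample; for a live host (assumed paths)
# call: unaliased_pseudo_users "$(cat /etc/passwd)" "$(cat /etc/mail/aliases)"
echo "Mailable pseudo-users with no alias:"
unaliased_pseudo_users "$SAMPLE_PASSWD" "$SAMPLE_ALIASES"
```

Each name printed is a candidate for an aliases entry (followed by `newaliases`) so that mail to it is redirected rather than spooled.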