Date: Fri, 21 Jun 2002 19:14:35 -0500
From: Sean Kelly
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <20020622001435.GA99704@edgemaster.zombie.org>
References: <200206220001.SAA26010@lariat.org>
In-Reply-To: <200206220001.SAA26010@lariat.org>

On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett Glass wrote:
...
> A client recently called me in puzzlement, saying that his system was
> misbehaving, and it turned out that this was what had happened. The address
> "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
> never used or hosted netnews, and so had no need for the pseudo-user. But that
> pseudo-user was there by default, and the system dutifully created a mailbox
> for him/her/it when the very first spam arrived. It started growing by leaps
> and bounds until it was -- I kid you not! -- several hundred megabytes in
> size. At which point the partition ran out of room.
>
> It seems to me that pseudo-users should be non-mailable, just as a basic
> security policy. Ideas for the best way to implement this in the default
> install?

If you look at /usr/src/etc/mail/aliases, you'll see that pseudo-users are
mapped to root.
I also see news in there:

    news: root
    usenet: news

It seems to me that the best way to prevent such things happening would be
to keep your aliases files up to date. Use mergemaster and also maintain
the file for any pseudo-users you may add.

At some point, the administrator has to become responsible for the system
they administer.

-- 
Sean Kelly         | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org
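
Added example, not part of the original message or of FreeBSD: one way to check that every pseudo-user in a passwd file has an aliases entry, following chains such as usenet -> news -> root. The names audit_aliases, sample_run and UID_MAX are hypothetical, the definition of a pseudo-user (UID below 1000 or a nologin shell) is an assumption, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report where mail for each pseudo-user ends up.
# Assumption: a pseudo-user is any non-root passwd entry with a UID below
# UID_MAX or a nologin shell; adjust to the local convention.
UID_MAX=${UID_MAX:-1000}
# audit_aliases PASSWD ALIASES: prints "<user> -> <target>" after following
# the alias chain, or "<user> UNALIASED" if the account gets a local mailbox.
audit_aliases() {
    awk -F: -v max="$UID_MAX" '
        FILENAME == ARGV[1] {   # first operand: the aliases file
            # skip comments, blank lines and continuation lines
            if ($0 ~ /^[ \t#]/ || !index($0, ":")) next
            name = tolower($1); gsub(/[ \t]/, "", name)
            target = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", target)
            alias[name] = target; next
        }
        # second operand: passwd format (field 3 = UID, field 7 = shell)
        NF >= 7 && $1 !~ /^#/ && $1 != "root" &&
        ($3 + 0 < max || $7 ~ /nologin$/) {
            key = tolower($1); hops = 0
            if (!(key in alias)) { print $1 " UNALIASED"; next }
            # follow single-target chains, giving up after 10 hops
            while ((key in alias) && hops++ < 10) {
                dest = alias[key]; key = tolower(dest)
            }
            print $1 " -> " dest
        }
    ' "$2" "$1"
}
# Constructed sample data (not from a real system) so the script runs offline.
sample_run() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
webapp:*:900:900:Locally added daemon:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF
    cat > "$d/aliases" <<'EOF'
# news and usenet as quoted in the message; the uucp line is constructed
news: root
usenet: news
uucp: usenet
EOF
    audit_aliases "$d/passwd" "$d/aliases"; rm -rf "$d"
}
if [ "$#" -eq 2 ]; then audit_aliases "$1" "$2"; else sample_run; fi
```

Run with two arguments, for example /etc/passwd and /etc/mail/aliases, to audit a real system; any UNALIASED line is an account that needs an entry added to the aliases file.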