From owner-freebsd-security Sat Jun 22 22:08:41 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <3D1557A3.4030504@earthlink.net>
Date: Sat, 22 Jun 2002 22:07:47 -0700
From: Lawrence Sica
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529
To: Trevor Johnson
Cc: security@freebsd.org
Subject: Re: Possible security liability: Filling disks with junk or spam
References: <20020621210455.F13586-100000@blues.jpj.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Trevor Johnson wrote:
>>A client recently called me in puzzlement, saying that his system was
>>misbehaving, and it turned out that this was what had happened. The address
>>"news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
>>never used or hosted netnews, and so had no need for the pseudo-user. But that
>>pseudo-user was there by default, and the system dutifully created a mailbox
>>for him/her/it when the very first spam arrived. It started growing by leaps
>>and bounds until it was -- I kid you not! -- several hundred megabytes in
>>size. At which point the partition ran out of room.
>>
>>It seems to me that pseudo-users should be non-mailable, just as a basic
>>security policy. Ideas for the best way to implement this in the default
>>install?
>
> My reading of the RFCs (excerpts follow) is that the "news" and "usenet"
> addresses should receive mail when NNTP is in use. It seems like a task
> for the sysadmin. How about comments in /etc/inetd.conf along the lines
> of:
>
> # Enable e-mail to the "ftp" address if you turn this on (RFC 2142).
> #ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
> #
> # Enable e-mail to the "uucp" address if you turn this on (RFC 2142).
> #uucpd  stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
> #
> # Enable e-mail to "usenet" and "news" addresses if you turn this on (RFC 2142).
> #nntp   stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd
>
> with the addresses commented out in /etc/aliases? Running "df" every few
> months wouldn't hurt, of course.
>

Consider that the daily output includes a df output, so you just need to read your root email ;)

They are commented in /etc/aliases. Actually, you want to uncomment them. If a news user exists, for example, and no alias is there, it delivers to the local spool for the news user. An alias would make it go elsewhere.

IMHO nothing is broken, and this isn't a security issue so much as an admin issue. This is where knowing your system and paying attention come into play.

--Larry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
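As an added example (not part of the original message or of FreeBSD), a small POSIX sh check of the condition Larry describes: pseudo-users present in the passwd file whose /etc/aliases entry is missing or still commented out, so mail to them would be delivered to a local spool. The passwd and aliases contents below are constructed samples, not a real system's files.

```sh
#!/bin/sh
# List pseudo-users whose mail would land in a local spool because the aliases
# file has no uncommented entry redirecting it. Arguments: passwd file and
# aliases file (defaults: /etc/passwd and /etc/aliases).
unaliased_pseudo_users() {
    passwd_file=${1:-/etc/passwd}
    aliases_file=${2:-/etc/aliases}
    # Pseudo-users: uid below 1000, excluding root (the usual alias target).
    awk -F: '$3 < 1000 && $1 != "root" { print $1 }' "$passwd_file" |
    while read -r user; do
        # An alias line is "name: target"; a leading '#' means it is commented out,
        # so the anchored pattern below deliberately does not match it.
        if ! grep -Eq "^[[:space:]]*${user}[[:space:]]*:" "$aliases_file"; then
            echo "$user"
        fi
    done
}

# Constructed sample files (uids and entries are illustrative) reproducing the
# thread's situation: "news" exists in passwd but its alias is still commented out.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
news:*:8:8:News Subsystem:/:/sbin/nologin
usenet:*:9:9:Usenet Subsystem:/:/sbin/nologin
larry:*:1001:1001:Lawrence Sica:/home/larry:/bin/sh
EOF
cat > "$sample_dir/aliases" <<'EOF'
# Basic system aliases
MAILER-DAEMON: postmaster
postmaster: root
# news: root
usenet: root
EOF

# Expected output: news  (usenet is aliased, larry is a real user, root is excluded)
unaliased_pseudo_users "$sample_dir/passwd" "$sample_dir/aliases"
```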