Date: Sat, 22 Jun 2002 22:07:47 -0700
From: Lawrence Sica <lomifeh@earthlink.net>
To: Trevor Johnson <trevor@jpj.net>
Cc: security@freebsd.org
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <3D1557A3.4030504@earthlink.net>
References: <20020621210455.F13586-100000@blues.jpj.net>

Trevor Johnson wrote:

>>A client recently called me in puzzlement, saying that his system was
>>misbehaving, and it turned out that this was what had happened. The address
>>"news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
>>never used or hosted netnews, and so had no need for the pseudo-user. But that
>>pseudo-user was there by default, and the system dutifully created a mailbox
>>for him/her/it when the very first spam arrived. It started growing by leaps
>>and bounds until it was -- I kid you not! -- several hundred megabytes in
>>size. At which point the partition ran out of room.
>>
>>It seems to me that pseudo-users should be non-mailable, just as a basic
>>security policy. Ideas for the best way to implement this in the default
>>install?
>
>
> My reading of the RFCs (excerpts follow) is that the "news" and "usenet"
> addresses should receive mail when NNTP is in use. It seems like a task
> for the sysadmin. How about comments in /etc/inetd.conf along the lines
> of:
>
> # Enable e-mail to the "ftp" address if you turn this on (RFC 2142).
> #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
> #
> # Enable e-mail to the "uucp" address if you turn this on (RFC 2142).
> #uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
> #
> # Enable e-mail to "usenet" and "news" addresses if you turn this on (RFC 2142).
> #nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
>
> with the addresses commented out in /etc/aliases? Running "df" every few
> months wouldn't hurt, of course.
>

Consider that the daily output includes a df output so you just need to
read your root email ;)

They are commented in /etc/aliases. Actually you want to uncomment
them. If a news user exists, for example, and no alias is there, it
delivers it to the local spool for the news user. An alias would make it
go elsewhere. Imho nothing is broken, and this isn't a security issue so
much as an admin issue.
This is where knowing your system and paying attention come into play.

--Larry
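An added example, not part of the original message or of FreeBSD: a POSIX sh check for the situation discussed in this thread. It lists low-UID accounts that have no active /etc/aliases entry (so mail to them is spooled locally) and the size of any mailbox they already have. The function names and the UID cutoff of 1000 are assumptions.

```shell
#!/bin/sh
# Added example: find pseudo-users whose mail lands in a local spool file.
# Assumption: a "system account" is one with a UID below 1000.

# unaliased_system_users PASSWD_FILE ALIASES_FILE [UID_LIMIT]
# Prints one account name per line.
unaliased_system_users() {
    awk -F: -v limit="${3:-1000}" '
        # Aliases file: commented-out entries are inactive, so skip them,
        # along with blank lines and whitespace-led continuation lines.
        FILENAME == ARGV[1] {
            if ($0 == "" || $0 ~ /^[ \t#]/) next
            name = $1
            gsub(/[ \t]/, "", name)
            if (NF > 1) aliased[tolower(name)] = 1
            next
        }
        # passwd file: report low-UID accounts that have no active alias.
        $1 ~ /^[A-Za-z_]/ && NF >= 3 && $3 + 0 < limit + 0 &&
            !(tolower($1) in aliased) { print $1 }
    ' "$2" "$1"
}

# report_spools PASSWD_FILE ALIASES_FILE SPOOL_DIR
# Prints "user bytes" for each unaliased system user that already has a mailbox.
report_spools() {
    unaliased_system_users "$1" "$2" | while read -r user; do
        box="$3/$user"
        [ -f "$box" ] || continue
        echo "$user $(( $(wc -c < "$box") ))"
    done
}

# Typical use on a FreeBSD host:
#   report_spools /etc/passwd /etc/aliases /var/mail
```

Any account it reports with a growing byte count is a candidate for an alias that sends its mail elsewhere.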