Learn how to block unwanted mail and tighten your security from Linux Gazette's Answer Guy.
By James T. Dennis
I need to refuse to accept e-mail from a particular person. How can I configure Netscape and/or CND1.0 to bounce the person's mail back to them?
--
Mitch, Mobile, Alabama
I'd use procmail, a little programming language written specifically for processing mail. CND uses procmail as the ``local delivery agent'' by default. This means that sendmail passes any mail for a local account to procmail, and then lets procmail do the final delivery to your mail box, /var/spool/mail/your_login_name. At the same time, procmail checks for a .procmailrc file in your home directory, and does some ownership and permissions checks on it for you.
The author of a .procmailrc file can specify a variety of settings and clauses which are called ``recipes'', and can also modularize the file by using a variety of INCLUDE directives. Here's a simple example that should get you started:
:0 hr
* ^From.*spammer.you.despise@spamhaven.com
* !^FROM_MAILER
* !^FROM_DAEMON
* $ !^X-Loop: ${USERNAME}@`hostname`
| (formail -r -A"X-Loop: ${USERNAME}@`hostname`" \
        -A"Precedence: junk"; \
   echo "Your mail is not welcome here."; \
   echo "Please don't mail me again."; \
   echo; \
   cat ~/your.signature.or.flame ) | $SENDMAIL -oi -t

The :0 marks this as a new recipe--each new recipe starts with this line. The h and the r on that line are flags that tell procmail which parts of the message to hand to your action line (i.e., the one that starts with a pipe, |). The final ``| $SENDMAIL -oi -t'' stage hands the finished reply to sendmail, which reads the recipient from the header that formail built; the semicolons separate the shell commands that the backslash-continued lines are joined into.
The r flag is given to prevent your response from failing if the sender has failed to put a blank line at the end of his message.
The following four ``star'' lines in the script are conditions. The first specifies that the header must show that the message is ``from'' your spammer, that is, your unwanted sender; the pattern matches any ``From '' or ``From:'' line that contains the target e-mail address. The next two lines of the script ensure that you don't respond to daemons and mailers (mailing lists). The last * line, which you should fill in with your user name and host name (or set USERNAME=your_login near the top of the file so that ${USERNAME} expands), ensures that you don't respond to your own response. Those three conditions are included to protect your script from being tricked into undesirable actions. Consider them to be the minimum overhead on any auto-responders that you write.
The next line of the script, which starts with a ``|'' pipe character, describes the action to take. In procmail there are three types of actions:
formail is a program that comes with the procmail package. It ``formats mail headers''. This particular formail command formats a ``reply'' (-r) header, and adds two additional header lines--a standard ``Precedence: junk'' line and a personal ``X-'' line. The RFC822 spec allows you to use the X- line to embed custom information into a header. It is also on the formail command line, with that X-Loop header, that you prevent your response from being routed back into your own script, i.e., a mail loop.
The echo and cat statements after the formail line provide output that is appended after the mail header and that becomes the body of your response. You can add additional echo lines or you can create a file and use cat to add it here.
If you are new to procmail (which is almost certain given your question--auto-responders are some of the first things that procmail users learn), you may be nervous about breaking something and losing some of your mail. To protect yourself you will want to start your .procmailrc with the following simple recipe:
:0 c
fallback

This recipe, if it is the first recipe in the script, appends a copy of every incoming message to a file named fallback in your ~/Mail directory by default. You can compare the contents of that folder to your inbox until you are confident that everything is working as you expect.
Please read the procmail and procmailex (examples) man pages for more details. The author, Stephen van den Berg, has also written an automated mail list management package called SmartList that is highly regarded among people that I know who have used it. I like SmartList much better than Majordomo.
--
Jim
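As an added illustration (not code from the column or from the procmail package), the three guard conditions of the recipe above and its formail -r -A step expressed in Python, so you can see exactly which messages each condition rejects; the responder's own address ME stands in for ${USERNAME}@`hostname`, and DAEMON_RE is an assumed rough approximation of procmail's FROM_DAEMON/FROM_MAILER patterns:

```python
# Added illustration (not code from the column or from procmail): the recipe's
# three guard conditions and the `formail -r -A ...` step, in Python.
import re
from email import message_from_string
from email.message import Message

ME = "me@example.test"        # assumption: stands in for ${USERNAME}@`hostname`
SPAMMER = "spammer.you.despise@spamhaven.com"

# Assumed rough stand-in for procmail's FROM_DAEMON / FROM_MAILER patterns.
DAEMON_RE = re.compile(r"(mailer-daemon|postmaster|listserv|majordomo|-request)@", re.I)

def should_reply(raw: str) -> bool:
    """True only when every condition of the recipe holds for this message."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    if SPAMMER.lower() not in sender.lower():
        return False           # * ^From.*spammer.you.despise@spamhaven.com
    if DAEMON_RE.search(sender) or \
            msg.get("Precedence", "").lower() in ("bulk", "junk", "list"):
        return False           # * !^FROM_MAILER and * !^FROM_DAEMON
    if any(ME.lower() in v.lower() for v in msg.get_all("X-Loop", [])):
        return False           # * !^X-Loop: me -- never answer our own reply
    return True

def build_reply(raw: str, body: str) -> Message:
    """Mimic formail -r -A"X-Loop: me" -A"Precedence: junk", then add the body."""
    orig = message_from_string(raw)
    reply = Message()
    reply["From"] = ME
    reply["To"] = orig.get("Reply-To") or orig.get("From") or ""
    subject = orig.get("Subject", "")
    reply["Subject"] = subject if subject.lower().startswith("re:") else "Re: " + subject
    reply["X-Loop"] = ME          # lets the condition above recognise our own mail
    reply["Precedence"] = "junk"  # tells other auto-responders not to answer us
    reply.set_payload(body)
    return reply
```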
Is there any way (or any program out there) which will not only get my e-mail from a POP3 server off of one account, but distribute it to multiple users on my system by either the from: or subject: lines?
Perhaps popclient could get the mail and save to temp. Then a program could go through the saved mail and say, ``Hmmm, this mail is from johndoe@linux.org and it goes to root--then the next message is from mike@canoe.net and it goes to Dave.'' Is there a program that will do this?
--
Moe Green, starved@ix.netcom.com
It is possible to write procmail scripts that can take this sort of action for you. Although I don't recommend this approach, I'll tell you how to do it.
The current version of popclient is called fetchmail, because it supports IMAP and some other mail store and forward protocols. The fetchmail default is to fetch the mail from your POP or IMAP server and feed it to the smtpd (sendmail) on your local host. This means that any special processing that would be done by the aliases or .forward files (especially any processing through procmail scripts) will be done automatically.
It is possible to override that feature and feed the messages through a pipe or into a file. It is also possible, using procmail or any scripting language, to parse and dispatch the file. Using anything other than procmail would require that you know a lot about RFC822, the standard for Internet mail headers, and about e-mail in general.
I wrote an article on procmail that appears in February's Linux Gazette, Issue 14. The gist of it is also available on my own mail server, and can be obtained by sending mail to info@starshine.org with a subject of procmail or mailbot.
The reason I don't recommend using procmail in this way is that it violates the intentions and design of Internet e-mail. A better solution is to find a provider of UUCP (Unix-to-Unix CoPy) services or at least SMTP/MX (Simple Mail Transfer Protocol) services. UUCP is the right way to provide e-mail to disconnected (dial-up) hosts and networks. It was designed and implemented over 25 years ago, and all of the mail systems on the Internet know how to gateway to UUCP sites.
As for SMTP/MX services for disconnected hosts/networks, there are various ways of hacking sendmail and DNS (Domain Name Service) configurations that have been developed in the last few years with a variety of shell scripts and custom programs to support them. All of these methods provide essentially the same services as mail via UUCP over TCP but do not conform to any standard, which means that whatever you learn and configure with one ISP probably won't work with the next one.
--
Jim
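For the second question, an added example (not code from the column, fetchmail or procmail) of the pipe-and-dispatch approach Jim describes: it splits a fetched mbox file at its ``From '' envelope lines and routes each message to a local user by its From: or Subject: header, falling back to root. The RULES table, the local user names and the sample mailbox are constructed for the illustration.

```python
# Added example (not from the column): dispatch fetched mail to local users by
# From:/Subject:. The routing table and sample mailbox below are constructed.
import re
from email import message_from_string

# Assumed routing rules: (header, pattern, local user); the first match wins.
# Note for defenders: From:/Subject: are unauthenticated and trivially forged,
# which is one reason the column steers you toward UUCP/SMTP instead.
RULES = [
    ("From",    re.compile(r"johndoe@linux\.org", re.I), "root"),
    ("From",    re.compile(r"mike@canoe\.net",    re.I), "dave"),
    ("Subject", re.compile(r"^\[support\]",       re.I), "helpdesk"),
]
FALLBACK = "root"   # anything unmatched goes to the postmaster's box

def split_mbox(mbox: str) -> list:
    """Split mbox text at 'From ' envelope lines (body lines are assumed
    to be '>From '-escaped, as mbox writers do)."""
    parts = re.split(r"(?m)^From [^\n]*\n", mbox)
    return [p for p in parts if p.strip()]

def route(raw: str) -> str:
    """Return the local user a single RFC 822 message should be delivered to."""
    msg = message_from_string(raw)
    for header, pattern, user in RULES:
        if pattern.search(msg.get(header, "")):
            return user
    return FALLBACK

def dispatch(mbox: str) -> dict:
    """Group raw messages by destination user, ready to hand to sendmail."""
    out = {}
    for raw in split_mbox(mbox):
        out.setdefault(route(raw), []).append(raw)
    return out

# Constructed sample mailbox with three messages.
SAMPLE_MBOX = (
    "From johndoe@linux.org Mon Feb  3 10:00:00 1997\n"
    "From: johndoe@linux.org\nTo: all@pop.example\nSubject: hello\n\nfirst\n\n"
    "From mike@canoe.net Mon Feb  3 10:05:00 1997\n"
    "From: Mike <mike@canoe.net>\nTo: all@pop.example\nSubject: paddles\n\nsecond\n\n"
    "From nobody@elsewhere.example Mon Feb  3 10:10:00 1997\n"
    "From: nobody@elsewhere.example\nSubject: [support] help\n\nthird\n"
)
```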
Recently a cracker got into my Linux system on the Internet. He didn't do a lot of damage, but I guess he did turn off system logging, since I couldn't see what he'd done. Now I can't get it working again. Here's what I've done so far:
Anyone have any good ideas what to do from here?
--
Jay
jay@shadow.ashpool.com
I do, but they are rather too involved for me to type up tonight. However, I highly recommend that you reinstall the OS and all binaries from scratch whenever you think root has been compromised on your system. I realize this is a time-consuming proposition, but it is the only way to truly be sure.
I also recommend the program tripwire that can be found at ftp.cs.purdue.edu in the COAST archive, and its mirrors.
Please feel free to write me at jimd@starshine.org if you continue to have system security problems.
Sorry to take so long to respond. I've been literally swamped all month.
--
Jim
I found that the cracker had replaced my syslogd with a packet sniffer. I think he had copied the syslogd code and replaced parts of it with his sniffer. It seemed to have some functionality but not a lot...
I also found a SUID version of bash in my /tmp directory. My thought is this is the way he originally got root access.
--
Jay
Not too surprising. He was probably using a rootkit; however, he obviously didn't do a very good job of covering his tracks. You should consider all passwords for all of the systems on the local net to be compromised. Force password changes across the board and consider installing ssh or stelnet. Both are secure, encrypted replacements to rlogin/rsh and telnet respectively.
He probably got in through the ``Leshka'' sendmail bug that allows any shell user to create a root-owned SUID shell in /tmp/ on any system that has an SUID root copy of sendmail (version ~8.6.x to 8.7.x ?). The bug involves sendmail's handling of ARGV[0] and its subsequent SIGHUP (signal to disconnect) handling. Everyone using earlier versions of sendmail should upgrade to 8.8.3 or later (see http://www.sendmail.org/ for details).
How important are this system and the other systems on the same LAN segment to your business?
I'd seriously consider hiring a qualified consultant for a full day risk assessment and audit. Unfortunately, you'll probably pay at least $125/hr for anyone that's worth talking to, and many of the ``security consultants'' out there are snake oil salesmen, so beware.
--
Jim
Jim Dennis is the proprietor of Starshine Technical Services. His professional experience includes work in technical support, quality assurance and information services (MIS) for software companies like Quarterdeck, Symantec/Peter Norton Group and McAfee Associates--as well as positions with smaller VARs. He's been using Linux since version 0.99p10 and is an active participant on an ever-changing list of mailing lists and newsgroups. He's just started collaborating on the 2nd Edition for a book on Unix systems administration. Jim is an avid science fiction fan--and recently got married at the World Science Fiction Convention in Anaheim.
This article was first published in Issue 14 of the Linux Gazette, a free on-line e-zine published by Linux Journal. Linux Gazette can be found at http://www.ssc.com/lg/.