"Linux Gazette...making Linux just a little more lovable!"


The Answer Guy


By James T. Dennis, [email protected]


Contents:


 Netscape Mail Block

Date: Sun, 15 Dec 1996 23:16:10 -0800 (PST)

hi... mitch here in mobile, alabama...
i need to refuse to accept email from a particular person... how can i configure netscape and/or cnd1.0 to bounce the person's mail back to them?

 I'd use procmail. CND uses procmail as your "local delivery agent" (by default). This means that sendmail passes any mail to a local account to procmail and lets procmail due the final delivery to your mail box (/var/spool/mail/$YOUR_LOGIN_NAME).

However, when procmail does this, it checks for a .procmailrc file in your home directory (and does some ownership and permissions checks on it for you).

procmail is a little programming language specifically for processing mail.

Your .procmailrc file can have a variety of settings and clauses (which are called "recipes" by the author). You can also modularize this by using a variety of INCLUDE directives. Here's a simple example that should get you started.

:0 hr
* ^From.*[email protected]
* !^FROM_MAILER
* !^FROM_DAEMON
* !^X-Loop: ${USERNAME}@`hostname`"
| (formail -r -A"X-Loop: ${USERNAME}@`hostname`" \
   -A"Precedence: junk" ;\
   echo "Your mail is not welcome here."
   echo "Please don't mail me again."
   echo 
   cat ~/your.signature.or.flame
   )
The :0 marks this as a new recipe (so each new recipe starts with a :0 line). The 'h' on that line is one of several flags to procmail about what parts of the message to hand to your action line (which comes up later). 'h' says: give me the header 'r' says: treat the incoming data as "raw" (so his failure to put a blank line at the end of his message won't cause your response to fail).

The four "star" lines after that are conditions -- the first specifies that the header indicates that the message be "from" your spammer (or unwanted sender). This will actually match any "from" or "From:" line that contains your targets e-mail address. The next two lines try to ensure that you don't respond to daemons and mailers (mailing lists). The next one (which you should fill in with your username and hostname) makes sure that your don't respond to your own response.

Those three conditions are to protect your script from being tricked into doing bad things. Consider them to be the minimum overhead on any autoresponders that you write.

The next line (starting with a "|" pipe character) is the action to take.

In procmail there are three types of actions. A filename simply specifies an mbox (elm, pine, or mailx compatible) folder to file this away in. A directory name specifies an mh or mmdf folder to store the message in (mh and mmdf use different naming schemes for the messages in their folder directories -- you don't need to worry about this unless you use on of these mail user agents). A '!' (bang) line specifies an e-mail address to which to bounce the message. A '|' (pipe) line specifies that the message should be filtered through a local program.

formail is a program that comes with the procmail package. It "formats mail headers." This particular formail command formats a "reply" (-r) header and adds two additional header lines -- a standard "Precedence: junk" line and a personal "X-" line (which the RFC822 spec allows you to use to embed custom information into a header). This is where your message adds the line that would prevent an attack by routing your response back into your script (a mail loop).

The echo and cat statements after the formail line just provide output that is appended after the mail header. This becomes the body of your response. You can add additional echo lines -- or you can create a file and just 'cat' it here.

If you are new to procmail (which is almost certain given your question -- autoresponders are some of the first things procmail'ers learn) you may be nervous about 'breaking' something and losing some of your mail. So -- to protect yourself from that you might want start your .procmailrc with the following simple recipe:

 
	:0 c
	fallback
Which (if it is the *first* recipe) simply appends a copy of every incoming message to a file (in your ~/Mail directory by default) named fallback. You can compare the contents of that folder to your inbox until you're confident that things are working as you expect.

Please read the procmail and procmailex (examples) man pages for more details. The author Stephen van der Berg, has also written an automated mail list management package called SmartList -- which is highly regarded among people who've tried it. I like SmartList *much* more than majordomo.

--Jim


 Dealing with e-mail on a pop3 server

Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)

From Moe Green:

Is there any way (or any program out there) which will not only get my email from a pop3 server off of one account, then distribute it to multiple users on my system by either the from: or subject: lines???

Example: Perhaps popclient could get the mail and save to temp, then is there a program which would go through and say, hmmm...this mail is from [email protected] and it goes to root...then the next message is from [email protected] and it goes to dave???

Thanks for your time, keep up the good work.
-Moe Green, [email protected]

 It is possible to write procmail scripts that can do this sort of thing. However I don't recommend this approach at all.

The current version of 'popclient' is called 'fetchmail' (because it supports IMAP and some other mail store and forward protocols).

It's default is to fetch the mail from your POP or IMAP server and feed it to the smtpd (sendmail) on your local host. This means that any special processing that would be done by the aliases or .forward files (especially any processing through procmail scripts) will be done automatically.

It is possible to over-ride that feature and feed the messages through a pipe or into a file. It is also possible, using procmail or any scripting language, to parse and dispatch the file. Using anything other than procmail would require that you know *alot* about RFC822 (the standard for internet mail headers) and about e-mail in general.

I did write an article on procmail this month -- but may have submitted it too late for inclusion into this month's Linux Gazette. The gist of it is available on my own mail server (send mail to [email protected] with a subject of ``procmail'' or ``mailbot'').

The reason I don't recommend all of this is that it violates the intentions and design of internet e-mail. A better solution is to find a provider of UUCP services (or at least SMTP/MX services). UUCP is the *right* way to provide e-mail to disconnected (dial-up) hosts and networks. It was designed and implemented over 25 years ago and all of the mail systems on the Internet know how to gateway to UUCP sites.

As for SMTP/MX services for disconnected hosts/networks. Various ways of hacking sendmail and DNS configurations have been developed in the last few years -- with a variety of shell scripts and custom programs to support them. All of these provide essentially the same services as mail via UUCP over TCP -- but without conforming to any standard (meaning that whatever you learn and configure with one ISP probably won't work with the next one).

Glad I could help. I hope that article on procmail helps.

--Jim


 Security Problem

Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)

From Jay:

Recently a cracker got into my linux system on the internet. He didn't do a lot of damage but he did turn off system logging. I guess so I couldn't see what he'd done. Now I can't get it working again....

  1. I've made sure that the syslogd program is running using 'ps'
  2. I've read the syslogd.conf file to make sure it's logging everything, and where it's going to.
  3. I've checked permissions on the log file
  4. I did a 'kill -HUP' on the syslogd process and it writes 'restart' to the log
  5. 'logger' does nothing when I run it (no log entry, no error)
  6. All my C programs that wrote to syslog don't anymore
Anyone have any good ideas what to do from here?

Thanks
--Jay, [email protected]

 I do but they are rather too involved for me to type up tonight.

I really recommend that you reinstall the OS and all binaries from scratch whenever you think that root has been compromised on a system. I realize that this is a time-consuming proposition -- but it is the only way to really be sure.

I also recommend tripwire (ftp.cs.perdue.edu in the COAST archive -- and it's mirrors).

Please feel free to write me if you continue to have system security problems. [email protected]

Sorry to take so long to respond. I've been literally swamped all month.

--Jim


 More on Security Problem

Date: Tue, 28 Jan 1997 18:56:22 -0800 (PST)

From Jay:

>>> Recently a cracker got into my linux system on the internet.
>>
>> Did you restart the whole system?
>> I would consider replacing syslog from your CD's and
>> restarting your system.
>
I found that the cracker had replaced my syslogd with a packet sniffer. I think he had copied the syslogd code and replaced parts of it with his sniffer. It seemed to have some functionality but not a lot...

I also found a SUID version of bash in my /tmp directory. My thought is that this is how he originally got root access.

 Not too surprising. He was probably using a 'rootkit.' However he obviously didn't do a very good job of covering his tracks.

You should consider all passwords for all of the systems on the local net to be compromised. Force password changes across the board and consider installing ssh or stelnet (secure, encrypted replacements to rlogin/rsh and telnet respectively).

He probably got in through the "Leshka" sendmail bug (allowing any shell user to create a root owned SUID shell in /tmp/ on any system with an SUID root copy of sendmail (version ~8.6.x to 8.7.x ???) using a bug in sendmail's handling of ARGV[0] and it's subsequent SIGHUP handling.

Everyone using earlier versions of sendmail should upgrade to 8.8.3 or later (www.sendmail.org for details).

How important are this system and the other systems on the same LAN segment to your business?

I'd seriously consider hiring a qualified consultant for a full day risk assessment and audit. Unfortunately you'll probably pay at least $125/hr for anyone that's worth talking to and many of the "security consultants" out there are snake oil salesmen.

I personally trust Peter Shipley (www.dis.org) and Brent Chapman (www.greatcircle.com) (co-author of the O'Reilly Firewalls book) Strat Rose (www.virtual.net) and Dan Farmer (www.trouble.org) (co-author of SATAN). Most of them are live in the SF Bay Area (silicon valley) and most of them aren't available most of the time (Brent is working on a large project to integrate the SGI and Cray WAN's; Strata has accepted a full-time position at synopsis.com, etc).

I only consider myself to be a student, at best an apprentice, at data security. I'm willing to help -- but I can offer a list of satisfied clients for RASA services and I have no official "credentials."

--Jim


 Dial-up Problem

Date: Tue, 28 Jan 1997 22:56:35 -0800 (PST)

From Seth Vidal:

I was reading your answer in LG(#13) to the individual who had slow rate problems with ppp. Something which he did not mention that might be of help is the MTU. Some isp's set the mtu or have ppp do the negotiation. NOT all. Some of the newer ones have not quite figured out that a 14.4 or 28.8 is not going to get a packet size over 576 very often. If he sets his mtu to 576 (or even 296 for a 14.4) he may be able to force the provider's setting down. I have found that in a standard (slackware or redhat) linux distribution that the mtu defaults to 1500 which will result in slow downs and problems if your modem encounters errors frequently. I know what ppp is "supposed to do" when set up correctly. But he cannot control the ignorance of his ISP and therefore it would be to his behest to give that a try. If you'd like to pass the information along to the individual who wrote the message feel free. I hope this helps him and any others.

cheers,
Seth Vidal, [email protected]


 X Window Problem

Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)

From: Chris Lee, [email protected]

1.) X Windows I got a Cirrus 5434 1mb video card, whenin 640x480x8bit the video is *fine* not great, I get little specs once in awhile on the screen, they go away with a simple [refresh] but still... When in 800x600x8bit I get lines, not specs anymore, alomst allways horizontial, and about 3pixels high, and allways croos the entire screen, not the virtual screen though, and they also go away with a simple [refresh] thses line occur alot more then the specs did. My vid card works fine in DOS/Windows. Any suggestions ?

 You can look for the SuperProbe utility that comes with most recent distributions. This will provide info that can be autodetected about your video card.

Frankly XWindows configuration under XFree86 is black magic. A few people are really good at it and mere mortals (such as I) just plug along and hope for the best.

The new XFree86 3.1.2 release seems to be better about this but I'm sure that I'm not getting the optimal color and clock settings from my various X installations either.

2.)Is there any Linux or X-Windows mailing-lists ? would help alot for me.

There are many Linux mailing lists -- and some of them and some independent ones cover XFree86 (which is used by Linux, FreeBSD and the rest of the free BSD derivatives (NetBSD and OpenBSD).

The three best web sites for information about Linux seem to be:

I don't know much about X Windows and the XFree86 project but I think they maintain a web site -- probably at www.xfree86.org.

It's an often overlooked fact that there are competitors to Linux in the field of freely available Unix for PC's. You can look at www.freebsd.org, www.netbsd.org and www.openbsd.org for some of those.

Thanks for your time :)
Chris Lee, Computer Science
P.S. Damn you Linux people are great, so much out there, so many people helping you, nothing like this for DOS/Windows

DOS heralded the "sharing" of software (shareware) while Linux and the GNU project has promoted a *giving* of software -- and support.

I think one is largely and extension of the other.

Personally some of the best news I've heard for die hard PC users in the last year is the announcement that Caldera purchased DR-DOS and intends to release the sources as soon as the clean up the code enough to compile cleanly in a sane production environment. Look at www.caldera.com for details about that.

OpenDOS will be one of the final pieces in the puzzle of how we (PC users, IS managers, and others) can truly protect the investment we've made in our legacy software. (Currently, with dosemu -- the BIOS emulator, you have to install a copy of DOS unto your system in addition to installing and configuring the Linux interface to your DOS programs -- which is want dosemu provides).

-- Jim


Previous "Answer Guy" Columns

Answer Guy #1, January 1997


Copyright © 1997, James T. Dennis
Published in Issue 14 of the Linux Gazette


[ TABLE OF 
CONTENTS ] [ FRONT PAGE ]  Back  Next