Re: we were attacked

To: Craig Sanders <cas@taz.net.au>
Cc: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Ward Vandewege <ward@pong.be>
Date: Sat, 8 Apr 2006 20:57:08 -0400
Message-id: <[🔎] 20060409005708.GA5147@io.pong.be>
In-reply-to: <[🔎] 20060409003155.GD12804@taz.net.au>
References: <[🔎] 44367C04.6030609@tau.org.ar> <[🔎] 002101c65b0f$4d43e4d0$6501a8c0@emea.hpqcorp.net> <[🔎] 20060408133308.GQ606@verkkotelakka.net> <[🔎] 20060408135058.GB31962@io.pong.be> <[🔎] 20060409003155.GD12804@taz.net.au>

On Sun, Apr 09, 2006 at 10:31:55AM +1000, Craig Sanders wrote:
> On Sat, Apr 08, 2006 at 09:50:58AM -0400, Ward Vandewege wrote:
> > > > 4) use wrapper for emails - I have one which includes special headers to
> > > > mails sent from php, I'm going to modify it to support limits on no. of
> > > > mails sent in timeframe
> > > 
> > > I hope you share this.
> > 
> > Here's an example of such a wrapper:
> 
> this is useful but far from foolproof. any script can open a connection
> to "localhost:25" and speak SMTP directly to the local mail server. if
> the web server isn't running an smtp server (which is very unlikely -
> most do, if only to cater for formmail scripts, and to forward system
> mail to the sysadmin) the attacker can check the MX record for the
> domain being attacked and connect directly to port 25 of the mail host.

Quite - and you need to tell php to use sendmail rather than smtp for the
mail() function, etc. I assumed it was obvious that any mailserver on the
same host/other hosts that are accesible from it on port 25 should be
firewalled. After all this wrapper only traps php's mail() function.

> > # Just make all e-mail come from webmaster@ the domain. That address _should_
> > # always be defined.
> > (out, s) = popen2('/usr/sbin/sendmail -t -i -f webmaster@' + sys.argv[1])
> 
> i do the exact opposite. i require all mail sent by web scripts to go
> to a real person, whoever is responsible for that script (which may be
> webmaster for the domain or it may not)....and failing to set a sender
> address (so that it goes to www-data) is grounds for deletion/disabling
> of the script.

Yes, that's another way of dealing with it. Hardcoding the sender to
webmaster@ was a bit of an experiment - it's mostly to make sure that there
is a valid sender address - otherwise my mailservers will simply refuse to
accept the message for delivery.

Ward.

-- 
Pong.be         -(  "Just wait,  My crystal ball is infallible." -- Linus  )-
Virtual hosting -( Torvalds, discussing the future of smart I/O hardware.  )-
http://pong.be  -(                                                         )-
GnuPG public key: http://gpg.dtype.org

Reply to:

Follow-Ups:
- Re: we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>

References:
- we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>
- RE: we were attacked
  - From: "Marek Podmaka" <marki@onee.sk>
- Re: we were attacked
  - From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
- Re: we were attacked
  - From: Ward Vandewege <ward@pong.be>
- Re: we were attacked
  - From: Craig Sanders <cas@taz.net.au>

Prev by Date: Re: we were attacked
Next by Date: Re: Debian SNMP package to monitor Ascend MAX units
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread