|
|
Subscribe / Log in / New account

Security

mod_spambot

It has been known for years that spammers harvest web sites for email addresses to add to their lists. Various sites have responded by hiding or obfuscating email addresses found on their pages; some people go to extreme measures to keep their address from ever appearing on a page. One wonders what they are worried about; your editor only receives a mere 3-4000 spams per day to his highly-public email address, after all.

Suffice to say that without SpamAssassin LWN would likely have collapsed under the flood years ago.

Some folks have decided that it is time to take a more active stance against the harvesting of email addresses from web pages. The result is an Apache module called mod_spambot; version 0.47 was recently released. The idea behind this module is to detect accesses by address harvesters and shut them down. Unfortunately, the approach this module takes is too simplistic to work in many situations.

mod_spambot is essentially a traffic throttling module. If a given site pulls down too many pages in a given time period (default is 100 pages in one hour), its access is cut off. There is also a "honeypot" option which will, instead, feed the (presumed) harvester a set of pseudo-random pages with bogus email addresses in them. This approach may well cut off some spammers, but anybody who has maintained a busy web site can see a few problems fairly quickly:

  • This approach will also cut off others who may be grabbing large numbers of pages from the site. Search engines come to mind, as do archive sites or anybody wanting to mirror a portion of a site. Cutting off people who thoughtlessly run a recursive wget to grab an entire site has some appeal; "download the site" operations account for a substantial part of LWN's bandwidth usage. But most site operators do not want to pull the plug on search engines and the like. mod_spambot allows the administrator to construct a whitelist, but who wants to figure out how to whitelist every possible search engine of interest?

  • There are some very large networks out there hiding behind a massive router and a single IP address. Traffic which looks like it originates from a single host may, in fact, be generated by hundreds of individual readers.

  • Increasingly large amounts of traffic are generated by robots whose sole purpose is to get a referrer URL onto a "top referrers" page somewhere on the site. Purveyors of Internet gambling experiences and particular types of imagery appear to like this approach to marketing. The interesting thing is that these accesses come simultaneously from a large number of IP addresses. These people, clearly, are using a network of zombie machines for their attacks. Spammers already use zombies to deliver their mail; it is hard to believe that they would not use those machines for address harvesting as well.

So throttling robots based on IP address will miss some attackers while blocking legitimate users of the site. It would be nice to prevent one's web site from being used as a resource by spammers, but this approach is not, yet, the way to that end.

Comments (16 posted)

Brief items

Update on RFID passports

Bruce Schneier looks at current plans for RFID-enabled U.S. passports; it seems that things are headed in the right direction. "The most important feature they've included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security."

Comments (1 posted)

Greasing the wheel with Greasemonkey (SecurityFocus)

Here's a SecurityFocus column on how the recent GreaseMonkey vulnerability was handled. "If we must continue the discussion to encompass the model of open source, then I have to say that the approach Greasemonkey took shows what makes open source great: openness. Throughout the whole painful process, information was available to those who needed it: developers, IT folks, users, and security pros. No one was kept in the dark, and all the details -- code, communications, thought processes, and so on -- were always available so that interested parties could make decisions based on facts instead of promises and conjecture."

Comments (none posted)

New vulnerabilities

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 gaim 2006-02-25
Slackware SSA:2005-242-03 gaim 2005-08-31
Fedora FEDORA-2005-751 gaim 2005-08-17
Fedora FEDORA-2005-750 gaim 2005-08-17
Mandriva MDKSA-2005:139 gaim 2005-08-15
Gentoo 200508-06 gaim 2005-08-15
Ubuntu USN-168-1 gaim 2005-08-12
Red Hat RHSA-2005:589-01 gaim 2005-08-09

Comments (none posted)

sysreport: insecure temporary file

Package(s):sysreport CVE #(s):CAN-2005-2104
Created:August 9, 2005 Updated:November 11, 2005
Description: Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run.
Alerts:
Fedora FEDORA-2005-1072 sysreport 2005-11-10
Fedora FEDORA-2005-1071 sysreport 2005-11-10
Red Hat RHSA-2005:598-01 sysreport 2005-08-09

Comments (none posted)

ucd-snmp: denial of service

Package(s):ucd-snmp CVE #(s):CAN-2005-2177
Created:August 9, 2005 Updated:January 27, 2006
Description: A denial of service bug was found in the way ucd-snmp uses network stream protocols. A remote attacker could send a ucd-snmp agent a specially crafted packet which will cause the agent to crash.
Alerts:
Mandriva MDKSA-2006:025 net-snmp 2006-01-26
Ubuntu USN-190-2 ucd-snmp 2005-11-21
Debian DSA-873-1 net-snmp 2005-10-26
Red Hat RHSA-2005:395-01 net-snmp 2005-10-05
Ubuntu USN-190-1 net-snmp 2005-09-29
Red Hat RHSA-2005:373-01 net-snmp 2005-09-28
Mandriva MDKSA-2005:137 ucd-snmp 2005-08-11
Red Hat RHSA-2005:720-01 ucd-snmp 2005-08-09

Comments (none posted)

xpdf: denial of service

Package(s):xpdf kpdf CVE #(s):CAN-2005-2097
Created:August 9, 2005 Updated:August 2, 2006
Description: A flaw was discovered in Xpdf in that could allow an attacker to construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened.
Alerts:
Debian DSA-1136-1 gpdf 2006-08-02
Mandriva MDKSA-2005:138-1 cups 2005-09-19
Debian DSA-780-1 kdegraphics 2005-08-22
SuSE SUSE-SR:2005:019 multi 2005-08-19
Fedora FEDORA-2005-732 cups 2005-08-17
Fedora FEDORA-2005-733 cups 2005-08-17
Gentoo 200508-08 xpdf 2005-08-16
Fedora FEDORA-2005-730 xpdf 2005-08-15
Fedora FEDORA-2005-729 xpdf 2005-08-15
Mandriva MDKSA-2005:136 gpdf 2005-08-11
Mandriva MDKSA-2005:135 kdegraphics 2005-08-11
Mandriva MDKSA-2005:134 xpdf 2005-08-11
Mandriva MDKSA-2005:138 cups 2005-08-11
Red Hat RHSA-2005:708-01 gpdf 2005-08-10
Red Hat RHSA-2005:706-01 CUPS 2005-08-09
Red Hat RHSA-2005:671-01 kdegraphics 2005-08-09
Red Hat RHSA-2005:670-01 xpdf 2005-08-09
Ubuntu USN-163-1 xpdf 2005-08-09

Comments (none posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds