Security
Backscatter increase clogs inboxes
Backscatter, also known as blowback, is the result of a spammer forging the sender address on an email that is sent to a non-existent address. Many mail servers do not reject invalid addresses when they receive the email and instead generate a bounce message sometime later. The unfortunate victim, then, is the one whose address was forged as the sender. Sometimes, hundreds or thousands of bounce messages can be generated which flood the inbox of an innocent bystander.
Backscatter seems to be on the rise; the LWN inbox has seen a huge increase in the number of bounces over the last week or so. Some Google domains may be contributing to the problem, but that cannot explain all of it. One basic problem is that many mail servers generate bounce messages after accepting mail for invalid addresses, rather than rejecting it while the SMTP transaction is still in progress.
When a mail server gets a connection from a sending machine, it gets several pieces of information about the email in addition to its contents. Both a "from" and "to" address are included in this extra information, which is usually called the envelope, for obvious reasons. After receiving each piece of the envelope, a mail server has the opportunity to reject the message. Typically this isn't done for valid-looking sender addresses, except in limited blacklist situations, but it certainly can and should be done when the recipient address is invalid.
Due to a variety of mail server configuration issues, many mail servers do not reject mail for invalid recipients during the SMTP transaction. Instead, they defer the decision until sometime later. Servers that relay mail for other domains may not know which of the addresses they relay are valid, while other servers (qmail, for example) separate the SMTP conversation program from the local delivery program for security reasons and thus do not have that information available at SMTP time. Other valid or semi-valid reasons exist, but once the mail has been accepted, the proper means of indicating a bad address (a rejection while the sending machine is still connected) is no longer available.
In the days before spam—remember those?—a mail server could generally trust that the sender address in the envelope was the real sender, so an incorrectly addressed email could be bundled up in a bounce message and sent back to that address. If the sender address is genuine, that is little different from the bounce the sender's own machine generates when the mail is rejected at SMTP time. Unfortunately, the majority of sender addresses these days are forged.
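As an added example (not code from the article, from SpamAssassin, or from any real MTA), the following Python models the two server behaviours described above as SMTP dialogues. The domain example.net, its two mailboxes and the connecting host name are constructed for the example; the reply codes are the conventional ones. The point to observe is who ends up holding the bounce: when the server rejects at RCPT TO, the sending MTA does, and it knows its real submitter; when the server accepts and fails later, all it has to bounce to is whatever the spammer put in MAIL FROM.

```python
"""Reject-at-RCPT versus accept-then-bounce, modelled as SMTP dialogues.

Constructed example: the server hosts the single domain example.net with two
real mailboxes. Nothing here touches a network; the client half of the
dialogue is scripted from the envelope handed to deliver().
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LOCAL_DOMAIN = "example.net"            # constructed
LOCAL_MAILBOXES = {"alice", "bob"}      # constructed
CLIENT_HOST = "mx.spammer.example"      # constructed: the connecting MTA


@dataclass
class Outcome:
    # (client line, server reply) pairs in the order they happened
    transcript: List[Tuple[str, str]] = field(default_factory=list)
    accepted: bool = False          # did the server answer "250 ... queued"?
    queued_for: List[str] = field(default_factory=list)   # real mailboxes
    dsn_to: List[str] = field(default_factory=list)       # who gets a bounce later


def local_mailbox_exists(addr: str) -> bool:
    """The recipient check a server can perform while RCPT TO is pending."""
    if "@" not in addr:
        return False
    user, domain = addr.rsplit("@", 1)
    return domain.lower() == LOCAL_DOMAIN and user.lower() in LOCAL_MAILBOXES


def deliver(envelope_from: str, envelope_to: List[str], reject_at_rcpt: bool) -> Outcome:
    """Drive one SMTP transaction under one of two recipient policies.

    reject_at_rcpt=True  : unknown recipients get 550 while the connection is
                           open; the sending MTA, which knows its real
                           submitter, owns any notification.
    reject_at_rcpt=False : every RCPT TO gets 250, the message is queued, and
                           the failure is reported later by a DSN to the
                           reverse-path, i.e. to whatever MAIL FROM claimed.
    """
    out = Outcome()

    def say(cmd: str, reply: str) -> None:
        out.transcript.append((cmd, reply))

    say(f"EHLO {CLIENT_HOST}", f"250 {LOCAL_DOMAIN}")
    say(f"MAIL FROM:<{envelope_from}>", "250 2.1.0 Ok")

    accepted: List[str] = []        # addresses answered 250 at RCPT time
    undeliverable: List[str] = []   # accepted, but no such mailbox
    for rcpt in envelope_to:
        if local_mailbox_exists(rcpt):
            accepted.append(rcpt)
            say(f"RCPT TO:<{rcpt}>", "250 2.1.5 Ok")
        elif reject_at_rcpt:
            say(f"RCPT TO:<{rcpt}>",
                f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
        else:
            accepted.append(rcpt)
            undeliverable.append(rcpt)
            say(f"RCPT TO:<{rcpt}>", "250 2.1.5 Ok")   # accept now, bounce later

    if not accepted:
        # Nothing left to send; a well-behaved client skips DATA entirely.
        say("QUIT", "221 2.0.0 Bye")
        return out

    say("DATA", "354 End data with <CR><LF>.<CR><LF>")
    say(".", "250 2.0.0 Ok: queued")        # message body elided
    out.accepted = True
    out.queued_for = [r for r in accepted if r not in undeliverable]

    # Post-acceptance failure handling: a DSN goes to the reverse-path, unless
    # it is null (MAIL FROM:<>), which RFC 5321 says must not be notified.
    if undeliverable and envelope_from:
        out.dsn_to.append(envelope_from)

    say("QUIT", "221 2.0.0 Bye")
    return out


def render(outcome: Outcome) -> str:
    """Human-readable C:/S: transcript plus the after-the-fact bounce, if any."""
    lines = []
    for cmd, reply in outcome.transcript:
        lines.append(f"C: {cmd}")
        lines.append(f"S: {reply}")
    if outcome.dsn_to:
        lines.append(f"-- later: bounce (DSN) sent to {', '.join(outcome.dsn_to)}")
    return "\n".join(lines)


if __name__ == "__main__":
    forged = "victim@forged.example"          # the innocent bystander's address
    for policy in (True, False):
        print(f"=== reject_at_rcpt={policy} ===")
        print(render(deliver(forged, ["nobody@example.net"], reject_at_rcpt=policy)))
        print()
```

Run as a script it prints both transcripts for the same forged envelope: the first ends at the 550 with no bounce anywhere on the receiving side, the second ends with a DSN addressed to victim@forged.example, which is the backscatter the article describes. The null reverse-path case is handled as well, since a DSN must never be generated for it.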
But spammers don't want to use just any forged address, they want to use something that is valid or appears valid. Mail servers have gotten better at testing sender addresses for validity before accepting mail from them. So, where does an enterprising spammer get a valid email address? They pick one at random from their list of "500,000 guaranteed opt-in email addresses" that they bought from some other miscreant. They use those lists to send their spam to as well as using them to choose sender addresses to use.
As might be guessed, the SpamAssassin mailing lists have been discussing the problem recently, especially ways to reduce the amount of backscatter received. SpamAssassin does have the VBounce plugin to recognize bounce messages. By default, it does not increase the score of bounces by much, since it is meant to be used with procmail to file bounces separately from spam.
Another idea floated on the list is to publish SPF or DKIM records for a domain. The belief is that spammers avoid forging sender addresses in domains that publish them, because doing so is likely to get their messages classified as spam immediately. Anecdotal evidence suggests that backscatter can be significantly reduced this way.
Brief items
Bruce Schneier reviews Access Denied
Bruce Schneier takes a look at Access Denied, a new book on internet censorship from the MIT Press. "Today, things are very different. Internet censorship is flourishing. Organizations selectively block employees' access to the Internet. At least 26 countries -- mainly in the Middle East, North Africa, Asia, the Pacific and the former Soviet Union -- selectively block their citizens' Internet access. Even more countries legislate to control what can and cannot be said, downloaded or linked to. 'You have no sovereignty where we gather,' said Barlow. Oh yes we do, the governments of the world have replied."
New Massive Botnet Twice the Size of Storm (Dark Reading)
Dark Reading reports from the RSA conference on an enormous botnet that is currently active with roughly 400,000 bots. "The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa."
OpenPacket.org 1.0 Is Live
From Richard Bejtlich's weblog comes the news that OpenPacket.org is open for business. "The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org will provide one possible solution to this problem."
Security reports
Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model
A paper that will be presented at the USENIX Usability, Psychology and Security (UPSEC) conference takes a look at the OLPC Bitfrost security model [PDF]. "In this paper, we discuss Bitfrost, the security model developed by the One Laptop Per Child project for its XO laptop computers. Bitfrost implements a number of security measures intended primarily to deter theft and malware, but which also introduce severe threats to data security and individual privacy. We describe several of the technical provisions in Bitfrost, outline the risks they enable, and consider their legal ramifications and the psychological impact posed for children and society."
New vulnerabilities
alsaplayer: arbitrary code execution
Package(s): alsaplayer
CVE #(s): CVE-2007-5301
Created: April 7, 2008
Updated: April 9, 2008
Description: From the Debian advisory: Erik Sjölund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously-crafted Vorbis file could lead to the execution of arbitrary code.
Alerts:
audit: privilege escalation
Package(s): audit
CVE #(s): CVE-2008-1628
Created: April 9, 2008
Updated: August 1, 2008
Description: From the Red Hat bugzilla entry: A vulnerability has been reported in Linux Audit, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a boundary error within the "audit_log_user_command()" function in lib/audit_logging.c. This can be exploited to cause a stack-based buffer overflow via an overly long "command" argument and potentially execute arbitrary code with the privileges of the application using libaudit.
Alerts:
comix: arbitrary code execution
Package(s): comix
CVE #(s): CVE-2008-1568
Created: April 9, 2008
Updated: April 28, 2008
Description: From the NVD entry: comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs.
Alerts:
flash-plugin: multiple vulnerabilities
Package(s): flash-plugin
CVE #(s): CVE-2007-6637 CVE-2007-6019 CVE-2007-0071 CVE-2008-1655 CVE-2008-1654
Created: April 9, 2008
Updated: April 18, 2008
Description: From the Red Hat advisory: Several input validation flaws were found in the way Flash Player displayed certain content. These may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2007-0071, CVE-2007-6019) A flaw was found in the way Flash Player established TCP sessions to remote hosts. A remote attacker could, consequently, use Flash Player to conduct a DNS rebinding attack. (CVE-2007-5275, CVE-2008-1655) A flaw was found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks. (CVE-2007-6243, CVE-2008-1654) A flaw was found in the way Flash Player interacted with web browsers. An attacker could use malicious content presented by Flash Player to conduct a cross-site scripting attack. (CVE-2007-6637)
Alerts:
gnome-ssh-askpass, openssh: privilege escalation
Package(s): gnome-ssh-askpass
CVE #(s): CVE-2008-1657
Created: April 7, 2008
Updated: October 2, 2008
Description: From the Gentoo advisory: OpenSSH will execute the contents of the ".ssh/rc" file even when the "ForceCommand" directive is enabled in the global sshd_config (CVE-2008-1657).
Alerts:
konversation: arbitrary code execution
Package(s): konversation
CVE #(s): CVE-2007-4400
Created: April 9, 2008
Updated: April 9, 2008
Description: From the Red Hat bugzilla: The media script (/usr/share/apps/konversation/scripts/media) that is distributed with the konversation package reportedly does not escape tags from media files correctly, allowing command injection into an IRC channel.
Alerts:
m4: execution of arbitrary code
Package(s): m4
CVE #(s): CVE-2008-1687 CVE-2008-1688
Created: April 8, 2008
Updated: April 9, 2008
Description: m4-1.4.11 fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro, causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code.
Alerts:
nx nxnode: multiple vulnerabilities
Package(s): nx nxnode
CVE #(s):
Created: April 7, 2008
Updated: July 10, 2008
Description: From the Gentoo advisory: Multiple integer overflow and buffer overflow vulnerabilities have been discovered in the X.Org X server as shipped by NX and NX Node (vulnerabilities 1-4 in GLSA 200801-09). A remote attacker could exploit these vulnerabilities via unspecified vectors, leading to the execution of arbitrary code with the privileges of the user on the machine running the NX server.
Alerts:
otrs: SOAP command execution
Package(s): otrs
CVE #(s): CVE-2008-1515
Created: April 4, 2008
Updated: April 17, 2008
Description: A bug in the trouble ticket system OTRS allowed a remote attacker to get remote access without specifying a valid user name via the SOAP interface.
Alerts:
pdns-recursor: DNS cache poisoning
Package(s): pdns-recursor
CVE #(s): CVE-2008-1637
Created: April 9, 2008
Updated: August 21, 2008
Description: From the Red Hat bugzilla entry: Amit Klein of Trusteer discovered and documented a weakness in the way PowerDNS Recursor generates DNS queries and the transaction IDs used in them. This weakness can be used to predict the transaction IDs used in subsequent queries after observing a certain number of consecutive previous queries, leading to a high probability of performing a successful cache poisoning attack.
Alerts:
pecl-apc: arbitrary code execution
Package(s): pecl-apc
CVE #(s): CVE-2008-1488
Created: April 9, 2008
Updated: July 15, 2008
Description: From the Gentoo advisory: Daniel Papasian discovered a stack-based buffer overflow in the apc_search_paths() function in the file apc.c when processing long filenames. A remote attacker could exploit this vulnerability to execute arbitrary code in PHP applications that pass user-controlled input to the include() function.
Alerts:
PolicyKit: authentication bypass
Package(s): PolicyKit
CVE #(s): CVE-2008-1658
Created: April 9, 2008
Updated: April 17, 2008
Description: From the Red Hat bugzilla entry: A format string vulnerability was discovered in the PolicyKit grant helper. A user may specify a password containing format sequences and cause polkit-grant-helper to crash or bypass authentication.
Alerts:
silc-toolkit: buffer overflow
Package(s): silc-toolkit
CVE #(s): CVE-2008-1552
Created: April 4, 2008
Updated: July 31, 2008
Description: A flaw in the processing of PKCS#1 messages in silc-toolkit could lead to a buffer overflow. Remote attackers could exploit that to crash the server.
Alerts:
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2008-1561 CVE-2008-1562 CVE-2008-1563
Created: April 4, 2008
Updated: October 2, 2008
Description: Multiple flaws in wireshark could lead to crashes when certain packets are processed.
Alerts:
Page editor: Jake Edge