Security
A look at Rspamd
SpamAssassin has been the dominant spam-filtering program in the free-software community for at least a decade. But the relative newcomer Rspamd is making significant gains, and may be a project worth serious consideration by those running email servers. It is designed to be easier to extend with new functionality, and the architecture supports running multiple, parallel processes even on clusters.
Vsevolod Stakhov started work on Rspamd in 2010 with the goal of building a more modular alternative to SpamAssassin—both in the architecture of the program and in how its spam-filtering tests are designed. The latest major release was version 0.9.0 in May, which added support for native SpamAssassin rules, Domain-based Message Authentication, Reporting and Conformance (DMARC), and many other improvements. A series of minor updates have followed, the latest being 0.9.8 on June 25. The program is packaged for Debian, Ubuntu, Fedora, and openSUSE, and is available in the FreeBSD ports collection.
Regarding its modular architecture, Rspamd is designed to run in multiple processes, with one controller process coordinating several workers that may be running locally or on other machines. The workers can each handle a separate task, such as performing statistical analysis of message content or conducting traditional rule-based filtering. The various processes communicate over HTTPS. The system is event-driven, with the intent to not block anywhere in the code, so that it can process many incoming messages simultaneously.
As for the actual spam-filtering tests, Rspamd's core modules are written in C, but the project also supports a flexible system for writing new filters as Lua plugins. The documentation lists eight Lua modules that ship with the default release. They include support for real-time blacklists (RBLs), recognizing common mailing-list signatures, detecting phishing URLs, and more.
The C modules, though, constitute what the project considers the core filtering functionality. They include support for Sender Policy Framework (SPF) validation checking, SURBL blacklists, DomainKeys Identified Mail (DKIM), and more. Like SpamAssassin, Rspamd uses the output of its various filters to assign a score to each message, indicating the likelihood that it is spam. The central filtering tool is a regular-expression engine that scans message body and header content, much like the one found in SpamAssassin.
In fact, there is a separate plugin available that lets one use unaltered SpamAssassin rules with Rspamd. But one difference that the Rspamd project takes particular pride in is that it can support more sophisticated rules. Its expression-matching engine uses a more complex classifier than the traditional, single-word Bayesian algorithm used in SpamAssassin. Rspamd's algorithm, known as OSB-Bayes (for "Orthogonal Sparse Bigrams"), was originally described in a 2006 paper [PDF].
In essence, OSB-Bayes adjusts the "spam probability" factor calculated for a message by de-emphasizing those trigger features (such as suspicious words) that seem to be evenly distributed in a message and emphasizing those trigger features that appear in clusters. The purported advantage is that this approach detects trigger features that are found in statistically unlikely groups, minimizing the "noise" caused by features that one would expect to find, randomly, spread out over the whole message. Rspamd's implementation uses five-word chunks, skipping small words. The process of tuning the implementation has been an ongoing one; the 0.9.0 release notes mention that the latest revisions significantly reduced the false-positive rate.
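As an added illustration (not code from the article or from the Rspamd project), here is a small Python model of OSB feature extraction followed by a naive Bayes scorer: each word in a five-token window is paired with every later word in that window, with the number of skipped words recorded in the feature, and tokens shorter than three characters are dropped to stand in for the "small words" the article says are skipped. The window size follows the article; the three-character cutoff, the add-one smoothing, and the sample messages are assumptions made for the example, and Rspamd's own tokenizer, hashing and statistics backend differ from this toy.

```python
import math
import re
from collections import Counter

WINDOW = 5          # five-word window, as the article describes
MIN_TOKEN_LEN = 3   # assumption: "small words" are tokens shorter than three characters


def tokenize(text):
    """Lower-case word tokens, dropping the short words the window skips over."""
    return [t for t in re.findall(r"[a-z0-9']+", text.lower()) if len(t) >= MIN_TOKEN_LEN]


def osb_features(tokens, window=WINDOW):
    """Orthogonal sparse bigrams: pair each token with every later token in its
    window, encoding how many tokens were skipped between the two."""
    features = []
    for i, head in enumerate(tokens):
        for k in range(1, window):
            if i + k >= len(tokens):
                break
            features.append(f"{head} <{k - 1}> {tokens[i + k]}")
    return features


class OsbBayes:
    """Naive Bayes over OSB features, counting document frequency per class."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.counts = {"spam": Counter(), "ham": Counter()}

    def learn(self, text, label):
        self.docs[label] += 1
        self.counts[label].update(set(osb_features(tokenize(text))))

    def spam_probability(self, text):
        # Log-odds with add-one smoothing; a feature seen equally often in both
        # classes contributes nothing, so only the skewed pairs move the score.
        log_odds = math.log(self.docs["spam"] + 1) - math.log(self.docs["ham"] + 1)
        for feature in set(osb_features(tokenize(text))):
            p_spam = (self.counts["spam"][feature] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][feature] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training data for the example; a real deployment learns from
# its own classified mail.
SPAM_SAMPLES = [
    "cheap pills online buy now cheap pills",
    "buy cheap pills online today",
    "online pharmacy cheap pills fast shipping",
]
HAM_SAMPLES = [
    "the quarterly report meeting moves to tuesday",
    "please review the attached report before the meeting",
    "meeting notes and report draft attached",
]


def trained_classifier():
    clf = OsbBayes()
    for text in SPAM_SAMPLES:
        clf.learn(text, "spam")
    for text in HAM_SAMPLES:
        clf.learn(text, "ham")
    return clf


if __name__ == "__main__":
    clf = trained_classifier()
    for msg in ("cheap pills online now", "meeting notes and report draft"):
        print(f"{clf.spam_probability(msg):.3f}  {msg}")
```

The point of the skip-distance in each feature is visible in the scoring loop: "cheap <0> pills" and "cheap <1> pills" are different features, so the classifier learns word groupings rather than isolated words, which is what lets it weight clustered trigger words more heavily than scattered ones.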
One of the other core modules implements the fuzzy hash-checking filter. This filter uses the Shingles algorithm (which chops up the text into chunks and searches for matches) to detect phrases that are similar to, but not exact matches for, suspected spam content. Rspamd provides separate fuzzy storage workers to save the hashes calculated on incoming message contents to a local database. That allows the fuzzy-checking module to learn based on a mail server's particular message traffic. Storing the hashes rather than plain text, of course, has privacy benefits.
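To make the shingling step concrete, here is an added Python example (not Rspamd's code) of a fuzzy store that keeps only hashed word shingles of classified messages and matches new text by the fraction of shingles it shares. The three-word shingle length, the truncated SHA-256 hash, the 50% match threshold and the sample messages are all assumptions for the example; Rspamd's real fuzzy storage uses its own hashing and parameters.

```python
import hashlib
import re

SHINGLE_LEN = 3   # assumption: three-word shingles; the article gives no exact parameters


def shingle_hashes(text, n=SHINGLE_LEN):
    """Chop the text into overlapping n-word shingles and keep only a hash of each.
    Storing the hash set instead of the text is where the privacy benefit comes from."""
    tokens = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(tokens[i:i + n]).encode()).hexdigest()[:16]
        for i in range(len(tokens) - n + 1)
    }


def jaccard(a, b):
    """Fraction of shingles shared by two hash sets."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class FuzzyStore:
    """Stand-in for a fuzzy-storage worker: remembers hash sets of classified
    messages and reports the closest match above a similarity threshold."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold   # assumption: half the shingles shared counts as a match
        self.entries = []            # list of (label, hash set)

    def add(self, text, label):
        self.entries.append((label, shingle_hashes(text)))

    def lookup(self, text):
        """Return (similarity, label) of the best match, or (similarity, None) below threshold."""
        hashes = shingle_hashes(text)
        best_score, best_label = 0.0, None
        for label, known in self.entries:
            score = jaccard(hashes, known)
            if score > best_score:
                best_score, best_label = score, label
        if best_score < self.threshold:
            return best_score, None
        return best_score, best_label


# Constructed sample messages for the example.
KNOWN_SPAM = "You have won a free cruise! Call now to claim your prize."
VARIANT = "You have won a free cruise! Call today to claim your prize."
UNRELATED = "The quarterly report meeting moves to Tuesday."


def demo():
    store = FuzzyStore()
    store.add(KNOWN_SPAM, "spam")
    return {name: store.lookup(text)
            for name, text in (("variant", VARIANT), ("unrelated", UNRELATED))}


if __name__ == "__main__":
    for name, (score, label) in demo().items():
        print(f"{name}: similarity={score:.2f} label={label}")
```

Changing one word in a twelve-word message alters three of its ten shingles, so the variant still shares 7 of 13 distinct shingles with the stored spam and is flagged, while the unrelated message shares none.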
All the filtering features in the world mean nothing if the system cannot be used in the real world, however. On the deployment front, Rspamd offers an SMTP proxy mode that can be used as an intermediary between any Mail Transfer Agent (MTA) and Mail User Agent (MUA)—although most users will probably prefer to take advantage of the direct MTA integration features. Currently, Rspamd supports integration with Exim, Postfix, Sendmail, and Haraka.
Postfix and Sendmail integration relies on Stakhov's rmilter mail filter. Haraka includes an Rspamd plugin, while Exim integration requires patching the Exim source in several places.
One other distinction between Rspamd and SpamAssassin is that Rspamd includes a web-based administration interface. It allows the user to monitor the status of worker processes, see statistics about the incoming mail traffic, and adjust several of the configuration knobs for calculating filter scores and triggering the resultant actions. There are several competing web interfaces for SpamAssassin, although they are developed by third parties.
Rspamd has certainly not supplanted SpamAssassin for many system administrators, although the project's documentation and release notes frequently mention that it is in use in real-world, high-volume deployments. In 2013, Stakhov told the SpamAssassin mailing list that he had originally written Rspamd for a single client, and has been in the process of growing the project since.
Whatever its origins, one does increasingly see it mentioned in discussions and blog posts about spam filtering—particularly for running a personal mail server, which bodes well for the long-term future. Smaller deployments are often less risky, but they are frequently how a new project gains a foothold with administrators. The project is also a 2015 Google Summer of Code mentoring organization. Between those factors and the rapid pace of development over the past year or two, Rspamd appears to be a healthy project on firm footing—one that mail server administrators might be wise to keep an eye on.
Brief items
Security quotes of the week
New vulnerabilities
cacti: two vulnerabilities
| Package(s): | cacti | CVE #(s): | CVE-2015-2665 CVE-2015-4454 |
| Created: | June 25, 2015 | Updated: | July 1, 2015 |
| Description: | From the Red Hat bugzilla entries: CVE-2015-2665: Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2015-4454: SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. |
| Alerts: | |
chicken: out-of-bounds read
| Package(s): | chicken | CVE #(s): | CVE-2015-4556 |
| Created: | June 30, 2015 | Updated: | July 1, 2015 |
| Description: | From the Red Hat bugzilla: It was discovered that the string-translate* procedure from the data-structures unit can scan beyond the input string's length up to the length of the source strings in the map that's passed to string-translate*. This issue was fixed in master 8a46020, and it will make its way into CHICKEN 4.10. |
| Alerts: | |
chromium-browser: code execution
| Package(s): | chromium-browser | CVE #(s): | CVE-2015-1266 CVE-2015-1267 CVE-2015-1268 CVE-2015-1269 |
| Created: | June 25, 2015 | Updated: | November 2, 2015 |
| Description: | From the Red Hat advisory: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromium. (CVE-2015-1266, CVE-2015-1267, CVE-2015-1268, CVE-2015-1269) |
| Alerts: | |
cups-x2go: multiple vulnerabilities
| Package(s): | cups-x2go | CVE #(s): | |
| Created: | July 1, 2015 | Updated: | July 13, 2015 |
| Description: | CUPS X2Go (3.0.1.3) fixes multiple vulnerabilities. See the CUPS X2Go (3.0.1.3) release announcement for details. |
| Alerts: | |
elfutils: unspecified vulnerabilities
| Package(s): | elfutils | CVE #(s): | |
| Created: | July 1, 2015 | Updated: | July 1, 2015 |
| Description: | Alexander Cherepanov reported several crashes as the result of running a set of fuzzing tests against binutils. Some of these crashes might conceivably be exploitable via a crafted ELF binary file. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2015-4692 |
| Created: | June 29, 2015 | Updated: | July 1, 2015 |
| Description: | From the Red Hat bugzilla: Linux kernel built for the x86 architecture, with the KVM virtualisation support (CONFIG_KVM), is vulnerable to a NULL pointer dereference flaw. It could occur while doing KVM's Virtual CPU ioctl(2) call, in Linux kernel's kvm_apic_has_events() function. An unprivileged user able to access the "/dev/kvm" device could use this flaw to crash the system kernel, resulting in DoS. |
| Alerts: | |
libcrypto++: information disclosure
| Package(s): | libcrypto++ | CVE #(s): | CVE-2015-2141 |
| Created: | June 29, 2015 | Updated: | August 24, 2015 |
| Description: | From the Debian advisory: Evgeny Sidorov discovered that libcrypto++, a general purpose C++ cryptographic library, did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key. |
| Alerts: | |
librack-ruby: denial of service
| Package(s): | librack-ruby | CVE #(s): | CVE-2015-3225 |
| Created: | June 26, 2015 | Updated: | December 22, 2015 |
| Description: | From the Debian advisory: There is a potential denial of service vulnerability in Rack, a modular Ruby webserver interface. Carefully crafted requests can cause a `SystemStackError` and cause a denial of service attack by exploiting the lack of a sensible depth check when doing parameter normalization. |
| Alerts: | |
libwmf: denial of service
| Package(s): | libwmf | CVE #(s): | CVE-2015-4695 CVE-2015-4696 |
| Created: | June 29, 2015 | Updated: | October 5, 2015 |
| Description: | From the Debian LTS advisory: libwmf is vulnerable to two denial-of-service issues due to invalid read operations when processing specially crafted WMF files. CVE-2015-4695: Heap buffer overread in libwmf. CVE-2015-4696: Read after free() in wmf2gd/wmf2eps. |
| Alerts: | |
pam: denial of service
| Package(s): | pam | CVE #(s): | CVE-2015-3238 |
| Created: | July 1, 2015 | Updated: | July 6, 2015 |
| Description: | From the Red Hat bugzilla: From the original report: "When supplying a password of 65536 characters or more, the process will block on the write(2) call at modules/pam_unix/support.c:614 because it tries to write strlen(passwd)+1 bytes to a blocking pipe and a pipe has a limited capacity of 65536 bytes on Linux." |
| Alerts: | |
php-htmLawed: multiple vulnerabilities
| Package(s): | php-htmLawed | CVE #(s): | |
| Created: | June 30, 2015 | Updated: | July 1, 2015 |
| Description: | From the Fedora advisory: Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML4) standard 'allowfullscreen' attribute of 'iframe.' |
| Alerts: | |
python-jwt: token verification bypass
| Package(s): | python-jwt | CVE #(s): | |
| Created: | June 30, 2015 | Updated: | July 1, 2015 |
| Description: | From the Red Hat bugzilla: If the secretKey was expected to be a RSA public key, but the attacker changed the header to indicate a signature algorithm of HMAC, the RSA public key would be used as the signing secret. |
| Alerts: | |
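The failure mode in the python-jwt entry above, the algorithm being chosen from the token header rather than from the server's own key, is easiest to rule out by binding the algorithm to the key. The following Python verifier is an added example, not code from python-jwt or from its fix: the key object carries the only algorithm it may be used with, and a token whose header names anything else is rejected before any signature check runs. Only HS256 is implemented here, since Python's standard library has no RSA; the RS256 case is the same comparison with an RSA key object whose `alg` is "RS256". The secret, claims and `HmacKey`/`verify` names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


class VerificationError(Exception):
    pass


@dataclass(frozen=True)
class HmacKey:
    """A verification key bound to exactly one algorithm (assumed design for the example)."""
    secret: bytes
    alg: str = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble header.payload.signature; shared by the signer and by negative tests."""
    return ".".join((
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(signature),
    ))


def sign_hs256(claims: dict, key: HmacKey) -> str:
    header = {"alg": key.alg, "typ": "JWT"}
    signing_input = encode_token(header, claims, b"").rsplit(".", 1)[0]
    mac = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return encode_token(header, claims, mac)


def verify(token: str, key: HmacKey) -> dict:
    """Verify `token` with `key`. The algorithm comes from the key; the header
    merely has to agree with it, so rewriting the header's alg cannot change
    which check runs or what the key is used for."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:   # wrong segment count, bad base64, bad JSON
        raise VerificationError(f"malformed token: {exc}") from None
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != key.alg:
        raise VerificationError(f"token alg {alg!r} does not match key alg {key.alg!r}")
    expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise VerificationError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = HmacKey(b"constructed-example-secret")   # constructed secret for the demo
    token = sign_hs256({"sub": "alice"}, key)
    print("verified claims:", verify(token, key))
```

The order of the checks is the point: the algorithm comparison happens before any cryptographic operation, and the key's own `alg` decides what that operation is, so a key configured for RS256 never ends up feeding its public bytes into an HMAC.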
roundcubemail: two vulnerabilities
| Package(s): | roundcubemail | CVE #(s): | CVE-2015-2180 CVE-2015-2181 |
| Created: | June 29, 2015 | Updated: | May 2, 2016 |
| Description: | From the openSUSE advisory: roundcubemail was updated to version 1.0.6 to fix many minor bugs and two security issues. The security-related fixes in particular are: The second openSUSE advisory notes that both CVEs pertain to the first issue. |
| Alerts: | |
rubygem-activesupport: two vulnerabilities
| Package(s): | rubygem-activesupport | CVE #(s): | CVE-2015-3226 CVE-2015-3227 |
| Created: | July 1, 2015 | Updated: | February 1, 2016 |
| Description: | From the Red Hat bugzilla: CVE-2015-3226: There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails. When a `Hash` containing user-controlled data is encoded as JSON (either through `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate escaping that matches the guarantee implied by the `escape_html_entities_in_json` option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks. CVE-2015-3227: A possible denial of service attack in the XML processing in Active Support has been reported. Specially crafted XML documents can cause applications to raise a `SystemStackError` and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted. |
| Alerts: | |
rubygem-jquery-rails: CSRF vulnerability
| Package(s): | rubygem-jquery-rails | CVE #(s): | CVE-2015-1840 |
| Created: | June 30, 2015 | Updated: | July 20, 2015 |
| Description: | From the Red Hat bugzilla: There's a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows attackers to send CSRF tokens to attacker domains. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain. |
| Alerts: | |
rubygem-web-console: code execution
| Package(s): | rubygem-web-console | CVE #(s): | CVE-2015-3224 |
| Created: | June 30, 2015 | Updated: | July 1, 2015 |
| Description: | From the Red Hat bugzilla: There is a remote code execution vulnerability in Web Console. Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved. |
| Alerts: | |
unattended-upgrades: authentication bypass
| Package(s): | unattended-upgrades | CVE #(s): | CVE-2015-1330 |
| Created: | June 30, 2015 | Updated: | July 2, 2015 |
| Description: | From the Debian advisory: It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration. |
| Alerts: | |
Page editor: Jake Edge