Re: [LI] root access from old sendmail boxes

[Suresh Ramasubramanian <r.suresh@xxxxxxxxxxxxxxx>]

[long post, tending towards a rant]

> On the contrary, I think this is something which is best brought out
> on this [os a similar] list. Precisely for the reason that the bug is

Precisely why I posted this.  I've posted earlier saying

1. Open relays are invitations for spammers and can get you blacklisted
2. Open relays have several other security risks

.... etc etc.

> in the open.. warnings are OK but some of us are more curious than the
> rest.

What prompted this post was examining the headers of a few posts in LI.  
A significant percent of LI members (including some otherwise really clued
people) use insecure sendmail [1] or other insecure MTAs.

(anything below 8.9.3 is insecure to some degree or the other).

If you say 8.8.8 is adequate and secure - the root shell hack I described
has been patched there.  BUT there's the buffer overflow attack (send a
HELO of > 1024 characters and see <g>) which hits all sendmails till 8.9.2

I'm sure even the latest 8.10.0 (like any other MTA) has it's share of
holes. Hell, even QMail has a few holes :)  These are, usually patched at
once.  I've seen lots of folk here raving about kewl new kernel patches
and abtruse c code, but this sort of basic thing stays as is :(

[No, I am ~not~ a programmer, and I wouldn't know C if it bit me on my
rear end, why do you ask? <g>]

Result of my earlier post - a rather well known member of LI decided to
upgrade his sendmail :)  Thanks yaar - that's one less relay for a spammer
to abuse.

[btw - any Linuxers, esp. those connected with NICNET / ERNET in Chennai -
please help tn.tn.nic.in upgrade it's sendmail, it's been abused and is
currently in the MAPS RBL blacklist.  Mail me offlist re this)

> And personally, I have nothing to gain by a more popular Linux, it is

I ~want~ it - because -

More Popular Linux => More Incentive for S/W makers to port to Linux <g>

> should be told as a reason why the people should not choose the
> particular type of lock, like sendmail. And NOT LINUX.

Errr..... I ~never~ said you should not choose sendmail.  With all respect
to those who say "sendmail is fundamentally insecure, $MTA - qmail,
postfix, whatever is the only choice" - the latest version of all $MTAs
are secure, the older versions are insecure, which is why an update had to
be released :)

If mail delivery was the only thing an MTA did, we could stick with
sendmail 5.x without problems (IIM-B still does, even after Wipro
"upgraded" their lab, by installing outlook instead of having students
telnet to the ancient unix server).

However, there ~are~ security risks, which is why these upgrades and
patches are released.  If you run a mailserver then keep upgrading your
MTA.  [Not, as a thoughtful soul commented on ILUG-HYD, if you run
sendmail on your desktop linux box, and relay thru your ISP <g>]

> I guess we should give _some_ benefit of doubt to people. Not all are
> dumb.

Correction.  Not dumb, but unaware.  Generalities like "security hole" are
generally ignored as something that "cannot happen to me".  Post something
specific, like a (rather old, well known and fixed) hack and watch the
scramble to upgrade ;)

-- 
Suresh Ramasubramanian     | President, CAUCE India
r.suresh@xxxxxxxxxxxxxxx   | suresh@xxxxxxxxxxxxxxx
http://www.india.cauce.org | Stopping Spam In India
--
Our informal mission is to improve the love life of operators worldwide.
		-- Peter Behrendt, president of Exabyte

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.