Spamassassin, spamd, FreeBSD and “autolearn: unavailable”

I recently built a mail server using FreeBSD 8.2 and compiled spamassassin from the current ports collection, to run globally. spamd looked okay and it was adding headers, but after a while I noticed the Bayesian filtering didn’t seem to be working in spite of it having had enough samples through.

A closer look at the added headers showed “autolearn: no”, or “autolearn: unavailable” but never “autolearn: ham/spam”.

What was going on? RTFM and you’ll see spamassassin 3.0 and onwards has added three new autolearn return codes: disabled, failed and unavailable. The first two are pretty self-explanatory: either you’d set bayes_auto_learn 0 in the config file or there was some kind of error thrown up by the script. But I was getting the last one:

unavailable: autolearning not completed for any reason not covered above. It could be the message was already learned.

I knew perfectly well that the messages hadn’t already been learned, so was left with “any reason not covered by the above”. Unfortunately “the above” seemed to cover all bases already. There wasn’t any clue in /var/maillog or anywhere else likely.

I don’t much care for perl scripts, especially those that don’t work, so after an unpleasant rummage I discovered the problem. Simply put, it couldn’t access its database due to file permissions.

The files you need to sort are at /root/.spamassassin/bayes_* – only root will be able to write to them, not spamd – so a chmod is in order.


A better solution is to move the Bayesian database out of /root – /var would probably be more appropriate. You can achieve this by adding something like this to /etc/spamd.cf (which should link to /usr/local/etc/mail/spamassassin/local.cf):

bayes_path /var/spamassassin/bayes/bayes
bayes_file_mode 0666
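The permission problem described above is easy to check for before touching chmod or chown. The following script is an added example (not from the original post) that reports which Bayes database files a given user, the one spamd runs as, cannot write. The bayes_path prefix and the user name are arguments; "spamd" is the FreeBSD port's default user but that name is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: report which Bayes DB files the
# spamd user cannot write, the condition behind "autolearn: unavailable".
# Assumptions: bayes_path prefix and spamd user name are given as arguments.

# check_bayes_perms PREFIX USER
# Examines every file matching PREFIX* (bayes_toks, bayes_seen, ...).
# Prints one line per file; returns 0 if USER can write all of them,
# 1 if at least one is not writable, 2 on a usage problem.
check_bayes_perms() {
    prefix=$1
    user=$2
    rc=0

    # Groups USER belongs to, needed for the group-write test.
    groups=$(id -Gn "$user" 2>/dev/null) || {
        echo "no such user: $user" >&2
        return 2
    }

    for f in "$prefix"*; do
        # An unmatched glob stays literal, so -e fails when nothing is there.
        if [ ! -e "$f" ]; then
            echo "no files match $prefix*" >&2
            return 2
        fi

        # Mode, owner and group from ls(1); this sidesteps the stat(1)
        # option differences between FreeBSD and GNU coreutils.
        set -- $(ls -ld "$f")
        mode=$1 owner=$3 group=$4
        writable=no

        if [ "$user" = root ]; then
            writable=yes
        fi
        # Owner write bit is character 3 of the mode string.
        case $mode in
            ??w*) if [ "$owner" = "$user" ]; then writable=yes; fi ;;
        esac
        # Group write bit is character 6.
        case $mode in
            ?????w*) for g in $groups; do
                         if [ "$g" = "$group" ]; then writable=yes; fi
                     done ;;
        esac
        # Other write bit is character 9.
        case $mode in
            ????????w*) writable=yes ;;
        esac

        echo "$f $mode $owner:$group writable_by_$user=$writable"
        if [ "$writable" != yes ]; then rc=1; fi
    done

    if [ "$rc" -ne 0 ]; then
        echo "fix: chown $user $prefix* or move the DB with bayes_path and set bayes_file_mode" >&2
    fi
    return "$rc"
}

# Usage: check_bayes_perms /var/spamassassin/bayes/bayes spamd
```

Run it as root against the bayes_path you configured; a non-zero exit means spamd will silently report "unavailable" rather than learning. Moving the database under /var and setting bayes_file_mode, as above, is what makes the check pass.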

I suspect that the lower-security Linux implementation avoids these problems by setting group-write-access as default, but FreeBSD, being a server OS, doesn’t. It’s also a bug in the error handling for the milter – it should clearly report as a “failed” and write something to the log file to tell you why.

You should be able to restart spamd after the edit with /usr/local/sbin/spamdreload, but to be on the safe side I use the following after shutting down Sendmail first.

/usr/local/etc/rc.d/spamass-milter restart
/usr/local/etc/rc.d/sa-spamd restart

I don’t know if Sendmail can cope well with having spamass-milter unavailable, but why take the risk?


Phone hacking gets serious

A committee of MPs are currently grilling the management of News International trying to find someone to blame for the ‘phone “hacking” scandal. It has to be someone convenient; definitely not the people who are actually responsible. That’d lose them votes. This is because those ultimately responsible are the readers of the tabloid newspapers with their insatiable appetite for the personal details of anyone famous, or in the news.

Readers of the Daily Mirror and the Sun/News of the Screws are mostly to blame, together with the Daily Mail, Express and “celebrity” magazines. They’re creating the demand; the publishers are in business to satisfy a demand. This isn’t to say I approve of the business – the cult of celebrity is one of the most rotten things about modern society – but blaming those making a living by never underestimating the public’s bad taste is like condemning a lion for eating an antelope. The tabloids are profitable; proper newspapers are a money pit.

But the politicians don’t want to blame the tabloid readers (aka most of the electorate), and neither does the news media want to blame their best customers. Instead they’re nervously jostling for position in a circular firing squad.

Politically, blaming the Murdoch Press is the best answer. Politicians would love to control the media, but in the west this is a tricky position to engineer. The fact that a sub-contracted investigator to one tabloid accessed the voice-mail of a missing person who subsequently turned out to have been murdered is a pretty flimsy pretext, but they appear to be making the most of it. Oh yes – they messed with a police investigation by deleting old messages. Hmm. My mobile ‘phone voicemail does this automatically – why blame the hack? Just convenient, and it makes it seem more shocking and no one is going to mention this obvious explanation as a possibility. This morning I heard Neil Kinnock suggesting the press needed regulating. Well it worked for Castro, Stalin and Kim Jung Il, his socialist role models?

Last weekend the News of the World was forced to close; a newspaper (in the broad sense of the word) was muzzled to cheers of delight. They were doing something illegal, and they had to go. Actually it was only made illegal in 2000 by Blair’s government (arguably it only came into force in 2002). Prior to this it was dodgy ground, but there was always a public interest defence. This is key. Journalists used to be able to snoop on whoever they chose as long as it was in the public interest. Each individual case had to be argued on its merits; it was safe. Now journalists face a very real risk of prosecution simply for looking into the dealings of corrupt politicians, organised criminals and dodgy police officers (especially). New Labour’s idea is that only the police and security services were allowed to do anything like this – i.e. the state should have a monopoly on snooping. This is the same model used by the Gestapo, the KGB, the OVRA and the Stasi. It’s used in various countries in the modern world; there was no free press to hold the secret police and politicians to account.

Does this mean Blair and New Labour deserve to be lumped in with the dictatorial heads of police states? Probably not – they produced a large amount of stupid legislation in a hurry and I could well believe this was simple incompetence. However, it’s notable that politicians now are hardly lining up to condemn these totalitarian laws. Why would they? One of the major beneficiaries has been the politicians themselves, who like to have a protected “private life” outside the glare of publicity.

As a final note, watch for the Mirror – they were the subject of more complaints about illegal intercepts (by a long way) than The Sun, Screws or anyone else on Fleet Street (or Wapping). So far they’re being protected. If you think this is a conspiracy theory, check the complaints for yourself on the Ofcom web site. Don’t expect the news media to report it – not in their interests!

Infosec Europe 2011 – worrying trend

Every Infosec (the Information Security show in London) seems to have a theme. It’s not planned, it just happens. Last year it was encrypted USB sticks; in 2009 it was firewalls. 2011 was the year of standards.

As usual there were plenty of security related companies touting for business. Most of them claimed to do everything from penetration testing to anti-virus. But the trend seemed to be related to security standards instead of the usual technological silver bullets. Some of the companies were touting their own standards, others offering courses so you could get a piece of paper to comply with a standard, and yet others provided people (with aforementioned paper) to tick boxes for you to prove that you met the standard.

This is bad news. Security has nothing to do with standards; proving security has nothing to do with ticking boxes. Security is moving towards an industry reminiscent of Total Quality Assurance in the 1990s.

One thing I heard a lot was “There is a shortage of 20,000 people in IT security” and the response appears to be to dumb-down enough such that you can put someone on a training course to qualify them as a box-ticker. The people hiring “professionals” such as this won’t care – they’ll have a set of ticked boxes and a certificate that proves that any security breach was “not their fault” as they met the relevant standard.

Let’s hope the industry returns to actual security in 2012 – I might even find merit in the technological fixes.

Google Phishing Tackle

In the old days you really needed to be a bit technology-savvy to implement a good phishing scam. You needed a way of sending out emails, a web site for them to link back to that wouldn’t be blacklisted and couldn’t be traced, plus the ability to create an HTML form to capture and record the results.

[Image: bank phishing scam form created using Google Apps. Caption: Creating a phishing scam form with Google Apps is so easy]

These inconvenient barriers to entry have been swept away by Google Apps.

A few days back I received a phishing scam email pointing to a form hosted by Google. Within a couple of minutes of its arrival an abuse report was filed with the Google Apps team. You might expect them to deal with such matters, but this still hadn’t been actioned two days later.

If you want to have a go, the process is simple. Get a Gmail account, go to Google Docs and select “Create New…Form” on the left. You can set up a data capture form for anything you like in seconds, and call back later to see what people have entered.

Such a service is simply dangerous, and Google doesn’t appear to be taking this at all seriously. Given their “natural language technology” it shouldn’t be hard for them to spot anything looking like a phishing form, so I decided to see how easy it was and tried something blatant. This is the result:

No problem! Last time I checked the form was still there, although I haven’t asked strangers to fill it in.

Christmas Hackers 2010

The 2010/2011 cybercrime season has been one of the most prolific I remember. There have been the usual script-kiddie attacks, wasting bandwidth. These largely consist of morons trying to guess passwords using an automated script, and they’re doomed to failure because no serious UNIX administrator would have left guessable passwords on proper accounts. And besides which they’re guessing system account names you only find on Windows or Linux.

What seems to be a bigger feature this year is compromised “web developer” software written in PHP. This is set up by designers, not systems people, and they really don’t understand security – hence they’re a soft target.

This year it appears that phpMyAdmin has been hit hard. This seems to be a vulnerability caused by poor installation (leaving the configuration pages up after use) and using a weak version of the code that was actually fixed a year ago. When I looked I found several copies of the old version, still active, and dating from the time when the web designer had initially commissioned the site.

The criminals appear to be using a mechanism that’s slightly different from the original exploit documentation, but is fairly obvious to any programmer looking at the setup.php script. It allows arbitrary uploads to any directory that Apache has write access to.

The nature of the attacks has also been interesting. I’ve seen scripts dropping .htaccess files into all likely directories, redirecting accesses elsewhere using the mod_rewrite mechanism. This appears to be intended as a simple DoS attack by overloading target servers (homelandsecurity.gov and fbi.gov being favourite targets).

That this is the work of script kiddies there is no doubt. They’ve left botnet scripts written in perl and python all over the place on honeypot machines. Needless to say this makes them really easy to decode and trace, and you can probably guess which part of the world they seem to be controlled from.

My advice to users of phpMyAdmin (a web based front end for administering MySQL) is to learn how to use SQL properly from the command line. If you can’t do that (or your hosting company won’t let you, which is a problem with low-cost web hosts), at least secure it properly. Upgrade to the latest version, keep it upgraded and remove it from the server when not in use. If you don’t want to remove it, at least drop a .htaccess file in the directory to disable it, or make it password protected.
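The two things the post above says to look for on a shared host, forgotten phpMyAdmin copies with their setup pages still in place and dropped .htaccess files that redirect traffic elsewhere, can both be found with a read-only scan of the document root. The script below is an added example, not code from the original post. It assumes (not from the post) that a phpMyAdmin copy can be recognised by its libraries/Config.class.php file setting PMA_VERSION, as the 3.x releases did, that a copy still carrying a setup/ directory counts as "configuration pages left up", and that an injected .htaccess is one whose RewriteRule target is an absolute http(s) URL.

```shell
#!/bin/sh
# Added example, not from the original post: two read-only checks over a web
# document root. Assumptions: phpMyAdmin copies carry libraries/Config.class.php
# with a PMA_VERSION setting; a leftover setup/ directory means the config
# pages are still exposed; injected .htaccess files rewrite to absolute URLs.

# find_pma_setups DOCROOT
# Prints "DIR VERSION setup=present|absent" for each phpMyAdmin copy found.
find_pma_setups() {
    find "$1" -path '*/libraries/Config.class.php' 2>/dev/null | while read -r cfg; do
        dir=${cfg%/libraries/Config.class.php}
        # Version as written in the file, e.g. $this->set('PMA_VERSION', '3.3.9');
        ver=$(sed -n "s/.*PMA_VERSION', *'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
        if [ -d "$dir/setup" ]; then state=present; else state=absent; fi
        echo "$dir ${ver:-unknown} setup=$state"
    done
}

# find_rewrite_redirects DOCROOT
# Prints "FILE TARGET" for every .htaccess RewriteRule whose substitution
# target is an absolute URL, the shape of the dropped files described above.
find_rewrite_redirects() {
    find "$1" -name .htaccess 2>/dev/null | while read -r f; do
        # Field 3 of a RewriteRule line is the substitution target.
        awk -v file="$f" '$1 == "RewriteRule" && $3 ~ /^https?:\/\// { print file, $3 }' "$f"
    done
}

# Usage:
#   find_pma_setups /usr/local/www | grep 'setup=present'
#   find_rewrite_redirects /usr/local/www
```

Any copy reported with setup=present, or with a version older than the one currently shipped, is the stale install the post describes; any .htaccess listed by the second function that you did not write yourself is worth reading in full before deciding whether the host has already been compromised.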

chkrootkit finds bindshell infected on port 465

The current version of chkrootkit will throw up a warning that bindshell is INFECTED on port 465 in some circumstances when this is nothing to worry about. What it’s actually doing (in case you can’t read shell scripts, and why should you when there’s a perfectly good ‘C’ compiler available) is running netstat and filtering the output looking for ports that shouldn’t be in use. Port 465 is SMTP over SSL, and in my opinion should very definitely be used, but it is normally disabled by default.

As to whether this should worry you depends on whether you’re using secure SMTP, probably with sendmail. If you set up the server you should know this. If someone else set it up and you’re not too familiar with sendmail, the tell-tale line in the .mc file is DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl. Note the ‘s’ on the end of smtp.

Assuming you are using SMTPS, you can easily stop chkrootkit from printing an error (or returning an error code) simply by modifying the bindshell() subroutine to remove 465 from the list of ports to check. It’s on line 269 in the current version, 0.49, of the script.
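Rather than editing chkrootkit's port list, the same test can be done against an explicit allow list of which daemon is supposed to own which port, so that 465 is accepted when sendmail holds it and flagged when anything else does. The script below is an added example, not from the original post or from chkrootkit. It reads sockstat(1)-style listener output (FreeBSD's "sockstat -4 -l"); the column layout assumed is USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS, and the sample embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: chkrootkit's bindshell idea done
# with an allow list of port=command pairs instead of a fixed list of ports.
# Assumption: input is "sockstat -4 -l" output with the column layout
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Constructed sample of sockstat output, not captured from a real machine.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   812   4  tcp4   *:25                  *:*
root     sendmail   812   5  tcp4   *:465                 *:*
root     sshd       640   3  tcp4   *:22                  *:*
nobody   perl       9031  3  tcp4   *:31337               *:*'

# audit_listeners EXPECTED [FILE]
# EXPECTED is a space-separated list of port=command pairs. Every tcp
# listener in FILE (default: stdin) is printed as
#   "ok PORT COMMAND"          when the port is expected and the command matches,
#   "unexpected PORT COMMAND"  otherwise.
# Returns 0 if nothing unexpected was found, 1 otherwise.
audit_listeners() {
    expected=$1
    awk -v expected="$expected" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
            bad = 0
        }
        # Skip the header; only look at tcp listeners.
        NR > 1 && $5 ~ /^tcp/ {
            port = $6
            sub(/.*:/, "", port)      # "*:465" -> "465"
            if ((port in want) && want[port] == $2) {
                print "ok", port, $2
            } else {
                print "unexpected", port, $2
                bad = 1
            }
        }
        END { exit bad }
    ' "${2:--}"
}

# Usage on a live host:
#   sockstat -4 -l | audit_listeners "22=sshd 25=sendmail 465=sendmail"
# Against the constructed sample:
#   printf "%s\n" "$SAMPLE_SOCKSTAT" | audit_listeners "22=sshd 25=sendmail 465=sendmail"
```

On the sample this prints "ok" for ports 22, 25 and 465 and "unexpected 31337 perl", returning 1; a sendmail-owned 465 is accepted, which is exactly the case chkrootkit's fixed list gets wrong.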

I’m not so convinced that chkrootkit is any substitute for an experienced operator, but it’s out there, people use it and it’s better than nothing.

FBI hacks every VPN on the planet

Can VPNs be trusted?

I got wind of an interesting rumour yesterday, passed to me by a fairly trustworthy source. I don’t normally comment on rumours until I’ve had a chance to check the facts for myself, but this looks like it’s going to spread.

Basically, the FBI paid certain developers working on the OpenBSD IPsec stack and asked for back-doors or key leaking mechanisms to be added. This occurred in 2000/2001. Allegedly.

The code in question is open source and is likely to have been incorporated in various forms in a lot of systems, including VPN and secure networking infrastructure.

Whilst I have names of the developers in question and the development company concerned, it wouldn’t be fair to mention them publicly, at least until such code is found. If you’re using the IPsec stack in anything, you might want to take a good look at the code, just in case.

However, if the code has been there for nearly ten years in open source software, how come no one has noticed it before?

Error 0x8002007 installing Security Essentials

Good one this! If you’re trying to install Microsoft Security Essentials and it crashes out with Error 0x8002007, clicking on the Help link doesn’t really help.

If you read the technet blurb it relates to the Windows Update service not working, and if you believe this you’re going to waste a lot of time trying to repair it. I did. But the solution was really simple.

If you’re using Windows XP the Microsoft site will give you the Vista/Windows 7 version by default! Hunt around for the Windows XP 32-bit version, download that and it’ll probably work. Just don’t click the “Download Now” button because it doesn’t check which one you need – or give you the choice.

Some genius programmers at Microsoft didn’t bother to check the Windows version as soon as the installer starts to run. I wonder why not.

The one you get by default is:

mssefullinstall-x86fre-en-us-vista-win7

The one you probably want is:

mssefullinstall-x86fre-en-us-xp

Google is innocent (ish)

So Google’s streetview cars have been driving around harvesting people’s email passwords have they? Well this is probably true. Let’s sue/fine/regulate them!

Actually, let’s not. They haven’t done anything wrong. What Google’s surveying vehicles did was record the wireless Ethernet radio activity as they went along, to get an idea of where the WIFI hotspots are. This is a really useful thing for someone to have done – there’s no other way to find out what’s really where than by doing a ground-level survey.

In order to determine what kind of service they’re receiving you need to record a bit of the traffic for analysis. If it’s a private service, this traffic will be encrypted so it really doesn’t matter a jot – they’d be mostly recording gibberish. If it’s an open, public service they’d get the clear text of whatever happened to be transmitted at the time if the lusers weren’t using application-layer encryption. If some technological dunderhead decides to do a radio broadcast of his unencrypted passwords, Google (and anyone else in the vicinity) will end up receiving that too.

Look at it another way – if someone wrote their password on a big sign and stuck it in the front of their house, anyone walking down the road couldn’t help but capture it. Are the pedestrians doing something wrong, or is the owner of the house an idiot?

It’s no good the idiots bleating on about Google. That won’t give them brains. It might, however, give them some of Google’s money and this could be the real motive.

The Information Commissioner, Christopher Graham, has come up with some surprising statements about Google. But on review, they’re only surprising to someone understanding the technical issues here. Does this mean Graham is a technological klutz? It’s one theory – at times it seems like everyone the government appoints to deal with technology requires this as a qualification. However I think it’s far more likely a case of bowing to media/political pressure on the subject and wishing to be seen to be doing something about it.

Then, last Friday, Google signed an undertaking with the Information Commissioner’s Office to train their staff that they mustn’t do naughty things (just in case they were ever tempted). In return for this the ICO promises to leave them alone. Read it for yourself – it’s only three pages long.

http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/google_inc_undertaking.ashx

What’s sad about the whole affair is that the ICO is, first and foremost, a political/media driven entity even if there are some level heads at work behind the scenes. But what a waste of time and money…

Oliver Drage makes mockery out of RIPA

Oliver Drage, suspected trader in child pornography, has just been sent down for refusing to disclose the password he’d used to encrypt his PC. This is an offence under RIPA (the Regulation of Investigatory Powers Act 2000). So if you’ve got something dodgy on your computer, you’ll get locked up whether or not the cops can decrypt it (or you’ve lost the password).

A spokesman for Lancashire police was pleased: “Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.”

Really. Drage is going to gaol for sixteen weeks (read “two months”). How long would he have been locked up for if he’d given them the password so they could decrypt whatever it’s alleged he was hiding? Five years? Ten years? Lock up and throw away the key?

This is not what I call “taking it seriously”.

The penalties under RIPA for not disclosing passwords are far lower than the likely sentence assuming someone’s been up to anything of interest to the authorities in this way. They don’t take it seriously at all.