Fake Received: used by spammers – new tactic

Actually, this isn’t a new tactic at all. There was a lot of this going on in the 1990s and early 2000s, but I haven’t seen such widespread use of fake Received headers for a while now. As mail is no longer relayed, what’s the point? And yet, it’s coming again. Take this recent example:

Received: from host101-187-static.229-95-b.business.telecomitalia.it (host101-187-static.229-95-b.business.telecomitalia.it [95.229.187.101])
by real-mail-server.example.com (8.14.4/8.14.4) with ESMTP id t8NAOpJS007947;
Wed, 23 Sep 2015 11:24:57 +0100 (BST)
(envelope-from name-up-name@a-genuine-domain.com)
Received: from remacdmzma03.rbs.com (mail09.rbs.com [155.136.80.33]) by mail.example.com (Postfix) with ESMTP id B849451943 for made-up-name@example.com; Wed, 23 Sep 2015 11:22:43 GMT)
Message-ID: <XZ95O517.6281609@rbs.co.uk>
Date: Wed, 23 Sep 2015 11:22:43 GMT
Thread-Topic: Emailing: bankfl.emt
Thread-Index: made-up-name@example.com
From: "RBS" <secure.message@rbs.co.uk>
To: made-up-name@example.com
MIME-Version: 1.0
To: made-up-name@example.com
Subject: Bankline ROI - Password Re-activation Form
Content-Type: multipart/mixed;
boundary="----------------_=_NextPart_001_01CF5EDB.A2094B20"
This is a multi-part message in MIME format.
------------------_=_NextPart_001_01CF5EDB.A2094B20
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.

… etc …

Obviously the above has been re-written to use example.com, and the made-up-name was something random. The rest of the header is as it was. They’re obviously trying to convince you that your mail servers have already seen this  this message, so it must be okay. This is such a dumb trick – does any spam filter bother to even look at earlier headers? Are they hoping that Bayesian analysis will score the incorrectly guessed mail server as particularly hammy?

But what’s doing this, and why? Is there a new spambot in town, or is there a new spam filter that’s susceptible to such a dumb trick?

As it stands, this was sent from a blacklisted IP address and the SPF fails for RBS anyway, and the English it was written by a virtual English illiterate. For what it’s worth, the payload was malware in a ZIP.

 

Tomorrow, Apple will break iZettle ApplePay readers with iOS update

I just heard from iZettle about a rather unfortunate feature of the iOS 9.0 upgrade that Apple will be dumping on its fanbois tomorrow: it doesn’t work. No, I mean it really doesn’t work. There’s a bug that stops it pairing with some Bluetooth devices, including iZettle card readers.

If you’re the kind who has to have the latest iPhone or fondleslab then you’re going to have it set to auto-update. Bad luck. Will you take a cheque?

Always download software updates. HM Government says.

image

I saw a poster on the tube. A cartoon cat held a smartphone showing a message “Your whole life is in here. Is it secure?” With a software update button below it. Interesting, I thought. Was someone selling protection from rogue software updates? As everyone knows, these have a habit of ruining your day. No. It was part of a government campaign. To back up your data, especially before updating software perhaps? No!
It was actually encouraging lusers to the install updated software over the Internet as often as possible. So you can now blame HMG for what Windows 10 has done to your PC or Apple does to your iPhone next week.
Don’t laugh, it’s your taxes paying the bill.

People are very wrong about Jeremy Corbyn

Jeremy Corbyn Global Justice NowI was speaking to a Conservative party activist of my acquaintance a couple of weeks ago. He was rubbing his hands with the thought of Jeremy Corbyn being the new front-runner to lead the Labour party. Listening to the comment on Sky News this morning, it’s now being considered a foregone conclusion, with supporters of the other three candidates putting on a brave face and deflecting questions along the lines of “Will Labour ever be electable with Corbyn in charge”?

Early on in the campaign, Tony Blair put the problem rather well – if the public had rejected Ed Milliband’s Labour party because it was too left-wing, why would they prefer an even more left-wing party lead by Corbyn?

They’re all missing the point (no surprise where Blair is concerned). Given the right circumstances the British Public will definitely vote for a left-wing nut job with a deluded grasp of economics and a track record of courting publicity using international untouchables. London voted for Ken Livingstone. Twice. In spite of the consequences. Not because they approved of his policies (or even understood them), but because he was likeable, and because he was the person most likely to annoy the incumbent government in Westminster at the time.

Jeremy Corbyn has a very good chance of winning the Labour Leadership for the same reasons as Livingstone managed to cling on to power. Whilst I disagree with his economics, foreign policy and most of the other stuff he espouses, I get the feeling he’s a nice guy personally – I’d prefer to spend my time with him than any of his New Labour opponents.

Will this be enough to carry him to the job of Prime Minister in 2020? Flying in the face of the rest of the world, it seems, I have to say its possible. This is not a good thing. It might be fun, but the matter is too serious.

Labour’s enemies stuffing ballots with £3 votes should be very careful what they wish for.

GMail can’t send to sendmail

Gmail Fail

What’s happening with Google? Their Internet engineering used to be spot on. They’re generally a bunch of clever guys, and they follow standards and their stuff just works. Or did. Lately their halo has been getting a bit tarnished, and problems with GMail are a good case in point.

It all started quietly around a month ago on the 6th August. About a week later, people started complaining that users sending mail to them from GMail were getting bounce messages. It looks like Google had rolled out a broken software update, but they’re keeping a low profile on the subject.

After a great deal of investigation it appeared that their new MTA was attempting to make a STARTTLS connection when delivering mail on port 25. STARTTLS is a mechanism that allows encryption on a standard unencrypted channel. Basically, the sender tries a STARTTLS command and if the receiver supports it, returns a reply of “okay” and the remainder of the connection is encrypted using TLS. unfortunately Google’s implementation, which had been working for years, is now broken. The GMail lusers got a bounce back a week later that said it couldn’t negotiate a STARTTLS connection. No further explanation has been forthcoming. STARTTLS should work, and if it doesn’t GMail should try again without using it, but doesn’t.

On the servers I’ve examined there is no problem with STARTTLS. Other MTAs are continuing to use it. All certificate diagnostics pass. Presumably Google has changed the specification as to what kind of TLS/SSL its going to work with, as, presumably, it’s not happy working with all types. Not all servers have this problem. But Google isn’t telling anyone what they’ve done, at least not so far. Working out what’s wrong with their new specification using trial and error takes a while, and I have yet to find a combination that works. And besides, it’s not Google’s place to tell recipients what kind of encryption they should be using, especially when the default state is unencrypted.

Google does offer a troubleshooter but it doesn’t cover this eventuality. There is an option to report other problems, but to date I’ve had no response.

So what’s the solution? The only method I’ve found that works is to disable STARTTLS on Port 25. This means that Google can’t try and fail, and go in to sulk mode. And here’s the bit you’ve probably been waiting for: how to do it.

Assuming you have an access DB configured for sendmail, (the norm) you need to add an extra line somewhere and makemap it:


srv_features: S

On FreeBSD this file is /etc/mail/access and you can make it active using make run from the /etc/mail directory. But you probably knew that.

The srv_features stuff basically tells sendmail which services to advertise as being available. STARTTLS is option ‘S’, with a lower-case letter meaning “advertise it”, and an upper-case meaning “don’t advertise it”. This over-rides defaults, and all we want to do here is stop advertising STARTTLS. If it’s not advertised, Google doesn’t try using it (at least for now).

You might want to read this sendmail documentation for more information in the normal Sendmail easy-to-understand(!) format. If that doesn’t do it for you, look at section 5.1.4.15 of the manual, available in PDF here.

Now Google may defend this state of affairs by saying that they’re implementing something odd with STARTTLS for “security reasons”. There may even be some justification in this. If I knew what they’d changed I might be able to comment on that, but I can’t. However, even if this was the case, they’d be wrong in principle. Since the dawn of Internet email we’ve had RFCs telling us how things should work. You can’t just change the way you do things and expect everyone else to change to suit you, however large you are. And it’s possible that what Google has done is RFC compliant, even if it is bonkers. There are unspecified aspects in RFCs, and some grey areas. However, anyone who’s been around for long enough will know that Sendmail is the de-facto MTA. If you have an argument about the interpretation of an RFC, you can settle it by asking the question “Does it work with sendmail?” If it doesn’t, it’s your problem.

And while we’re at it, it’s really good of Google to stop anyone reading your email while it’s in transit (could they be thinking of the NSA here?) After all, you don’t want email sent through GMail to be readable by anyone until they’re delivered, do you? The only snag is that they are still being read and analysed, by Google. Of course. Email is never secure unless you have end-to-end encryption, and by definition, you can’t get this with a webmail service.

Static IP addresses for network printers

I had a call a couple of days ago from a company planning to sell some networked printers to a user site I oversee. The first I heard about it was a form from the supplier asking a few questions about the network; questions that suggested they expect to find a Microsoft small office plug and play kind of LAN. Time to get on the blower.

The question that worried me most was their demand for a static IP address, subnet mask and so on. Not happening; everything is on DHCP and managed centrally, for good reason. Kit like printers needs to auto-configure to the correct subnet depending on where it’s plugged in, and users will expect it to work. So why is anyone thinking of hard configuring the IP address at the printer?

The simple answer is that it’s the easy way, and in the bad old days, it was the norm. It may even be necessary on a network controlled by a crude domestic router with a DHCP server that can be configured to either be “on” or “off”. If you’re using from a Windows PC you need to set up a virtual printer port, and to do this you must supply the IP address of the physical printer, so just set a static one and plug this in when the driver configurations asks for it. Simple. If you’re Fred in a Shed, with two PCs and one shared printer.

If you’re playing with the big boys, you’re creating a world of pain by hard configuring printers, as you have to manually reconfigure each printer and EVERY PC in the company when you move it around on the LAN.

So what should you be doing instead? If your company (and/or its budget) is large enough you can get a point+click print server to manage the whole lot. I’ve found these a bit vendor-specific, and only really do it if you have a Wizard that understands all your printers and the LAN. Otherwise you’re going to have to get your hands dirty anyway. So for a SME, with a savvie IT guy, there are two simple approaches that achieve the results you need without the fuss: NetBIOS and DNS. Leave the network printers stand-alone, as nature intended.

The easy option with Windows PCs is to use the NetBIOS name. Most fancy printers have one, and it’s usually programmable if you dig around in the menus. It can sometimes be hard to recognise as it defaults to something akin to gibberish. You also have to enable NetBIOS on the printer if necessary, although in my experience most enable every protocol they know about by default. Once done, just use the NetBIOS name instead of he IP address in the virtual printer driver and you’re away – nothing more to do. The down side is that not everything understands NetBIOS/SMB/CFIS, although most UNIX systems can resolve them using SAMBA if necessary. And to be honest, Microsoft’s self-configuring peer-to-peer networking has always been a bit hit and miss. (Luser: “I can’t see xxxx!”)

A more complete solution is to use DNS. This obviously means you’re going to need a local DNS server, and also a proper DHCP server. If you want to get clever, have the DHCP server update the DNS with the host name associated with the IP addresses it’s just given out. This works in theory, but good luck in practice. However, there’s an easier way that is almost as good.

All you need to do is configure the DHCP server to issue fixed IP addresses when it gets a request from the MAC addresses of each of your printers. On GUI based DHCP servers this is often called “Bind IP to MAC” or similar. On dhcpd you just need a specific entry in the config file, such as:

host bigprinter1 {
hardware ethernet 11:22:33:44:55:66;
fixed-address 192.168.1.123;
}

Okay, this is giving it a fixed address, but all the fixed addresses are found in one file, along with the other network configuration stuff, and you don’t need to trail around to each printer (or even visit the site) to change it. And besides, this is never referenced in the printer or any of the workstations; they use a symbolic name.

To achieve this you need to add an A record for the printer at this address in your DNS zone file. e.g.:

bigprinter1 A 192.168.1.123

You don’t even need to use on-site DNS if you have a reliable Internet connection (or your domestic router has a caching DNS relay). Just go to the easy peasy web configuration thingy for your outside-hosted domain and add it. The fact that its a local, non-routing IP address won’t matter – people outside the building just won’t get what they’re expecting if they try to use it, but they shouldn’t be doing this anyway.

As a final point, it’s safer to make sure the NetBIOS name and the DNS hostname match, but its not essential.

Whichever method you use for the name lookup, just plug the NetBIOS name or DNS hostname in to the printer driver instead of a fixed IP address and you’ll never have to physically mess with the printer again – wherever the users choose to plug it in.

Problems receiving mail from GMail – STARTTLS is a bad idea

Gmail Fail

Note: You may wish to read this follow-up article, which contains a solution.

A couple of weeks ago, users started complaining that people using GMAIL (and possibly iCloud) were having their emails bounced back to them from my servers. This is odd – most complaints on the Internet are from users of dodgy hosting companies having their mail rejected by GMail as likely spam. But I haven’t blacklisted Google, and all other mail is working, so they must have been mistaken.

But as soon as I could, I tried it for myself. And sure enough, a bounce came back. The relevent bit is:

Technical details of temporary failure:
TLS Negotiation failed: generic::failed_precondition:
               starttls error (0): protocol error

On fishing around in Sendmail logs, I found evidence that this has been going on all over the place:

sm-mta[84848]: STARTTLS=server, error: accept failed=-1, SSL_error=1, 
               errno=0, retry=-1, relay=mail-qg0-f50.google.com [209.85.192.50]
sm-mta[84848]: STARTTLS=server: 84848:error:1408A0C1:SSL
               routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure
               /lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1073:
sm-mta[84848]: t7QJXCPI084848: mail-qg0-f50.google.com [209.85.192.50] did
               not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Oh my! The STARTTLS stuff isn’t working because there’s no shared cypher! Hang on a minute, there isn’t supposed to be. Who told Google they could use STARTTLS on port 25. It’d be neat if it worked, but it’s not configured – at least not with a certificate from a public CA. It actually works just fine if you are cool with self-signed (private) certificates. So what is Google playing at?

In the wake of Edward Snowden, people have started worrying about this kind of thing, so companies like Google are trying to be seen doing something about it, and encrypting mail might seem like a good idea. Unfortunately STARTTLS is a bad idea. The rationale behind STARTTLS was to add encryption to a previously unencrypted port’s traffic. If the sender issued a STARTTLS as part of the protocol it could switch in to TLS mode if it knew how; otherwise it would just work as normal. The IETF was very keen on this in the late 1990’s as an easy fix, citing all sorts of iffy reasons, generally to do with having two ports; one standard and one encrypted. They thought it would be confusing, requiring different URLs and not allow for opportunistic automatic encryption of the kind Google seems to be attempting.

As far as I’m concerned, this is rubbish. Having clearly defined encrypted and unencrypted ports means you know where you are. It either is or it isn’t. If you say something must be encrypted, turn off the unencrypted port. STARTTLS allows a fall-back to plain text if you specify the clear text port; and if you have a man-in-the-middle you’ll never know that the STARTTLS was stripped from the negotiations. It opens up a vulnerability that need not be there, all for the sake of saving a port. And time is on my side in this argument. Since 1999 the implementation of encrypted ports has really taken off, with https, smtps (in spite of 465 being rescinded), imaps – you name it – all servers and clients support it and you know where you are.

So what’s this sudden clamouring for the insecure STARTTLS? Naivety on the part of the large internet companies, or a plot to make people think their email traffic is now safe from snoopers when its not?

I’ve reported this problem and I await an answer from Google, but my best guess is that they’re speculatively using STARTTLS, and then barfing and throwing their toys from the pram when it doesn’t work because the verify can’t be done. Having thought about it, I’m okay with the idea of trying STARTTLS as long as you don’t mind about the CA used for the certificate; and if you can’t negotiate a TLS link, go back to plain text. In many ways it’d be better to use the well known port 465 for TLS, and if it can’t be opened, go to plain text on 25. Except there’s no guarantee that port 465 is on the same server as port 25, and it’s normally configured to require SASL authentication. As everyone knows, apart from Google it seems, assumption is the mother of all foul-ups.

Encryption is a good idea, but making assumptions about Port 25 being anything other that straight SMTP is asking for trouble.

 

Docker on FreeBSD

Docker is available on FreeBSD. Yeah! Er. Hang on a minute – what’s the point.

People are talking about Docker a lot in the Linux world. It’s a system that allows a configured piece of software, together with all its ancillaries, to be in its own closed environment on any machine you choose. It’s not a VM – no emulation required. Well not much. It’s much more efficient that running multiple kernels on a hypervisor (as VirtualBox or VMWare).

But isn’t this one of the things Jails are for? Well, yes. It’s a kind of poor-man’s jail system for the poor deprived Linux users. Solaris and FreeBSD have been doing this kind of things for years with kernel support (i.e. out-of-the box and lot more efficiently).

So why should anyone be interested that FreeBSD also has Docker? Well, one of the things the Docker community has together is preconfigured applications you can just download and run. Given what a PITA it can be getting something running on a Linux box, which lacks a UNIX-like base system you can rely on, this does make sense. And running these pre-configured server applications on FreeBSD may be of interest, especially if you lack the in-house expertise to set them up yourself. But it won’t be all plain sailing. You need FreeBSD 11 (not yet released) to do it, together with the 64-bit Linux emulation library.

This does kind-of make sense. Stuff that’s currently Linux-only may be easier to deal with – I’m thinking Oracle here.

Spam from WH Smith?

Whoever next? We’ve intercepted a load of spam sent by French company EmailVision on behalf of WH Smith to honeypot addresses – i.e. definitely not opt-in and definitely not legal in the UK. EmailVision is getting quite a reputation for this kind of thing, with PayDay loan spam and suchlike. W H Smith – I’m surprised at you! Or perhaps I’m not.

Windows 10 – just say no

I’ve had a lot of people ask me about Windows 10. Here’s the simple answer: No thanks.

Apparently it’s a bit faster than Windows 7 on the same hardware, although I’m not convinced people who say this have tested it scientifically. In other words, it may have been faster as a clean install compared with a crufty old Windows 7 installation, and in theory it could have been written to be fundamentally faster, but actually writing code that’s more efficient that previous versions isn’t really Microsoft’s style. Although the new web browser (Edge) is promising. But will it still be faster when it fully functional (i.e. supports HTML5 and suchlike properly).

That’s the good bit. Everything else is bad compared to Windows 7. Compared to Windows 8, yes, it’s better. That’s from a user’s perspective. From my perspective, it’s a big “no thanks” to the added spyware, telling Redmond exactly what you’re up to all the time and the enforced software updates, that I have an nasty suspicion are going to end up mandatory even on the business (Pro) version. Basically I don’t see what Microsoft has done to restore any trust I once had in them.

If you’ve got Windows 7, stick with it. If you’re on Windows 8 it’s swings and roundabouts but you might want to take a serious look at a Linux instead.

Unfortunately, because this is Microsoft, there’s a good chance that we’ll all be forced to use Windows 10 whether we like it or not. They had the sense to keep Windows 7 for serious users when they rebelled against Windows 8; I somehow see them fighting hard to force the issue when it comes to Windows 10.