Sunday, March 30, 2014

Setting up email

Where The Spam Comes From

  Recently I read a piece from eSet (makers of NOD32).  They claimed that there were 10,000 hacked Linux machines sending out spam and malware.  Could this be the hackers I originally dubbed PeskySpammer and renamed PerniciousMalware that put in 500+ spam per day in one of my email boxes plus occasional malware I asked myself?  No, it cannot be that because you can see yourself that the majority of the IPv4 addresses used are in DSL and cable IP blocks.  You don't believe me?  Here you go:

Public PeskySpammer folder
Originating IPs
Left 0 Pad Filled Originating IPs

  Just look them up in whois.  I stopped keeping records of these about six months ago.  But if you ever wanted proof of what was sending the spam and malware all you had to do is seize the machines at the sending IP addresses.  On the machines which would be running Microsoft Windows you would find specially crafted SMTP engines that only send email.  How do they get around where it was sent from?  They pretend it was sent from some place else.  That is how I first got them.  They were pretending to send from ficititious users at my domain.  It took me over a year to get email admins to learn NOT to boomerang messages to me.  Evidently thinking has gone out of style. Whether the hackers realized that Yahoo and other domains have email set up wrong from a practical point of view but probably correctly from the old RFC is unknown.  It does argue that things need to change and immediately.  There will be more on that in a moment.

Are The Linux Machines Hacked?

  Probably.  But which would you want to send spam from?  A tiny number of Linux boxes (10,000 is tiny) which you can easily map out the IP addresses and take them out of the loop with blocks at major IMSPs (Internet Mail Service Providers)?  Or do you want a huge flotilla of Windows boxes where the machines sending spam come and go regularly in such a way that a preventitive measure based on the originating IP address is almost useless?  The infected Windows machine route will win hands down.  But lets probe the weaknesses of Linux.  The very first one for me is actually not security.  Because of that stupid X-Windows DB I am almost always staring at 640X480 at install time.  Gone are the days of hacking the X Config file and being on with my business.  But I work from Linux and it is a compromize.  Maybe OpenBSD would be a better choice.
   Linux systems have so much software that is hacked into place and the software changes so furiously that it is almost impossible to eradicate problems.  This is especially true for the servers.  But my two machines named GandalfTW and Sauron aren't servers and they eye each other suspiciouly.  They will allow a hello and are you there (ICMP ping) and that is about it.  I don't even let one do print server duty and instead rely on the JetDirect card in the old HP printer to handle things.  Getting that configured took a lot of work.  Yes, it has an old parallel printer interface.  But with this much complexity I have this nagging feeling I have too many holes in my systems.  Blowing down the protection of IPv4 with IPv6 (no NAT, no firewall) doesn't help.  But I do have two routers in place.
   But then I hear that there is an SSL bug in Macintosh, iPhone, and iPad.  I can remember Apple taking over six months to fix a simple problem several years back.  Did they really fix the iPhone in 2-7 days and Macintosh in less than two weeks?  Unbelieveable.  Then the boom was lowered.  Many versions of Linux also had an SSL security flaw.  At least some Linux distors do make use of OpenPGP signing to make the downloads trusted or not.  But is my kernel the real deal or did the NSA hack a SHA1 certificate and give me a modified kernel?  I am paranoid.  I am paranoid enough or too paranoid?
   But the coup-de-grace was when kernel.org was hacked and they sat there saying how super secure SHA1 was.  Pshaw.  I have malware with SHA1 and I know others do too where they hacked the SHA1.  Still, it is more likely that the certs were stolen as in this case:


But it is not Stuxnet!  The cert passed muster until the keys were revoked.  What am I saying?  There are ways around encryption.  But coming from SSL and hitting serious security stuff gives one the idea that SHA1 is powerful.  Not one serious AV company depends on SHA1.  They have shifted to SHA-256 years ago.  My OpenPGP keys have SHA-256 as the preferred Digest algorithm:

Cipher:  TwoFish, Camellia256, Camellia192, Camellia128, BlowFish, Cast5, 3DES.
Digest: SHA256, SHA512, SHA1, SHA384

I used to have 4096 paired RSA keys and SHA512.  It was fine with a dual core and quad core machine.  It was a little too much for older single core machines.  But I get 3DES whether I want it or not.  I don't want it.  Note that both BlowFish and Cast5 precede it and iPhone and Android systems can handle that.  SHA384 is non-standard so I have no choice but to bump SHA1 up in pecking priority.

But if a Linux system is truly hacked they can steal your keys unless you put in a symlink to a flash drive where your keys are really at and the hacker always hits it with your flash drive removed.  The key logger gets the pass-phrase.  But I doubt most Linux people ever police their shell startup files.  I do look at my shell startup files which have been altered considerably by me;  FREQUENTLY!  I told you I was paranoid.  But what do you expect of somebody that has now handled well over 12,000 Windows malware.

So is it too much to ask that  Linux people shift from SHA1 to SHA256?  I don't think so.  The less services you run the less vulnerable you are.  That is the way it has been forever.

Lest Windows People Snort

  Windows did not wait for IBM to add owner group and other things to the file system which is also used in the processes.  Back then it was called the HPFS and it became the NTFS.  But here is what would have happened if they had waited:


It isn't just limited to the file system.  Look at voodoo.txt.  If Target, Neiman Marcus, and others had used Linux instead of Windows in their POS terminals scraping would not have worked.  Try it!  The SourceBuffer is invariably out of your process's memory space.  The result?  A segnment violation.  No memory scraping here.  Where did all of those Siemens Nixdorf POS terminals go?  Why did they replace them with Windows?


How To Setup Email

   On to the main reason for this blog entry.  Because of the way that Yahoo (and other IMSPs) set up email I have over 500 spam per day in my mini honey-net.  I don't mind the malware except for those two days I got 500+ malware instead of spam each day.  But really, email should be set up like this as the first step in reducing spam:

1. There are only three email accounts that are extra but for anything other than those three email accounts, your email account, and any other created email accounts, anything sent to any other users than the ones enumerated should be tossed.  Bye, bye mini honey-net!

2. The other three extra users are abuse, postmaster, and webmaster.  Although it may seem nice to not put email for those into the master user's account in case of somebody hacking your computer what if your computer (as opposed to Yahoo's or other IWSP / IMSP) is compromized?

3. The number of domains for places like Yahoo are huge.  I would set it up with some sort of a self balancing binary tree for fast lookup.  For example, if you had a domain named qwerty.com with just master user named keyboard, here is what the users and email box (only one, keyboard@qwerty.com) would look like (email name then email box):

keyboard      keyboard@qwerty.com
abuse            keyboard@qwerty.com
postmaster   keyboard@qwerty.com
hostmaster   keyboard@qwerty.com

Only the emails for those four users at qwerty.com would be accepted and all of the messages for them would be put in the user keyboard@qwerty.com's email box.  Any emails sent to any other user at qwerty.com would be dropped like a hot scalding potato.  That means they would just be discarded.

Once that is done, all of my other comments apply.  But if Yahoo set it up this way I would get less than 2% of what I get now.  Their email servers would get a break.  The people that aren't involved in the spam and malware storm would finally see the odd behavior of their email vanish.  No?  Then look at my other points.  I am pretty sure qmail can do it.  It has the richest set of fillter options of any SMTP server.