Enterprise Unix Roundup — Anti-Spam Warriors Get New Weapon

by Michael Hall

Does Unix MTA mainstay sendmail carry enough weight to make DomainKeys a viable standard for catching domain-spoofing spammers? If WebDAV is part of your production environment, cadaver provides a way to get at those shares with command line comfort.

Main   Open Source Silly Season   In Other News    Security Roundup   Tips of the Trade

Yahoo! put a new arrow in the quivers of anti-spam admins everywhere this week when it submitted a draft of its proposed DomainKeys specification to the Internet Engineering Task Force (IETF).

DomainKeys offers a way to force spammers who forge domain names to expose themselves as rogues by forcing their mail servers to prove they are whom they claim to be. It does this by signing each piece of mail that leaves the server with a unique cryptographic key. DomainKeys will be largely transparent to end users; it simply pays attention to the "From" field in a mail message so slimy phishers can't scam end users out of their credit card numbers.

Unix MTA mainstay sendmail is also in its corner. While this granddaddy of MTAs loses a bit of ground each year, it is still considered a venerable market leader. Another egg in DomainKeys' basket is a project is already under way that will allow any MTA or MUA developer a chance to support DomainKeys.

There is a competitor of sorts to Yahoo!'s initiative: the Sender Policy Framework (SPF). SPF has the advantage of fitting neatly into the existing DNS framework and claims several thousand conformant hosts already. And, to add to its appeal, it isn't under the shadow of potential royalties or other patent-related snags. Further, processing SPF-authenticated mail is less computationally taxing. DomainKeys requires each message be signed, then authenticated on the receiving end. Some people maintain that a "processor tax" might be a good thing, if it makes mass mailing less computationally cheap. That, however, begs the question of why we should be penalizing legitimate bulk mailers (e.g., mailing lists, opt-in mailings, and newsletters) with a processor tax when they haven't done anything wrong.

The disadvantage of SPF is that it breaks forwarding unless another layer is added to it. Even then, admins in the field report problems with forwarding through multiple relays. Additionally, although concerns about patents and royalties are well-founded (and the cause of occasional and bloody campaigns in standards bodies), Yahoo! has agreed to play nice by granting a royalty-free, nonexclusive license to anyone who wants to implement DomainKeys.

So what do we do?

Right now, it doesn't matter because Yahoo!'s draft submittal is a first step in what will hopefully be a contentious and vigorous competition between these two approaches. There's no reason they can't be used in tandem as a way to erect a no-man's land against which even the most craftily concocted phishing scam or herbal viagra come-on will founder. In the meantime, we'll go back to our Bayesian filters, user education, and other anti-spam tricks, glad at least that a protocol crafted in more innocent times is finally getting the attention it needs to deal with a much more disagreeable 'net.

Open Source Silly Season

We can always tell it's a slow week when something SCO's done earns a thoughtful and appreciative nod (the company released a product ... that you can use ... to do things), and we get more than a paragraph or two into stuff from the advocacy press.

So what was silly this week?

Mainly a press release from Australia titled "Open Source Users Unaffected by Sasser Worm — The Internet Keeps Going Despite Flawed Proprietary Software."

"The 'Sasser' worm," crows the release, "is ... one in a long line that exploits well-documented vulnerabilities or design flaws within Windows and its apps. Other operating systems such as Linux, Unix, and Mac OS X do not experience this constant series of security problems."

Why don't they?

Well, the press release doesn't go into that, except to note that some of them are open source (except when, as with OS X, they aren't, exactly).

It is to laugh. Rather, it would be to laugh if it were not to cry. Part of our job at the Roundup is to look out for security updates in the Unix world, Linux included. Suffice to say, we see more than our share of bugs tagged "remote exploit," "privilege escalation," and "root vulnerability." You don't have to count many to realize that reductionism to "open source good, Windows bad" is a hopelessly blinkered way to look at the world. Linux advocates would do well to save the energy spent crowing for tending their systems.

We're well aware of our tendency to go on about the whole "don't get cocky just because Windows gets all the malware attention," but that's only because pride has a nasty habit of going before the fall. Much of the credibility open source developers have earned during the past few years could be easily undone by the wrong exploit at the wrong time.

>> To Other News
>> To Security Roundup
>> To Tips of the Trade

Main    Open Source Silly Season   In Other News   Security Roundup   Tips of the Trade

In Other News

» So what did SCO do that's so good? It released Vintela Authentication 2.2. The product replaces SCO Authentication 2.1 for Active Directory and centralizes secure authentication within Microsoft's Active Directory. The product is available for SCO OpenServer, HP-UX, Solaris (8 & 9), and Unixware.

» Oh! SCO was also named to the Software Development Times 100. SCO said it was proud to be recognized. SD Times said the nod went to SCO for inspiring "fear, uncertainty, and doubt" in the computer industry. Maybe next year it will be for selling stuff people can use. Baby steps.

» Novell is pushing its Linux offerings, hard. The company is offering NetWare users free copies of SUSE Linux Enterprise Server 8 and Novell Nterprise Linux Services 1.0 as a way to build familiarity and comfort with its upcoming Open Enterprise Server. The offer is limited to customers with active Novell upgrades or maintenance agreements and provides the same license terms as the customer's existing agreement.

» Continuing its efforts to show it's serious about Solaris x86, Sun announced a dozen new OEM partners that will provide the OS on systems ranging from embedded telecom gear to notebooks and supercomputers. According to Sun, it has doubled the hardware compatibility list for Solaris x86 in the past six months. Will it all make a difference? We've been watching Sun dither on the Solaris/Linux question for a few years now, so it seems fair to take a wait-and-see approach regarding its recently rekindled enthusiasm for its once-neglected product.

» If you want to get a handle on IBM's Unix offerings, there's no better place to start than the Hardware Today IBM Server Snapshot.

Security Roundup

  • Apple's OS X has a hole that could be used to run malicious code by causing users to visit a Web site that exploits a bug in the operating system's HTML-rendering component. Apple says it's addressing the bug, but some of the most useful information we've found on dealing with it was on an enthusiast site that shows how to patch the bug in the meantime. It also provides a link to a disturbing proof of concept page that launches a terminal and runs a shell command. (Remember our recent tip on how to embed shell scripts in AppleScript? This flaw puts the full power of the Unix command line in the hands of someone willing to write a malicious AppleScript and embed it in a Web page. It will run with just the privileges of the user executing it, but that might be quite enough to ruin your day.)
  • A bug in CVS is the focus of patches from several vendors: Slackware, Red Hat (1,2), OpenPKG, Mandrake, FreeBSD, SUSE, and Debian.
  • Another revision control tool, subversion, is also the subject of patches from OpenPKG and Red Hat (1, 2).

Tips of the Trade

If you have Web servers with a large community of designers working on them, there's a decent chance you've got WebDAV running on a few of them. WebDAV is a protocol that allows users to treat Web servers like remote filesystems. Support for it exists in OS X (where it can be used to mount network drive-like shares or upload iCal calendars for sharing with others) and Windows (where it's referred to as "Web Folders").

WebDAV is a useful way to bridge the gap between more common network filesystem protocols, like SMB/Samba or NFS, and less simple options like, FTP or SCP, because it's well-adapted to presenting an integrated tool for users (they just open folders on their desktop, same as they would for a local file). WebDAV is particularly well-suited for an enterprise that has a distributed work force or remote servers and doesn't want to go to the hassle of working out the challenges of network file systems over the wider Internet. WebDAV also works with SSL-enabled Web servers, making it a slightly more secure proposition in terms of data security.

Information on WebDAV is found at webdav.org, where there's also a page providing some information on implementing it in Apache. A ServerWatch tutorial about implementing WebDAV on Apache is also available.

If you have WebDAV in use and would to integrate it into your broader scripting environment, one tool to consider is cadaver. Cadaver is a command line program that handles a wide array of WebDAV operations, including copying, moving, and (important in development environments) locking files.

The best way to learn it is to by using it: Get a copy, install it, and run it. The basic command line syntax looks like this:

cadaver http://your.server.com/your/WebDAV

cadaver prompts for a user name and password, then plops the user into a largely FTP-like environment. Much of the help for cadaver is available by typing help. Just don't count on the man page or the traditional --help switch to do much good for cadaver.

You might be wondering how to script in a situation like the one cadaver provides. Well, that's why we told you about expect a few months ago.

>> To Main
>> To Open Source Silly Season

This article was originally published on Thursday May 20th 2004
Mobile Site | Full Site