Matthias Andree | 1 May 2004 01:31

Re: Howto force AUTH on a leafnode server

Xavier Maillard wrote on 2004-04-30:

> I am new at leafnode which is really cool.
> 
> I have a question, is there any possibility to allow users to
> authenticate against my NNTP server?

leafnode-2, which has not yet been officially released, supports a local
file in user:encryptedpassword format for authentication or PAM. PAM has
been reported not to work with system accounts (unix_chkpwd problems as
it seems) but anything that does not require root privileges to access
some file should be fine.

http://home.pages.de/~mandree/leafnode/beta/

Leafnode-1 cannot authenticate users; a possible solution to that
problem would be to install an SSL wrapper with strict certificate
validation and let the user authenticate with his certificate, or write
an authentication wrapper that refuses any command until authenticated.

-- 
Matthias Andree

Encrypted mail welcome: my GnuPG key ID is 0x052E7D95
Mark | 1 May 2004 13:42

filtering spam articles using the "from" field

There is a lot of spam lately that has names in the "from" field such as

jamiescot@...
deanmartin@...
peterreid@...

The name and address always change; however, the last part of the
address is always .shawcable.net.

Is there any way to create a leafnode filter that will reject all posts 
based on the .shawcable.net.

Example headers, (I have removed the subject lines so this email clears 
my smtp filters)

 From - Fri Apr 23 07:18:23 2004
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Path: pd7tw1no!pd7cy2so!shaw.ca!pd7tw2no.POSTED!53ab2750!not-for-mail
Message-ID: <wO8ic.235731$Ig.216728@...>
From: peterreid@...
Newsgroups: 
alt.os.linux.mandrake,alt.os.linux.slackware,alt.os.linux.storm,alt.os.linux.suse,alt.os.linux.turbolinux,alt.os.macos,alt.os.macos.fight-back-for-the-mac,alt.os.multics,alt.os.nachos
Date: Fri, 23 Apr 2004 13:24:44 GMT
Lines: 4
X-Trace-PostClient-IP: 24.87.150.136
NNTP-Posting-Host: 64.59.144.74
X-Complaints-To: abuse@...
X-Trace: pd7tw2no 1082726684 64.59.144.74 (Fri, 23 Apr 2004 07:24:44 MDT)
NNTP-Posting-Date: Fri, 23 Apr 2004 07:24:44 MDT

Ray Abbitt | 1 May 2004 16:58

Re: filtering spam articles using the "from" field

On Sat, 1 May 2004, Mark wrote:

> There is a lot of spam lately that has names in the "from" field such as
> 
> jamiescot@...
> deanmartin@...
> peterreid@...
> 
> Is there any way to create a leafnode filter that will reject all posts 
> based on the .shawcable.net.

It's actually fairly easy, but you may want to reconsider just a bit. 
I believe you will find that a lot of legitimate posts in your spool 
from users @xx.shawcable.net since shaw is one of the bigger cable
connectivity providers in Canada.
The following filter will work:

pattern = ^From:.*shawcable.net
action = kill

But from glancing at your example, you would probably gain a lot more
with less damage by rejecting articles that are excessively
crossposted. There is no legitimate reason that I can think of for
anything to be crossposted to all of those groups (in fact it looks
like troll sign rather than spam). Note that it is more effective to
use a filter that looks for excessive commas (,) in the Newsgroups:
header than it is to use the maxcrosspost directive.

For example:


Mark | 1 May 2004 18:03

Re: filtering spam articles using the "from" field

Ray Abbitt wrote:
> On Sat, 1 May 2004, Mark wrote:
> 
> 
>>There is a lot of spam lately that has names in the "from" field such as
>>
>>jamiescot@...
>>deanmartin@...
>>peterreid@...
>>
>>Is there any way to create a leafnode filter that will reject all posts 
>>based on the .shawcable.net.
> 
> 
> It's actually fairly easy, but you may want to reconsider just a bit. 
> I believe you will find that a lot of legitimate posts in your spool 
> from users @xx.shawcable.net since shaw is one of the bigger cable
> connectivity providers in Canada.

If you use Shaw as your cable ISP (as I do) the headers will show
Path: pd7tw1no!pd7cy1no!shaw.ca!pd7tw1no.POSTED!53ab2750!not-for-mail

Shawcable.net is not a legit posting host for email nor usenet. The 
"from" name is being munged to make it appear that the post is coming 
from a shawcable.net subscriber....that does not exist.
For instance, if I did not munge my "from" address it would be mark@...

Take a look here for the spam associated with shawcable.net
http://groups.google.ca/groups?q=shawcable.net&ie=UTF-8&oe=UTF-8&hl=en


Laurence | 1 May 2004 18:09

Re: filtering spam articles using the "from" field

Ray Abbitt wrote:
>
> It's actually fairly easy, but you may want to reconsider just a bit.
> I believe you will find that a lot of legitimate posts in your spool
> from users @xx.shawcable.net since shaw is one of the bigger cable
> connectivity providers in Canada.

I agree!  Maybe a filter or two on one of the 'Posting-Host' type headers
would be better.

> The following filter will work:
>
> pattern = ^From:.*shawcable.net
> action = kill

When did that change?  I thought the syntax for that was just a single line
in /etc/leafnode/filters:

^From:.*shawcable.net

(From http://leafnode.sourceforge.net/doc_en/applyfilter.8.html )

I knocked up a couple of small shell scripts to help with filters:

This one tests the effect of a possible filter before enabling it for real:

--- grepng ---
echo $*
for ff in `ls /var/spool/news/interesting.groups/` ;
 do echo $ff;

Mark | 1 May 2004 18:22

Re: filtering spam articles using the "from" field

Laurence wrote:
> Ray Abbitt wrote:
> 
>>It's actually fairly easy, but you may want to reconsider just a bit.
>>I believe you will find that a lot of legitimate posts in your spool
>>from users @xx.shawcable.net since shaw is one of the bigger cable
>>connectivity providers in Canada.
> 
> 
> I agree!  Maybe a filter or two on one of the 'Posting-Host' type headers
> would be better.
> 
> 
>>The following filter will work:
>>
>>pattern = ^From:.*shawcable.net
>>action = kill
> 
> 
> When did that change?  I thought the syntax for that was just a single line
> in /etc/leafnode/filters:
> 
> ^From:.*shawcable.net

You are correct...all my other filters follow this syntax

Mark
Ray Abbitt | 1 May 2004 19:52

Re: filtering spam articles using the "from" field

On Sat, 1 May 2004, Mark wrote:

> Laurence wrote:
> > Ray Abbitt wrote:
> > 
> >>pattern = ^From:.*shawcable.net
> >>action = kill
> > 
> > When did that change?  I thought the syntax for that was just a single line
> > in /etc/leafnode/filters:
> > 
> > ^From:.*shawcable.net
> 
> You are correct...all my other filters follow this syntax
> 
Is this by any chance a 1.x 2.x difference? I'm running Leafnode-2 
betas.

-ray

Mark | 1 May 2004 20:30

Re: filtering spam articles using the "from" field

Ray Abbitt wrote:

>>>>pattern = ^From:.*shawcable.net
>>>>action = kill
>>>
>>>When did that change?  I thought the syntax for that was just a single line
>>>in /etc/leafnode/filters:
>>>
>>>^From:.*shawcable.net
>>
>>You are correct...all my other filters follow this syntax
>>
> 
> Is this by any chance a 1.x 2.x difference? I'm running Leafnode-2 
> betas.
> 
> -ray

I am running leafnode-1.9.43
Time to update... as I see the newest version is 1.9.52

Mark

Matthias Andree | 1 May 2004 20:38

Re: filtering spam articles using the "from" field

Laurence wrote on 2004-05-01:

> Ray Abbitt wrote:
> >
> > It's actually fairly easy, but you may want to reconsider just a bit.
> > I believe you will find that a lot of legitimate posts in your spool
> > from users @xx.shawcable.net since shaw is one of the bigger cable
> > connectivity providers in Canada.
> 
> I agree!  Maybe a filter or two on one of the 'Posting-Host' type headers
> would be better.
> 
> > The following filter will work:
> >
> > pattern = ^From:.*shawcable.net
> > action = kill
> 
> When did that change?  I thought the syntax for that was just a single line

Between leafnode-1 (single-line PCRE) and leafnode-2.

>    do grep -q "$*" /var/spool/news/$ngname/$mm && grep Subject:

pcregrep ships with PCRE and is closer to what leafnode will use.

-- 
Matthias Andree

Encrypted mail welcome: my GnuPG key ID is 0x052E7D95
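
Added example (not part of any message in this thread, and not leafnode code): a dry run of candidate header filters over sample headers before enabling them, comparing the From pattern posted above with a tightened variant and a comma-counting crosspost filter. Python's `re` stands in for PCRE here; the tightened pattern, the six-group threshold, the unfolding step and all sample headers are assumptions of this example.

```python
import re

# Patterns under test. LOOSE is the one posted in the thread; TIGHT and
# CROSSPOST are this example's assumptions, not leafnode defaults.
LOOSE = r"^From:.*shawcable.net"
TIGHT = r"^From:.*[@.]shawcable\.net(?![\w.-])"   # literal dots, domain boundary
CROSSPOST = r"^Newsgroups:(?:[^,\n]*,){5,}"       # five commas = six or more groups

# Constructed sample headers; none come from a real article.
ARTICLES = {
    "forged-from": (
        "From: alice@xx.shawcable.net\n"
        "Newsgroups: example.a,example.b,example.c,\n"
        " example.d,example.e,example.f\n"
        "Subject: constructed\n"
    ),
    "lookalike-domain": (
        "From: bob@shawcable-net.example\n"
        "Newsgroups: example.a\n"
    ),
    "display-name": (
        'From: "shawcable.net fan" <dave@example.org>\n'
        "Newsgroups: example.a\n"
    ),
    "clean": (
        "From: carol@example.org\n"
        "Newsgroups: example.a,example.b\n"
    ),
}

def matching_filters(headers, patterns):
    """Return the patterns that match a header block, one header per line."""
    # Unfold continuation lines so a wrapped Newsgroups: header is counted
    # in full (a modelling choice of this example).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    return [p for p in patterns if re.search(p, unfolded, re.MULTILINE)]

def dry_run(articles, patterns):
    """Map each article name to the filters that would reject it."""
    return {name: matching_filters(h, patterns) for name, h in articles.items()}

if __name__ == "__main__":
    for name, hits in dry_run(ARTICLES, [LOOSE, TIGHT, CROSSPOST]).items():
        print(f"{name:18} {'KILL' if hits else 'keep':4} {hits}")
```

The loose pattern also rejects the look-alike domain and the display-name case, because its unescaped dot matches any character and nothing ties the match to the address's domain part.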

Matthias Andree | 1 May 2004 20:40

Re: filtering spam articles using the "from" field

Mark wrote on 2004-05-01:

> I am running leafnode-1.9.43
> Time to update... as I see the newest version is 1.9.52

Better avoid that version if you have servers that need authentication
and go for 1.9.53.rc5, http://home.pages.de/~mandree/leafnode/ - or wait
for the real 1.9.53, in a couple of days.

1.9.53 is due out soon, I'm awaiting feedback on a texpire patch.

-- 
Matthias Andree

Encrypted mail welcome: my GnuPG key ID is 0x052E7D95
