Last year Takis played defensively and not like Olympiacos, while this year Ernesto is playing with the engines switched off?
Do you remember what you were saying last year?
Due to a spam burst last night, I was forced to write a ruleset in the spirit of my previous post:
LOCAL_CONFIG
HFrom: $>BlockFrom
LOCAL_RULESETS
SBlockFrom
R$* "NEWS Sensation" $*	$#discard $: discard
R$*	$#OK
Again since this is going straight into your .mc file, it is not advised to use this method frequently. Nice five-liner to stop a spam burst, right?
No! As I was applying this filter I thought that although most people think that sendmail's most serious trouble is its bug / security track record, its most serious problem is that decision rules on routing and filtering messages come from all over the place: text files like mailertable, virtusertable, genericstable, relay-domains, access, the sendmail.cf rulesets themselves like the example above and, more importantly, the milters, their defaults and their configuration files (if any).
Say for example that you do not want email directed to abuse@ to be filtered at all. Depending on your rules and how they are written, you may have to upgrade your rulesets, edit access and probably write an exception for every single milter that you are applying. One exception might need to be declared in five different places. Talk about complication and management nightmare! That is why I like running MIMEDefang: It gives me a Perl interpreter and the ability to implement most of the functionality of any other milter I wish to apply. Have I reached that point of being able to run only one milter? No, but I have set this as a goal. MIMEDefang is not my only choice on this path; j-chkmail seems like a good alternative.
However, I am not the only one who manages our global filters, and I want to make it easier for the other admins to add their own global filters in my absence. Oh how much easier it could have been if the libmilter API offered as a return value a variant of SMFIS_ACCEPT that would instruct sendmail to accept the message with no more milters applied to it. Currently SMFIS_ACCEPT only makes the current milter accept the message, which is why, if you want to write a global whitelist exception, you may have to write it for all milters that are enabled.
Oh well, I think all I want and wish for is to minimize the number of files I have to edit in order to implement a certain policy (or have a tool that can read the policy from one place and edit n-files for me) and a change to the libmilter API (which I do not know whether it is trivial or not). Suggestions to switch to alternatives like Postfix, Qmail or even Exim are outside the scope of this rant. I prefer to take the “Sendmail Theory and Practice” route and write the whole .mc file by hand instead.
This is a variation of the bat book's subject header checking trick. Assuming that you want to block messages based on the content of the Subject: header of an incoming message, you can place the following rules into your .mc file:
LOCAL_CONFIG
HSubject: $>BlockSubject
The above basically instructs sendmail to call ruleset BlockSubject with the value of the subject. On with the ruleset now:
LOCAL_RULESETS
SBlockSubject
# The next rule is broken in two for readability!
R$* test - block this message $*
	$#error $: "553 message blocked due to Subject: " $&{currHeader}
R$* Your new password $*	$#discard $: discard
R$* Casinoo $*	$#discard $: discard
R$*	$#OK
(You may want to replace the $> operator with $>+. Read paragraph 25.5.1 of the fourth edition of the bat book for a discussion on the matter.)
The bat book prefers to put all the unacceptable subjects in an external database file (which is maintained much like aliases and virtusertable). I prefer keeping the list of the unacceptable subjects inside the .mc file for two reasons:
First, keeping them in a file outside the .mc makes the list grow faster. Editing the .mc to add yet another unacceptable subject makes one think whether to do so or not.
Second, although a subject that contains a certain phrase may be considered unacceptable, you might want to make an exception. For example, one may decide to block all the Your new password messages except the ISP name – Your new password message that your MIS sends to your users when they reset their password. This can easily be maintained in one place in the .mc file and is also self-documented modem noise code:
R$* ISP - Your new password $*	$#OK
R$* Your new password $*	$#discard $: discard
Remember, do not copy-paste sendmail.mc code. The LHS and the RHS are tab separated. Copy-pasting converts tabs to spaces and your ruleset will not work.
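A small pre-flight check for the pitfalls described above, as an added example that is not from the original post: it flags R lines that lost their tab, rules placed after a catch-all R$* that returns, and header checks that call an undefined ruleset. The sample .mc text is constructed and lint_mc is a hypothetical name.

```python
import re

# Constructed sample .mc fragment: line 6 has spaces where the tab should be,
# and line 8 sits after the catch-all rule, so it can never fire.
SAMPLE_MC = (
    "LOCAL_CONFIG\n"
    "HSubject: $>BlockSubject\n"
    "LOCAL_RULESETS\n"
    "SBlockSubject\n"
    "R$* ISP - Your new password $*\t$#OK\n"
    "R$* Your new password $*    $#discard $: discard\n"
    "R$*\t$#OK\n"
    "R$* Casinoo $*\t$#discard $: discard\n"
)

def lint_mc(text):
    """Return (line_number, message) findings; lint_mc is a hypothetical helper."""
    findings, called, defined = [], {}, set()
    in_rulesets = catch_all_seen = False
    for no, line in enumerate(text.splitlines(), 1):
        header = re.match(r"H[^:\s]+:\s*\$>\+?\s*(\S+)", line)
        if header:                       # HSubject: $>Name or $>+Name
            called.setdefault(header.group(1), no)
        elif line.strip() == "LOCAL_RULESETS":
            in_rulesets = True
        elif in_rulesets and line.startswith("S"):
            defined.add(line[1:].strip())
            catch_all_seen = False       # a new ruleset starts here
        elif in_rulesets and line.startswith("R"):
            if "\t" not in line:
                findings.append((no, "no tab between LHS and RHS"))
                continue
            lhs, rhs = (part.strip() for part in line[1:].split("\t", 1))
            if catch_all_seen:
                findings.append((no, "unreachable: follows a catch-all R$*"))
            # $* matches anything and a RHS starting with $# or $@ returns at once
            if lhs == "$*" and rhs.startswith(("$#", "$@")):
                catch_all_seen = True
    for name, no in called.items():
        if name not in defined:
            findings.append((no, "ruleset %s is called but never defined" % name))
    return findings

if __name__ == "__main__":
    for no, message in lint_mc(SAMPLE_MC):
        print("line %d: %s" % (no, message))
```

Run it against the .mc file before rebuilding sendmail.cf; an empty result means none of these three problems were found, not that the rules are correct.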
(or how fast hardware makes us lazy)
I read at Punk Rock Operations Research:
“Sometimes we rely on software too much and on good modeling too little. A IIE blog entry writes about blindly using software as a quick fix. When computing power wasn’t very powerful, making a tight, efficient formulation was necessary for finding optimal solutions.”
How true this is. Is the application running slowly?
– It is the server's fault. Let's get a new one so that it runs faster.
While in reality what is at fault is the application itself, which cannot make adequate use of the existing hardware and therefore not of the next one either. Adding hardware to the solution cannot be the first measure, mainly because it is a half-measure. It is the last card we can draw, when we cannot do anything better. I still remember a company's advice that we buy Zend so that the application they maintained would “go faster”, while at the same time our DBA was discovering that there was no index anywhere in the database!
– Theory? That is for the theorists. We here write software that works!
Really?
While reading “The Skein Hash Function Family”, I saw that Skein can be used as a PRNG. This reminded me of three things: First, of MIT AIM-36 “On the Effective Definition of Random Sequence”. Randomness can be so tricky.
Second, at the WNS2 workshop where George Riley presented his tutorial on NS-3, he mentioned that they were using L’Ecuyer’s MRG32k3a as their PRNG. MRG32k3a is described in “Good Parameter Sets for Combined Multiple Recursive Random Number Generators” and reference implementations are available. L’Ecuyer has also written an easy introduction to random numbers.
Third, and as a reminder to Panagiotis, this must be the weirdest book that a man can have in his library: A Million Random Digits with 100,000 Normal Deviates. I will order it some day.
Update: For true randomness visit random.org.
The manager of the year (normally) does not quit when things get tough. On the contrary, he stays and fights to pull through. It seems, though, that for some people success has the manager as its father and failure the world…
Not even in May, as he promised.
It has been 20 years since the Morris Worm hit the Internet. David Alan Grier writes:
“Even though Morris had violated the network community’s standards, he found a fair amount of sympathy among his peers. “I don’t know of too many who want to see this kid rot away for the next few decades in a jail,” commented one computer scientist. The researchers acknowledged Morris as one of their own, an individual who had demonstrated bad judgment and seemed to be aware of his error.”
and some lines below he observes:
“De Guzman found no sympathy from computer scientists, business students, or the computer industry. Even though he made a few statements about the freedom of the Internet, these ideas found no sympathetic ears in the US. Most network users were disappointed when de Guzman did not have to face prosecution on charges of disrupting the Internet.”
It only took ten years for the suits to take over the Internet and (with the help of spammers, virus writers and botnet herders) to change our mindset on people’s mistakes. Then again, Morris took down a research network, while De Guzman’s pet was released on a commercial platform…
Interesting restatement of Joy’s Law:
Open source is an answer to the question posed by Joy’s law that states that the number of smart employees in your organization is the log of the number of employees in your organization. Note that OSS is not the *only* answer to this question
[via Interesting-People]
cowboy system administration: n.
The practice of system administration as a one-man show, usually with no documentation at all. When practiced over a long period of time, it leads to symptoms like the martyr complex as it is described in “Time Management for System Administrators”.
The term occurred to me while discussing cowboy coding with some colleagues.
New Entry: cowboy consulting
It seems everyone made it in time. Is the next milestone November 17th or Christmas, I wonder?