DCN Sendmail Upgrade
Progress Report

On January 26, 1997 a new version of sendmail was installed on wheel.dcn.davis.ca.us. In addition to closing some well-known security holes, the new version allows for some additional validity checks on e-mail that it processes. Among these are:

Background

The previous version of sendmail had no way to validate the source or destination of the e-mail it processed, and would relay e-mail from anywhere to anywhere. Moreover, the e-mail header on messages sent from wheel automatically named wheel as the sending host if none was specified, so if someone in Timbuktu sent a message to the president with a return address of <DirtyWord>, it would appear to the president as having come from [email protected]. Since that previous version of sendmail made no effort to validate the sender or the sender's IP address, wheel became a tempting target for e-mail abusers who wanted to cover their tracks.

The problem became much worse in November, 1996, when that vulnerability was advertised: wheel was included in a list of such hosts posted in a mail-bombers' USENET newsgroup and on web pages, and was even included in the distribution of a popular mailbomb program called KABOOM. During November, December, and January, wheel processed hundreds and sometimes thousands of bogus e-mail messages per day.

You can get an idea of what we're up against by taking a look at

http://main.succeed.net/~bbuster/hacking/email/
a rather blatant promotion for mail bombs.

DCN received several complaints about the e-mail bombs, and avoided litigation only because we were able to demonstrate that the messages did not originate within DCN and that we would make every effort to track down the culprits and close the security hole. In several cases, with the help of the postmasters and system managers of the sites from which the messages originated, we were able to track down the miscreants; several subscribers to commercial ISPs and several high-school and college students lost their accounts.

Results

Since the installation of the new sendmail, the e-mail bombs have stopped, or at least they no longer pass through wheel (see the examples below). There was some anticipated inconvenience for DCN users who do not use the DCN modem pool but dial into other ISPs for their Internet access and still want to use wheel as their SMTP server. In nearly every case we were able to accommodate these DCN'ers, either by adding their site to the list of "approved e-mail relays" or by reconfiguring their e-mail client software to use the SMTP server provided by their ISP.

To give you an idea of the scope of the problem and the effectiveness of the solution, here are four excerpts from the e-mail logs on wheel, showing all the traffic that was neither to nor from a DCN-related site.

Before:
January 21, 1997
January 25, 1997
After:
January 29, 1997
February 2, 1997
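As an added example (not part of the original report, and not DCN's actual sendmail configuration), the Python below models the two checks the report describes: the relay decision the upgraded sendmail makes for each recipient, and the "neither to nor from a DCN-related site" filter used to pick out third-party traffic from the logs. The domain dcn.davis.ca.us is from the report; the address blocks, the log lines, and the rule that the envelope sender is not consulted are assumptions for illustration. That last point is the one a practitioner should take away: the sender address is precisely what the abusers forged, so the relay decision has to rest on the recipient and on the connecting client's address, never on the claimed sender.

```python
# Added example (not DCN's sendmail configuration): the relay decision the
# upgraded wheel is described as making, and the filter used to pick out
# third-party traffic in its logs.  The local domain is taken from the
# report; the address blocks and the log lines below are constructed.
import ipaddress
import re
from collections import defaultdict

LOCAL_DOMAINS = ("dcn.davis.ca.us",)                        # from the report
LOCAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]          # assumed: DCN modem pool
APPROVED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed: "approved e-mail relays"


def domain_of(address):
    """Domain part of an envelope address; '' for the null sender '<>'."""
    return address.strip("<>").lower().rpartition("@")[2]


def is_local_address(address):
    """True if the address is in a DCN domain or any subdomain of one."""
    dom = domain_of(address)
    return any(dom == d or dom.endswith("." + d) for d in LOCAL_DOMAINS)


def ip_in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def relay_allowed(client_ip, sender, recipient):
    """Accept or refuse one RCPT TO, given the connecting client's IP.

    Inbound mail for a local user is always accepted; outbound relaying is
    permitted only from the modem pool or an approved relay site.  The
    envelope sender is deliberately not consulted: it is whatever the client
    claims, which is exactly what the mail bombers forged.
    """
    if is_local_address(recipient):
        return True
    if ip_in(client_ip, LOCAL_NETS) or ip_in(client_ip, APPROVED_RELAYS):
        return True
    return False


# sendmail 8.x syslog lines: one 'from=' record and one 'to=' record per
# recipient, joined by the queue ID.  Constructed sample, not wheel's logs.
SAMPLE_LOG = """\
Jan 21 03:14:07 wheel sendmail[1201]: DAA01201: from=<angry@example.net>, size=512, class=0, pri=30512, nrcpts=1, msgid=<1@example.net>, proto=SMTP, relay=mail.example.net [203.0.113.7]
Jan 21 03:14:08 wheel sendmail[1203]: DAA01201: to=<victim@example.org>, delay=00:00:01, mailer=smtp, relay=mx.example.org. [198.51.100.5], stat=Sent
Jan 21 03:15:00 wheel sendmail[1210]: DAA01210: from=<alice@dcn.davis.ca.us>, size=300, class=0, pri=30300, nrcpts=1, msgid=<2@dcn.davis.ca.us>, proto=SMTP, relay=ppp12.dcn.davis.ca.us [10.1.1.12]
Jan 21 03:15:01 wheel sendmail[1212]: DAA01210: to=<bob@example.org>, delay=00:00:01, mailer=smtp, relay=mx.example.org. [198.51.100.5], stat=Sent
Jan 21 03:16:00 wheel sendmail[1220]: DAA01220: from=<friend@example.com>, size=900, class=0, pri=30900, nrcpts=1, msgid=<3@example.com>, proto=SMTP, relay=smtp.example.com [203.0.113.20]
Jan 21 03:16:01 wheel sendmail[1222]: DAA01220: to=<carol@dcn.davis.ca.us>, delay=00:00:01, mailer=local, stat=Sent
""".splitlines()

FROM_RE = re.compile(r": (?P<qid>\w+): from=<?(?P<addr>[^>,\s]*)>?.*relay=\S+ \[(?P<ip>[\d.]+)\]")
TO_RE = re.compile(r": (?P<qid>\w+): to=<?(?P<addr>[^>,\s]*)>?")


def third_party_relays(log_lines):
    """Queue IDs of messages neither from nor to a DCN address or host.

    This is the 'neither to nor from a DCN-related site' criterion the report
    applies to its log excerpts.
    """
    msgs = defaultdict(lambda: {"from": None, "ip": None, "to": []})
    for line in log_lines:
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["from"] = m["addr"]
            msgs[m["qid"]]["ip"] = m["ip"]
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["to"].append(m["addr"])
    flagged = []
    for qid, rec in msgs.items():
        if rec["from"] is None or not rec["to"]:
            continue                                  # incomplete record
        if is_local_address(rec["from"]) or ip_in(rec["ip"], LOCAL_NETS):
            continue                                  # originated inside DCN
        if any(is_local_address(t) for t in rec["to"]):
            continue                                  # delivered to a DCN user
        flagged.append(qid)
    return flagged


if __name__ == "__main__":
    for qid in third_party_relays(SAMPLE_LOG):
        print("third-party relay:", qid)
```

Run against the constructed log, only DAA01201 is reported: it came from an outside host and went to an outside recipient, which is the pattern that made wheel useful to the mail bombers. The same policy refuses a connection from an outside address even when the client claims a dcn.davis.ca.us sender, and accepts it when the client is in the modem pool or on the approved-relay list.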


[email protected]