> John's recipes are great tools; we recommend them. Only one problem: > Procmail does not work on NetNews. (If this exploit works in mail it > almost certainly works in news.... Scary thought.) > > --Brett Glass > I don't know if the exploit works with Usenet messages, but decent Usenet servers have filtering capabilities. INN had perl filtering hooks since at least 1995, and had easily modified code to analyze and reject messages based on headers since the beginning (1993.) In Usenet, generally most sites do not modify and sanitize messages, they just drop and reject them with just a message to the log, nothing else. Since propagating modified messages, for whatever reason, is never acceptable, it becomes a problem to sanitize: it would mean keeping additional special copies around. A full Usenet feed is on the order of 1E6 messages per day, and nearly all are binaries (UUEncoded) The John D. Hardin code looks solid, but might bog down a server if every Usenet message had to go through it. Personally, I don't think HTML (or binaries) belong on Usenet in the first place, so it's a simple policy to just drop posts containing HTML or UUencoding. :-) Seriously, the Hardin perl code will drop pretty easily into INN, although I haven't tried it myself. See README.perl_hook in the INN distribution and modify the procmail selector lines to the appropriate perl instead, and return a reject code instead of mangling and rewriting. Forrest J. Cavalier III, Mib Software, INN customization and consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour! Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages: http://www.mibsoftware.com/innsup.htm
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:13 PDT