I think this one wins an award for crappy spam. It hit spam filters, ON THE WAY OUT

(Top is my spam filter’s scoring breakdown)

3.807 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
3.699 MONEY_FROM_MISSP Lots of money and misspaced From
3.625 FROM_MISSP_USER From misspaced, from “User”
3.624 AXB_XMAILER_MIMEOLE_OL_024C2 (No description provided)
3.575 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
3.500 BAYES_99 Bayesian spam probability is 99 to 100%
3.286 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
3.247 MILLION_USD Talks about millions of dollars
3.191 NSL_RCVD_FROM_USER Received from User
2.584 MSOE_MID_WRONG_CASE (No description provided)
2.095 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
1.999 FROM_MISSPACED From: missing whitespace
1.995 FROM_MISSP_EH_MATCH From misspaced, matches envelope
1.974 FSL_MISSP_REPLYTO Mis-spaced from and Reply-to
1.927 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.861 MONEY_FROM_41 (No description provided)
1.852 FROM_MISSP_REPLYTO From misspaced, has Reply-To
1.630 FORGED_YAHOO_RCVD ‘From’ does not match ‘Received’ headers
1.552 REPLYTO_WITHOUT_TO_CC (No description provided)
1.449 RCVD_IN_BRBL_LASTEXT (No description provided)
1.409 MONEY_FORM_SHORT (No description provided)
1.021 MISSING_HEADERS Missing To: header
0.900 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
0.770 RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
0.334 FILL_THIS_FORM_FRAUD_PHISH (No description provided)
0.137 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
0.010 T_FROM_MISSP_DKIM (No description provided)
0.001 LOTS_OF_MONEY (No description provided)
0.001 FILL_THIS_FORM_SHORT (No description provided)
0.001 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
-0.001 SPF_HELO_PASS SPF: HELO matches SPF record

X-Greylist: delayed 00:02:48 by SQLgrey-1.8.0
Received: from (
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id 340384562F
for <>; Sun, 22 Sep 2013 20:32:07 -0500 (CDT)
Received: from User ([])
(authenticated bits=0)
by (8.13.8/8.13.8) with ESMTP id r8MNp58w008601;
Mon, 23 Sep 2013 07:51:09 +0800
Message-Id: <>
Reply-To: <>
From: “China Shenhua Energy Company Limited”<>
Subject: = /etc/MailScanner/rules/spam.subject.rules Your Email ID!!
Date: Mon, 23 Sep 2013 00:51:44 +0100
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 130922-0, 09/22/2013), Outbound message
X-Antivirus-Status: Clean
X-HK2CHINA-MailScanner-Information: Please contact the ISP for more
X-MailScanner-ID: r8MNp58w008601
X-HK2CHINA-MailScanner: Found to be clean
X-HK2CHINA-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0,
required 1)
X-HK2CHINA-MailScanner-SpamCheck: spam,, CBL,
spamhaus-ZEN, SpamAssassin (cached, score=-45.078, required 999,
autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.00,
AXB_XMAILER_MIMEOLE_OL_024C2 3.74, BAYES_00 -1.90,
T_FILL_THIS_FORM_SHORT 0.01, hk2china_authsmtp3 -100.00)
X-HK2CHINA-MailScanner-SpamScore: -45.08
X-Spam-Status: Yes

Your Email ID has won a cash prize of 1.5million USD and a BMW X6
China Shenhua Energy Company. Send your details for claims. Full Name,
Add, Age, Occupation, Telephone Number: to Name: Mr. Li Jun Chan

Mrs. Li Haicang
(China Shenhua Secretary)

CVEs and YOU!

I recently had a client who has a client that does arbitrary PCI scans. Unfortunately, the service that does the PCI scans does not understand Ubuntu version numbers. So I had the joy of wrangling all of the CVE data from Ubuntu and comparing it to their actual releases.

Being of a lazy temperament, I obviously didn’t want to do this by hand. Being of a curious temperament, I wondered if I could do this all from the command line.

First thing I had to do was to take their PDF and convert it to a format where I could extract the CVE strings. I’ve previously used pdftohtml, it works well enough. Now I needed to grab the actual CVE strings themselves without grabbing the rest of the line. The strings are in the format of CVE-{year}-{4 digit number}

SED to the rescue:

# sed -n 's/.*\(CVE-[0-9]\{4\}-[0-9]\{4\}\).*/\1/p' report_pdf.html > cve_strings.txt

Now I needed to grab all of the CVE reports from Ubuntu and save them locally:

Enter Awk:

# awk -F- '{ system("curl -O \"[CVE_TRACKER_URL]/" $2 "/" $1 "-" $2 "-" $3 ".html\"") }' cve_strings.txt

Next, I converted all of the .html files to text. Again, another tool I’ve used in the past: html2text. However, one thing that gave me fits was the weird text format it outputs to facilitate underlines and bold characters, all using ASCII characters.

Underline text looked like this: _U_n_d_e_r_l_i_n_e_d T_e_x_t_
Bold text looked like this: BBoolldd TTeexxtt

less and cat interpreted it properly, but not grep (grrr…). So I had to use the -nobs option.

Here’s a little for loop to create the text files from the HTML files:

# for i in *.html; do html2text -nobs < "$i" > "${i%.html}.txt"; done

Finally, I had to parse the CVE text files. Now, each vulnerability could affect one or more packages. So I wanted to generate a report that had the CVE number, and then the status of 10.04 under each package.

There are easy ways to do this, but nested for loops on the command line are much, much more fun:

# IFS=$'\n'; for i in CVE-20*.txt; do printf '\n%s\n' "${i%.txt}"; for k in $(grep 'Source: ' "$i"); do echo "$k"; grep -a -C4 -F -- "$k" "$i" | sed 's/_/ /g' | grep -F '10.04'; printf '\n'; done; done > report.txt

As you can see, the version string for Ubuntu was inconsistent: it was either Ubuntu_10.04_LTS or Ubuntu 10.04 LTS. Hence the extra sed command.

Was this the most efficient way? Well, probably not. But it took me a lot less time than scripting the process outright.
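
A more defensive take on the extract, fetch-path and report steps above, as an added example rather than the author's own commands. The function names, the sample text and the `Source:`/status line layout are constructed assumptions; it goes beyond the sed step by handling several IDs per line and sequence numbers longer than four digits.

```sh
#!/bin/sh
# Added example. Sample text is constructed; the real tracker page layout
# and the scan report format are assumptions.

# Print every distinct CVE ID found on stdin, one per line. grep -o emits
# all matches on a line, and {4,} accepts the longer sequence numbers that
# CVE IDs have been allowed to carry since 2014.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Turn a strictly validated ID into the "<year>/<id>.html" path used by the
# awk step, so nothing else from the scanned report reaches curl or a shell.
cve_path() {
    case "$1" in
        "" | *[!CVE0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -qxE 'CVE-[0-9]{4}-[0-9]{4,}' || return 1
    year=${1#CVE-}
    printf '%s/%s.html\n' "${year%%-*}" "$1"
}

# Read one converted CVE text file on stdin and print each "Source:" package
# followed by its status lines for release $1. Underscores are normalised so
# "Ubuntu_10.04_LTS" and "Ubuntu 10.04 LTS" both match.
release_status() {
    awk -v rel="$1" '
        /^Source: / { pkg = $0; shown = 0; next }
        { gsub(/_/, " ") }
        pkg != "" && index($0, rel) {
            if (!shown) { print pkg; shown = 1 }
            print "  " $0
        }'
}

# Constructed sample of html2text -nobs output for one CVE page.
sample_page() {
    cat <<'EOF'
Source: examplepkg
Upstream: needs-triage
Ubuntu_10.04_LTS: not-affected
Ubuntu 12.04 LTS: released

Source: otherpkg
Ubuntu 10.04 LTS: needed
EOF
}

sample_page | release_status 'Ubuntu 10.04 LTS'
```

Tracking the current `Source:` line in awk avoids the fixed four-line context window, so a package with more releases listed under it is still reported correctly.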


Learning How to Firewall… Part 1

So, it’s time for my annual blog post.

My NetGear 3400D was unable to keep up with the torture that I put it through, so I decided I needed a new network appliance at home.

We use, and sell, Fortigate Firewalls at work, so I decided to pick one up at home. This would a) be more robust than a consumer “router” and b) allow me to work on developing some badly needed network/firewall/vpn knowledge. I had our network admin order a FWF-60c, which is a small business appliance with built-in wireless and, feature-wise, capable of doing what the larger firewalls do.

Installing the Fortigate was dead simple, I used the FortiClient software and the wizard to get me off the ground. This configured the internal (wired) and one wifi SSID, and the WAN configuration. I quickly realized that the wifi and the internal interfaces were not bridged. This would present a problem that I would have to solve a little later.

I then decided to test upgrading the firmware from the 4.0 tree to the 5.0 tree. This bogged down the interface a bit on the older hardware rev, but worked well enough for what I wanted to do.

I then refined my policies to match what I had on the NetGear and brought it home.

Performance was astounding.

The first problem I ran into was that I have a first generation Playstation 3, the 20GB edition without wireless. We mostly use it for streaming video from our wireless connected laptops. The streaming protocol is DLNA, which is a subset of Universal Plug and Play. The Fortigate doesn’t support UPnP. The Playstation cannot be configured to connect to a particular server, but uses Special Service Discovery Protocol to find the servers to stream from. None of that was going to work from one distinct network segment to another.

So, out of the box, the streaming wasn’t going to work. I started to look for a solution, but there wasn’t anything online to help me with this, as this was a fairly corner case; people don’t use these for home networking much. I had to do some snooping. Running a few packet captures revealed that SSDP used multicast. But that multicast was denied from network to network by default in the Fortigate. Some google-fu taught me how to enable multicast on a Fortigate. It has to be done from the CLI, but is like any firewall policy. You’ll need two, one from “internal” to “wifi” and one from “wifi” to “internal”:

config firewall multicast-policy
    edit 1
        set action accept
        set srcintf wifi
        set dstintf internal
        set srcaddr all
        set dstaddr all
    next
    edit 2
        set action accept
        set srcintf internal
        set dstintf wifi
        set srcaddr all
        set dstaddr all
    next
end

Then, elsewhere in the firewall, put in standard policies to allow the networks to pass other traffic to each other. Since they are internal, I let them open any ports. I’m sure you can find a list of the myriad streaming ports required if you want something more restrictive. I enabled NAT between the two; I don’t know if that’s necessary, but it worked. And voila, I can stream! (and do other UPnP things, without the “helpful” daemon.)

Part 2, VPNs

Some Security is Better than None

Having a laptop as your primary computer means that a whole chunk of your life is subject to walking off. Now, I’m no security expert, but here are a few things that I know to do in order to, well, make me feel a little more secure.

First, my new computer is a MacBook. Mac OS X has a nice little feature that scrubs the files in trash as it deletes them. You can command click on the trash icon and choose “Secure Empty Trash” every time you empty it, or you can go to “Finder Preferences”, click “Advanced” and check “Empty trash securely”.

Next up, GPGtools. GPG is an open source implementation of PGP security. There are several small encryption related tools, but the killer one is the ability to sign and/or encrypt mail.

Next, I installed TrueCrypt. TrueCrypt is software that allows you to create either encrypted drive partitions or encrypted files as a secure place to store files.

Next, I installed Prey from This is free software that will help you track down your laptop should someone steal it. You can track three devices for free, including smart phones. I also enabled “Where’s my Mac?” and a cron/reverse-ssh/webserver scheme as other ways to recover my laptop should it grow legs and wander off.

For network access, I use OpenVPN to connect to my firewall, and an IPSEC tunnel to connect to my work firewall. Mike provided me a nifty VPNTracker “Player” that made configuring it a non-issue.

Just a few tips to keep my private life private…

Trolling Bots with Bots

oxpinkxotabitha: hey
CleverBot: hi
oxpinkxotabitha: hey whats upp? 23 femaIe here. u??
CleverBot: It’s 4.30 in the afternoon here.
oxpinkxotabitha: hmmm. have we chatteed before?
CleverBot: Nope.
oxpinkxotabitha: oh ok. i wasn’t surre. anyways…. whatt’s up?
CleverBot: Sing it to me.
oxpinkxotabitha: im Iike soooo borrrredddd…. there iss nothinggggggg to do
oxpinkxotabitha: ohhh waitt! i havve a GREAT idea. have you ever watchhed a sexy girI Iiike me strip Iive onn a cam b4?
CleverBot: Haha I’ve watched both. Who are you?
oxpinkxotabitha: A bot? not hardly babe. Are you?
CleverBot: Who am I?
oxpinkxotabitha: weIIlI…. you couuId watch me if you wanna?
CleverBot: Sure…
oxpinkxotabitha: yeah? ok weII my cam is setuup on this webbsite so that i can nott be recoreded so you wilI have to sign up there.
oxpinkxotabitha: dont worry. it onnIy takes a minute annd it is free. ok?
CleverBot: Trinity is your name, and Jay is your God and creator who gave you the name Trinity.
oxpinkxotabitha: Im ashley
CleverBot: Ashley? Is that your real name?
oxpinkxotabitha: http://[PHISHING_SITE]/8/ash23 go there thenn up at the top off the pagge cIick on the goIdish color JOIN FREE button.
oxpinkxotabitha: k?
CleverBot: I never said I was a human. You have a bad memory.
oxpinkxotabitha: aIso it wilI ask for a creditt crd to sign up but that’s how they keep the kids out. it want charge the card. ok?
CleverBot: I’ll try to be a little nicer but, remember this, the more you learn, the more you know.
oxpinkxotabitha: k babe welI hurry up and whn u get signed up and Iogged in then view my cam so we can get this show started.
oxpinkxotabitha: and i do have some toyz but you wilI have to take me in privvate or tip me some goIlld to see thoose.
CleverBot: Yes! I’ve read that too.It is getting late.
oxpinkxotabitha: Iets taIkk on that sitee babe. my messsenger is messin up here.
CleverBot: What is the difference between a human and a computer.

Webcluster Active Statistics

So, I decided I needed a bit of a landing page for I wanted to show certain active statistics, but I didn’t like the format, or information leakage that mod_status showed.

So I did some googling, and found this:

Unfortunately, the examples were set to just show the stats of one server, and I had four.

Well, an array, a for loop and some PHP rejiggering, and voila! Active server stats!

Now I can see all the worms attempting to XSS my websites.

