Solutions Newsletter - Summer 2006 - Volume 11 Issue 2
Process Software's Nigerian Email Scammer Research Makes Headlines
Process Software has published the first in a series of articles documenting the infamous Nigerian email scam. The article covers how the scam works, who is behind it, and why it has been so successful at defrauding victims for over a decade. Several media outlets have contacted us for interviews on this fascinating subject. You can watch a replay of our live TV interview on the Jim Pillsbury show, along with several articles, at http://www.process.com/precisemail/inthenews.html
Read the second in a series of articles on Exposing Nigerian Email Scammers
The second article in the series on Exposing Nigerian Email Scammers has just been posted to our website. In this article, see how a scammer known as Mr. Zakaharenko seeks our help with a 100 million dollar transaction. A Process Software engineer responded to this offer by impersonating a naïve email user hoping to receive personal financial gain. http://www.process.com/techsupport/Exposing_419_2.pdf
Process Software Roadmap Update
PMDF v6.3 is now shipping. The new release includes support for Integrity, Solaris 10, and LDAP authentication against Active Directory. Planning for the next release is currently under way.
PreciseMail Anti-Spam Gateway v2.4 will be released in the September timeframe. Beta testing will begin in late July. The following new features are planned for this release:
- Reputation filter – PreciseMail proactively analyzes websites for pornographic, phishing, and drug content. The results of the analysis are used for email reputation filtering.
- User action reports – These web-based reports provide information on the number of users performing specific actions such as user logins, quarantine views, allow/block list updates, released messages, previewed messages, deleted messages, etc. These reports give administrators information on how PreciseMail is being used by their organization.
- Web administrator interface enhancements – Administrators can create system-wide allow/block lists using the web interface.
- Clam AntiVirus support - PreciseMail Anti-Spam Gateway SMTP proxy integrates with Clam AntiVirus on UNIX platforms. Clam AntiVirus is an open source anti-virus filter which includes a flexible and scalable multi-threaded daemon. For more information about Clam AntiVirus, go to http://www.clamav.net/.
- Quarantine notification enhancement – Administrators can customize any aspect of the email quarantine notification that is sent to users.
- Performance improvements – The rules can be compiled to improve the performance for OpenVMS deployments.
- Added support for allowing users to disable acknowledgment email from the PreciseMail email interface.
- Modified the allow/block list pages so that clicking on any of the icons to go elsewhere results in a warning popup if you have changed the lists but have not saved.
- Modified preference page navigation.
A beta sign-up form will be posted to our website as well as sent to the "pmas-announce" list in a few weeks.
MultiNet v5.2 will be released in Q1 2007. The beta test will begin in Q4 2006. The following new features are planned for this release:
- BIND 9 server
  - Works with IPv6
  - Improves security including DNSSEC (signed zones) and TSIG (signed DNS requests)
  - Enhances protocol support for IXFR, DDNS, Notify, and EDNS0
  - Provides access control where one server can provide multiple views to different users
  - Improves standard conformance for over 25 RFCs
  - Improvements to server administration tools, including remote access via trusted keys
- IPv6 - IPv6 will be implemented in the kernel, Telnet, FTP, BIND 9 server, and SSH. It includes support for a six to four interface (RFC 3056), which is a tunneling mechanism where IPv6 packets are encapsulated into IPv4 packets. This allows isolated IPv6 domains or hosts, attached to an IPv4 network which has no native IPv6 support, to communicate with other such IPv6 domains or hosts with minimal manual configuration.
- IPSEC upgrade – A gateway interface has been added for VPN layer 3 tunneling support. IKE (or ISAKMP) functionality is also supported. IKE negotiates the IPSec security associations and generates the required key material for IPSec automatically.
- Intrusion detection features – The development team is investigating ways to automatically detect and block access to ports and/or applications that are potentially under attack.
- Kernel performance improvements
- SSH upgrade
  - Logging for number of maximum password attempts
  - Compiled from an unaltered cryptographic source certified to comply with DoD (US Department of Defense) PKI
  - New SSH-CERTTOOL to create PKCS#10 certificate requests
  - Compatible with OpenSSH SCP
  - SSH CERTVIEW displays more certificate extensions
SSH for OpenVMS v2.3 and TCPware SSH new feature eco will be released in Q1 2007. The following new features are planned for this release:
- Logging for number of maximum password attempts
- Compiled from an unaltered cryptographic source certified to comply with Department of Defense PKI
- New SSH-CERTTOOL to create PKCS#10 certificate requests
- Compatible with OpenSSH SCP
- SSH CERTVIEW displays more certificate extensions.
TCPware 5.8 will be released in Q2 2007. Beta is scheduled to begin in Q1 2007. The following new features are planned for this release:
- BIND 9 server
  - Improves security including DNSSEC (signed zones) and TSIG (signed DNS requests)
  - Enhances protocol support for IXFR, DDNS, Notify, and EDNS0
  - Provides access control where one server can provide multiple views to different users
  - Improves standard conformance for over 25 RFCs
  - Improvements to server administration tools, including remote access via trusted keys
- Intrusion detection - The development team is investigating ways to automatically detect and block access to ports and/or applications that are potentially under attack.
- NTP v4.2 – This release replaces DES with MD5 and includes various bug fixes.
- SSH upgrade as described in the TCPware SSH feature eco release.
VMS Authentication Module Now Supports LDAP
Process Software’s VMS Authentication Module provides an added layer of security for protecting mission critical applications running on OpenVMS. The first authentication method introduced several months ago was RSA SecurID Agent. Now organizations can access an LDAP database securely from their OpenVMS systems on Alpha v6.2 or higher, VAX v7.3 or higher, or Integrity v8.2 or higher. For a free trial, send an email with your requirements to sales@process.com or call (508)879-6994.
Process Software Website Enhancement Plans
Look for improvements and new services on our website in the coming months including RSS feed product announcements, discussion groups, and Podcasts. We will also be upgrading our technical support web pages with better navigation and search capabilities.
SSH Solutions Update
Process Software provides leading edge SSH solutions in TCPware, MultiNet, and SSH for OpenVMS. You will find updated information such as an SSH Feature comparison (vs. HP’s SSH solution on OpenVMS), a Quick Reference Guide, and a Technical Solution Overview at http://www.process.com/tcpip/sshsolutions.html
Survey Response - How customers use MultiNet and TCPware
In our last issue of the Solutions Newsletter, we asked you to complete a survey which included a question on which MultiNet and TCPware features you currently use. Here are the responses:
Events
- OpenVMS Bootcamp, May 21-26, 2006 at the Sheraton Hotel in Nashua, NH.
- HP Technology Forum 2006, September 18-20, Houston, TX. DSPP Partner Pavilion Booth D12.
Patch Corner
Check out the recommended patch list on our website. Here is a list for the past 60 days:
MultiNet v5.1
1. KERNEL-UPDATE-092 - Correct an error that can cause a system crash
Release date - May 11
2. SSH-030_A051 - Assorted fixes
Release date - June 2
MultiNet v5.0
ssh-060_A050 - Assorted fixes
Release date - June 2
MultiNet v4.4
ssh-120_a044 - Assorted fixes
Release date - June 2
TCPware v5.7-2
1. NETCP V572P010 - Correct IP-over-DECNET failure
Release date - April 20
2. SSH_V572P020 - Assorted fixes
Release date - June 2
TCPware v5.6-2
ssh_v562p090 - Assorted fixes
Release date - June 2
SSH for OpenVMS v2.2
SSHVMS-030_A022
Release date - June 2
PMDF v6.3 - June 1
In an attempt to resolve the various issues that have been reported with PMDF V6.3 on VMS/Alpha with running out of quota and RMS-F-BUG, etc., we have rebuilt PMDF V6.3 for VMS/Alpha only with the UPCALLS flag turned off. This kit is available on our ftp site. Please contact Process support for download instructions.
FAQs
PreciseMail Anti-Spam Gateway
Q. What ports need to be open for PreciseMail Anti-Spam Gateway to work?
A. Open TCP ports between 8050 and 8100 for outgoing access to updates.pmas.process.com
PMDF
Q. All mail received by PMDF needs to be archived for future retrieval in case of litigation. Is there any way to do that?
A. The MESSAGE-SAVE-COPY mapping table can be used to make copies of mail as it is removed from channels if you are running PMDF on OpenVMS, Solaris, or Tru64 UNIX. Customers can then run batch jobs nightly to ZIP and move it all off the system.
Q. Can I prevent the PMDF mail gateway from delivering mail to our exchange server while PMDF still receives incoming mail by stopping the dedicated channel or by some other means?
A. On VMS, you can do that by defining the logical PMDF_HOLD to specify the channel(s) you want to hold/stop:
$ define/system/exec pmdf_hold channelname
On all platforms you can add the "slave" keyword to the channel that is delivering mail to Exchange.
Q. Is there a tool to trace a particular message in the PMDF mail log?
A. Use the LOG_CONDENSE utility. It scans the MAIL.LOG file and combines the two or more lines that describe a single message into a one-line summary.
The LOG_CONDENSE utility is described in the PMDF System Manager's Guide, Chapter 32 (Monitoring).
SSH – MultiNet, TCPware, and SSH for OpenVMS
Q. I need to set up the SFTP2 transfer to work from a batch job. I'm not seeing an equivalent to the /PASSWORD qualifier that we were using with normal FTP and the documentation doesn't seem to speak to the issue. Is there a recommended methodology for supplying the password in batch mode?
A. Password authentication cannot be used by SSH, SFTP, or SCP when in batch mode. You will have to use a non-interactive authentication method, most likely public key authentication. To set up public key authentication you will need to create a key pair -
$ multinet sshkeygen/ssh2/keys=[.ssh2]corbett/nopass
Generating 1024-bit dsa key pair
8 .oOo.oOo.ooO
Key generated.
1024-bit dsa, corbett@darth.process.com, Tue Apr 18 2006 12:48:50
Private key saved to [.SSH2]CORBETT
Public key saved to [.SSH2]CORBETT.pub
You can create an identification. file in the [.ssh2] directory, or edit the existing one and add an idkey line to it. This instructs the client to use the key specified during authentication -
$ create [.ssh2]identification.
idkey corbett
<ctl-z>
Copy the public key to the server. I use scp in the example below -
$ scp [.ssh2]corbett.pub "corbett@gondor.process.com::corbett.pub"
Keyboard-interactive:
Password:
corbett.pub | 747B | 0.7 kB/s | TOC: 00:00:01 | 100%
You then have to configure the server to use the public key for authentication. If you are using our server you would put the .pub file in the user's [.ssh2] subdirectory and then add a key line to the [.ssh2]authorization. file like the following -
key corbett.pub
If it is a Unix server and is running an OpenSSH server then the key will have to be converted. Here is an example using SSH to convert the key that was just sent over and append it to the user's authorized_keys file -
$ ssh "corbett@gondor.process.com" ssh-keygen -i -f corbett.pub >> .ssh/authorized_keys
Keyboard-interactive:
Password:
Authentication successful.
The ssh-keygen command might be different depending on the version of the OpenSSH software. Check the man pages for the specific option to convert the key to the OpenSSH format. In the example above it is the -i option:
-i This option will read an unencrypted private (or public) key
file in SSH2-compatible format and print an OpenSSH compatible
private (or public) key to stdout. ssh-keygen also reads the
SECSSH Public Key File Format. This option allows importing
keys from several commercial SSH implementations.
Now you can use SSH, SFTP, or SCP commands without using a password -
$ ssh "corbett@gondor.process.com" date
Authentication successful.
Tue Apr 18 14:47:40 EDT 2006
To use SFTP in a command procedure you will probably want to use the /batchfile= qualifier and put the SFTP commands in there. For example -
$ create sftp.take
get file.log
rm file.log
<Ctl-z>
$ sftp/batch_file=sftp.take "corbett@gondor.process.com"
sftp> get file.log
file.log | 25B | 0.0 kB/s | TOC: 00:00:01 | 100%
sftp> rm file.log
sftp> exit
MultiNet
Q. How do I setup HOST BASED authentication so that any user can SSH without using a password? This is system based authentication rather than user based.
A. You should already have HOST keys on your system if SSH has been started and working.
1. On the client system you should have:
"MULTINET_SSH2_HOSTKEY_DIR" = "MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.HOSTKEYS]"
$ dir MULTINET_SSH2_HOSTKEY_DIR
Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.HOSTKEYS]
HOSTKEY.;1 HOSTKEY.PUB;1
These are your HOST keys.
2. Copy the public key (HOSTKEY.PUB) to the server and place it where the logical below points:
"MULTINET_SSH2_KNOWNHOSTS_DIR" = "MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS]"
$ dir MULTINET_SSH2_KNOWNHOSTS_DIR
Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS]
HOSTKEY.PUB;1
3. Make a copy of the public key (HOSTKEY.PUB) into the format of: clienthostname_domain_ssh-dss.pub. So in the case where my system name is NODENAME.PROCESS.COM you see the result below:
$ dir MULTINET_SSH2_KNOWNHOSTS_DIR
Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.KNOWNHOSTS]
NODENAME_PROCESS_COM_SSH-DSS.PUB;1 HOSTKEY.PUB;1
4. On the server, add HOSTBASED to your authentication methods in SSH2_DIR:SSHD2_CONFIG.:
AllowedAuthentications hostbased, publickey, password
5. On the server add the DNS name of the client to MULTINET:HOSTS.EQUIV:
$ type hosts.equiv
nodename.process.com
Contacting Process Software
E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com - International Sales information
support@process.com - Technical Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster
Phone/Fax/Address:
U.S.A./Canada - (800)722-7770
International - (508)879-6994
Fax - (508)879-0042
Mail:
959 Concord Street
Framingham, MA 01701-4682
