[irc.git] / software / !RELEASES / ircservices / achurch.org / services / lists / ircservices-coding / 2002 / 001482.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [IRCServices Coding] A few things...
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:ircservices-coding%40ircservices.za.net?Subject=%5BIRCServices%20Coding%5D%20A%20few%20things...&In-Reply-To=">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="001498.html">
   <LINK REL="Next"  HREF="001483.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[IRCServices Coding] A few things...</H1>
    <B>Dylan v.d Merwe</B> 
    <A HREF="mailto:ircservices-coding%40ircservices.za.net?Subject=%5BIRCServices%20Coding%5D%20A%20few%20things...&In-Reply-To="
       TITLE="[IRCServices Coding] A few things...">dylanvdm at icon.co.za
       </A><BR>
    <I>Fri Sep 20 11:30:58 PDT 2002</I>
    <P><UL>
        <LI>Previous message: <A HREF="001498.html">[IRCServices Coding] Memoserv Forward
</A></li>
        <LI>Next message: <A HREF="001483.html">[IRCServices Coding] A few things...
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#1482">[ date ]</a>
              <a href="thread.html#1482">[ thread ]</a>
              <a href="subject.html#1482">[ subject ]</a>
              <a href="author.html#1482">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Yes I guess hackers could mess around with this BUT...

#         nickserv/mail-auth  [OPTIONAL; RECOMMENDED for large networks]
#             Allows verification of E-mail addresses for nicknames by
#             sending an authorization code to the address given in the
#             REGISTER or SET EMAIL command and disallowing identification
#             for the nick until the user sends the authorization code to
#             NickServ with the AUTH command.

#         nickserv/sendpass  [OPTIONAL]
#             Provides a SENDPASS command which allows users to have
#             NickServ send their nickname password to the E-mail address
#             they have registered for the nickname.
#             NOTE: This module requires the &quot;nickserv/mail-auth&quot; module.

#         chanserv/sendpass  [OPTIONAL]
#             Provides a SENDPASS command which allows channel founders to
#             have ChanServ send the password for a channel to the E-mail
#             address they have registered for their nickname.
#             NOTE: This module requires the &quot;nickserv/mail-auth&quot; module.

If you read the above it says that they all require the nickserv/mail-auth
module.
This is understandable because how can you be sure that you are sending this
email to a valid email address? Though I must say newbies hardly use
features like SENDPASS if they don't know what it does (you do get idjits of
course).
Newbies will also be inclined to use a valid email address anyway. Advanced
users will more
likely use this feature after they come back from holiday or if their mind
truly has been elsewhere and they forget their password. It is common sense
(to normal people) that a situation may arise that you might forget your
password, which is a good reason why you should specify a valid email
address from the beginning.

I really really really think this should be discussed because I would find
it much easier if you didn't need to authenticate your passwords first. It
is also the network's responsibility to make sure that they give adequate
notification that a *valid* email address should be used.

Not forgetting about abuse of this feature, there is:

    # NSSendauthDelay &lt;time&gt;  [RECOMMENDED]
    #     Sets the minimum length of time between consecutive uses of the
    #     SENDAUTH command for the same nick group.  If not specified, this
    #     restriction is disabled.
    #
    #     WARNING: Not setting NSSendauthDelay, or setting it too low, will
    #              allow users to abuse this command to send large
    #              quantities of mail (mailbombs) to arbitrary users!

    NSSendauthDelay 1d

    # CSSendpassDelay &lt;time&gt;  [RECOMMENDED]
    #     Sets the period of time which must elapse between SENDPASS
    #     commands for the same channel.  If not specified, the SENDPASS
    #     command may be used at any time.
    #
    #     NOTE: Since users can only send passwords to nicks they have
    #           identified for, the potential for E-mail attacks via this
    #           command is minimal; however, setting this limit too low (or
    #           not setting it at all) can allow users to slow down
    #           Services through frequent SENDPASS requests.

    CSSendpassDelay 12h


I think that the SENDPASS option available in NickServ and ChanServ is very
helpful as it will save CSops a workout. I was a CSop for some time on a big
network and getting people's passwords (which were quite funny) becomes
irritating when there are other things to do.

I also hope that the
* services.shadownet.za.net changed topic to 'blah blah (nick)'
will be changed to ChanServ as it really does make it look neater.

Yusuf Iskenderoglu said:
&quot;No, AFAIK at least Unreal does not allow ChanServ set the TOPIC that
way.&quot;

Yusuf it does. Well I'm not sure about the 3.1 series but the 3.2 definitely
does. I have checked this feature on another services package (which I
didn't like) and when I typed /chanserv topic #chan &lt;topic&gt;, ChanServ set
the topic as I suggested and not the name of the services server. As I said
it's
not some huge problem but it would look nicer - like adding blonde streaks
into a sexy brunettes hair :-)

And thanks for your opinions on the proxy scanner. I must admit I haven't
used BOPM but will soon.

Ty

D.

----- Original Message -----
From: &quot;Panagiotis Kefalidis&quot; &lt;<A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">pkef at hnioxos.ee.auth.gr</A>&gt;
To: &lt;<A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">ircservices-coding at ircservices.za.net</A>&gt;
Sent: Friday, September 20, 2002 1:50 PM
Subject: Re: AW: [IRCServices Coding] A few things...


&gt;<i>
</I>&gt;<i>
</I>&gt;<i> On Fri, 20 Sep 2002, Yusuf Iskenderoglu wrote:
</I>&gt;<i>
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; Hello;
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; &gt;&gt; How will you ensure that the email is correct ? If it is not
</I>&gt;<i> &gt; &gt;&gt; Authenticated ? Users could have set <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">a at b.c.de</A> as email.
</I>&gt;<i> &gt; &gt;I think we don't care about the email they've set.To set a
</I>&gt;<i> &gt; &gt;valid mail is for their own good in case they forget their
</I>&gt;<i> &gt; &gt;password.I believe just a notice while running the register
</I>&gt;<i> &gt; &gt;proccess,about setting a valid email,is enough. (:
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; It looks as if you have never run sendmail. And have never had
</I>&gt;<i> &gt; To kill 500 sendmail processes trying to time out due to wrong
</I>&gt;<i> &gt; Email addresses, when attackers think they are cleverer.
</I>&gt;<i> I did,but to be honest,i'ven't thought about that(attackers).We can add a
</I>&gt;<i> limit to the SENDPASS command to prevent attackers doing this.I mean, in
</I>case
&gt;<i> there is an email set,adding a limit to the user preventing him to use
</I>&gt;<i> the SENDPASS more than 1 time per hour or sth like that, would be
</I>&gt;<i> nice/enough to prevent abuse.
</I>&gt;<i>
</I>&gt;<i> Whatever i've written above is not what i believe as being right.
</I>&gt;<i> My personal opinion is that the most safe way is FIRST authenticate
</I>&gt;<i> the email and then anything else.That's to prevent abuse from attackers
</I>&gt;<i> or any other kind of attack to services or the machine running them
</I>&gt;<i> itself,as yusuf mentioned in his reply.
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> &gt; Please do consider that there are users without root-rights
</I>&gt;<i> &gt; Who also run services, and they cannot modify sendmail settings.
</I>&gt;<i> &gt;
</I>&gt;<i> That's true. :|
</I>&gt;<i> &gt; As of this, a new command a la DENYMAIL add|del|list to prevent
</I>&gt;<i> &gt; Certain email addresses from being used at registration processes
</I>&gt;<i> &gt; Would moreover be fine.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; SCNR.
</I>&gt;<i> &gt; Yusuf
</I>&gt;<i> &gt;
</I>&gt;<i> Regards,
</I>&gt;<i> Gizm0.-
</I>&gt;<i>
</I>&gt;<i> ------------------------------------------------------------------
</I>&gt;<i> To unsubscribe or change your subscription options, visit:
</I>&gt;<i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">http://www.ircservices.za.net/mailman/listinfo/ircservices-coding</A>
</I>&gt;<i>
</I>


</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="001498.html">[IRCServices Coding] Memoserv Forward
</A></li>
	<LI>Next message: <A HREF="001483.html">[IRCServices Coding] A few things...
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#1482">[ date ]</a>
              <a href="thread.html#1482">[ thread ]</a>
              <a href="subject.html#1482">[ subject ]</a>
              <a href="author.html#1482">[ author ]</a>
         </LI>
       </UL>

</body></html>
Commit	Line	Data
3bd189cb JR	1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
	2	<HTML>
	3	<HEAD>
	4	<TITLE> [IRCServices Coding] A few things...
	5	</TITLE>
	6	<LINK REL="Index" HREF="index.html" >
	7	<LINK REL="made" HREF="mailto:ircservices-coding%40ircservices.za.net?Subject=%5BIRCServices%20Coding%5D%20A%20few%20things...&In-Reply-To=">
	8	<META NAME="robots" CONTENT="index,nofollow">
	9	<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
	10	<LINK REL="Previous" HREF="001498.html">
	11	<LINK REL="Next" HREF="001483.html">
	12	</HEAD>
	13	<BODY BGCOLOR="#ffffff">
	14	<H1>[IRCServices Coding] A few things...</H1>
	15	<B>Dylan v.d Merwe</B>
	16	<A HREF="mailto:ircservices-coding%40ircservices.za.net?Subject=%5BIRCServices%20Coding%5D%20A%20few%20things...&In-Reply-To="
	17	TITLE="[IRCServices Coding] A few things...">dylanvdm at icon.co.za
	18	</A><BR>
	19	<I>Fri Sep 20 11:30:58 PDT 2002</I>
	20	<P><UL>
	21	<LI>Previous message: <A HREF="001498.html">[IRCServices Coding] Memoserv Forward
	22	</A></li>
	23	<LI>Next message: <A HREF="001483.html">[IRCServices Coding] A few things...
	24	</A></li>
	25	<LI> <B>Messages sorted by:</B>
	26	<a href="date.html#1482">[ date ]</a>
	27	<a href="thread.html#1482">[ thread ]</a>
	28	<a href="subject.html#1482">[ subject ]</a>
	29	<a href="author.html#1482">[ author ]</a>
	30	</LI>
	31	</UL>
	32	<HR>
	33	<!--beginarticle-->
	34	<PRE>Yes I guess hackers could mess around with this BUT...
	35
	36	# nickserv/mail-auth [OPTIONAL; RECOMMENDED for large networks]
	37	# Allows verification of E-mail addresses for nicknames by
	38	# sending an authorization code to the address given in the
	39	# REGISTER or SET EMAIL command and disallowing identification
	40	# for the nick until the user sends the authorization code to
	41	# NickServ with the AUTH command.
	42
	43	# nickserv/sendpass [OPTIONAL]
	44	# Provides a SENDPASS command which allows users to have
	45	# NickServ send their nickname password to the E-mail address
	46	# they have registered for the nickname.
	47	# NOTE: This module requires the "nickserv/mail-auth" module.
	48
	49	# chanserv/sendpass [OPTIONAL]
	50	# Provides a SENDPASS command which allows channel founders to
	51	# have ChanServ send the password for a channel to the E-mail
	52	# address they have registered for their nickname.
	53	# NOTE: This module requires the "nickserv/mail-auth" module.
	54
	55	If you read the above it says that they all require the nickserv/mail-auth
	56	module.
	57	This is understandable because how can you be sure that you are sending this
	58	email to a valid email address? Though I must say newbies hardly use
	59	features like SENDPASS if they don't know what it does (you do get idjits of
	60	course).
	61	Newbies will also be inclined to use a valid email address anyway. Advanced
	62	users will more
	63	likely use this feature after they come back from holiday or if their mind
	64	truly has been elsewhere and they forget their password. It is common sense
65	(to normal people) that a situation may arise that you might forget your
66	password, which is a good reason why you should specify a valid email
67	address from the beginning.
68
69	I really really really think this should be discussed because I would find
70	it much easier if you didn't need to authenticate your passwords first. It
71	is also the network's responsibility to make sure that they give adequate
72	notification that a valid email address should be used.
73
74	Not forgetting about abuse of this feature, there is:
75
76	# NSSendauthDelay <time> [RECOMMENDED]
77	# Sets the minimum length of time between consecutive uses of the
78	# SENDAUTH command for the same nick group. If not specified, this
79	# restriction is disabled.
80	#
81	# WARNING: Not setting NSSendauthDelay, or setting it too low, will
82	# allow users to abuse this command to send large
83	# quantities of mail (mailbombs) to arbitrary users!
84
85	NSSendauthDelay 1d
86
87	# CSSendpassDelay <time> [RECOMMENDED]
88	# Sets the period of time which must elapse between SENDPASS
89	# commands for the same channel. If not specified, the SENDPASS
90	# command may be used at any time.
91	#
92	# NOTE: Since users can only send passwords to nicks they have
93	# identified for, the potential for E-mail attacks via this
94	# command is minimal; however, setting this limit too low (or
95	# not setting it at all) can allow users to slow down
96	# Services through frequent SENDPASS requests.
97
98	CSSendpassDelay 12h
99
100
101	I think that the SENDPASS option available in NickServ and ChanServ is very
102	helpful as it will save CSops a workout. I was a CSop for some time on a big
103	network and getting people's passwords (which were quite funny) becomes
104	irritating when there are other things to do.
105
106	I also hope that the
107	* services.shadownet.za.net changed topic to 'blah blah (nick)'
108	will be changed to ChanServ as it really does make it look neater.
109
110	Yusuf Iskenderoglu said:
111	"No, AFAIK at least Unreal does not allow ChanServ set the TOPIC that
112	way."
113
114	Yusuf it does. Well I'm not sure about the 3.1 series but the 3.2 definitely
115	does. I have checked this feature on another services package (which I
116	didn't like) and when I typed /chanserv topic #chan <topic>, ChanServ set
117	the topic as I suggested and not the name of the services server. As I said
118	it's
119	not some huge problem but it would look nicer - like adding blonde streaks
120	into a sexy brunettes hair :-)
121
122	And thanks for your opinions on the proxy scanner. I must admit I haven't
123	used BOPM but will soon.
124
125	Ty
126
127	D.
128
129	----- Original Message -----
130	From: "Panagiotis Kefalidis" <<A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">pkef at hnioxos.ee.auth.gr</A>>
131	To: <<A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">ircservices-coding at ircservices.za.net</A>>
132	Sent: Friday, September 20, 2002 1:50 PM
133	Subject: Re: AW: [IRCServices Coding] A few things...
134
135
136	><i>
137	</I>><i>
138	</I>><i> On Fri, 20 Sep 2002, Yusuf Iskenderoglu wrote:
139	</I>><i>
140	</I>><i> >
141	</I>><i> >
142	</I>><i> > Hello;
143	</I>><i> >
144	</I>><i> > >> How will you ensure that the email is correct ? If it is not
145	</I>><i> > >> Authenticated ? Users could have set <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">a at b.c.de</A> as email.
146	</I>><i> > >I think we don't care about the email they've set.To set a
147	</I>><i> > >valid mail is for their own good in case they forget their
148	</I>><i> > >password.I believe just a notice while running the register
149	</I>><i> > >proccess,about setting a valid email,is enough. (:
150	</I>><i> >
151	</I>><i> > It looks as if you have never run sendmail. And have never had
152	</I>><i> > To kill 500 sendmail processes trying to time out due to wrong
153	</I>><i> > Email addresses, when attackers think they are cleverer.
154	</I>><i> I did,but to be honest,i'ven't thought about that(attackers).We can add a
155	</I>><i> limit to the SENDPASS command to prevent attackers doing this.I mean, in
156	</I>case
157	><i> there is an email set,adding a limit to the user preventing him to use
158	</I>><i> the SENDPASS more than 1 time per hour or sth like that, would be
159	</I>><i> nice/enough to prevent abuse.
160	</I>><i>
161	</I>><i> Whatever i've written above is not what i believe as being right.
162	</I>><i> My personal opinion is that the most safe way is FIRST authenticate
163	</I>><i> the email and then anything else.That's to prevent abuse from attackers
164	</I>><i> or any other kind of attack to services or the machine running them
165	</I>><i> itself,as yusuf mentioned in his reply.
166	</I>><i>
167	</I>><i>
168	</I>><i> > Please do consider that there are users without root-rights
169	</I>><i> > Who also run services, and they cannot modify sendmail settings.
170	</I>><i> >
171	</I>><i> That's true. :\|
172	</I>><i> > As of this, a new command a la DENYMAIL add\|del\|list to prevent
173	</I>><i> > Certain email addresses from being used at registration processes
174	</I>><i> > Would moreover be fine.
175	</I>><i> >
176	</I>><i> > SCNR.
177	</I>><i> > Yusuf
178	</I>><i> >
179	</I>><i> Regards,
180	</I>><i> Gizm0.-
181	</I>><i>
182	</I>><i> ------------------------------------------------------------------
183	</I>><i> To unsubscribe or change your subscription options, visit:
184	</I>><i> <A HREF="http://www.ircservices.za.net/mailman/listinfo/ircservices-coding">http://www.ircservices.za.net/mailman/listinfo/ircservices-coding</A>
185	</I>><i>
186	</I>
187
188
189
190	</PRE>
191
192	<!--endarticle-->
193	<HR>
194	<P><UL>
195	<!--threads-->
196	<LI>Previous message: <A HREF="001498.html">[IRCServices Coding] Memoserv Forward
197	</A></li>
198	<LI>Next message: <A HREF="001483.html">[IRCServices Coding] A few things...
199	</A></li>
200	<LI> <B>Messages sorted by:</B>
201	<a href="date.html#1482">[ date ]</a>
202	<a href="thread.html#1482">[ thread ]</a>
203	<a href="subject.html#1482">[ subject ]</a>
204	<a href="author.html#1482">[ author ]</a>
205	</LI>
206	</UL>
207
208	</body></html>