[Spambayes] security of server ports

Meyer, Tony T.A.Meyer at massey.ac.nz
Sat Sep 20 00:58:53 EDT 2003


> As a security professional it is my duty to be paranoid. 
> Since spambayes (or more correctly its proxies) opens some
> listener sockets, it would be nice if (a) by default it
> only accepted connections from localhost on those sockets,
> refusing to serve any others, and nonetheless (b) issued a
> warning anytime it detected a connection request on those
> sockets from any other machine.

There's a feature request (and patch I think) for this open on
SourceForge.  It will presumably get integrated at some point (probably
by the time 1.1a1 is released).  Given that they are only proxies, there
doesn't seem to be much of a risk.

> Same thing for the local web server offering the 
> configuration interface.

The web server does only accept connections from localhost, by default.
With 1.0a6 you can use HTTP AUTH, if you like, or set a set/range of IPs
that are allowed to connect to it.

=Tony Meyer
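
Added example, not part of the original message and not Spambayes code: a sketch of the policy discussed in this thread, where a listener accepts peers only from an allowed set of addresses (loopback by default) and logs a warning for every other connection attempt. The names parse_allowed, is_allowed, accept_filtered and DEFAULT_ALLOWED are hypothetical. Note that the warning in point (b) is only possible if the socket is bound to a non-loopback address; a socket bound to 127.0.0.1 alone never sees remote attempts.

```python
import ipaddress
import logging
import socket

log = logging.getLogger("proxy_acl")

# Hypothetical default: loopback only. A site could add e.g. "192.168.1.0/24".
DEFAULT_ALLOWED = ("127.0.0.0/8", "::1/128")


def parse_allowed(specs=DEFAULT_ALLOWED):
    """Turn address/CIDR strings into network objects once, at start-up."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def is_allowed(peer_ip, networks):
    """True if peer_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(peer_ip.split("%")[0])  # drop IPv6 zone id
    # An IPv4 client on a dual-stack socket shows up as ::ffff:a.b.c.d;
    # unwrap it so IPv4 rules still apply to it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)


def accept_filtered(listener, networks):
    """Accept one connection; return the socket if permitted, else None.

    A refused peer is closed before any data is read and the attempt is
    logged at WARNING level, so it is visible to whoever runs the proxy.
    """
    conn, peer = listener.accept()
    if is_allowed(peer[0], networks):
        return conn
    log.warning("refused connection from %s port %s", peer[0], peer[1])
    conn.close()
    return None
```

The check uses the peer address reported by accept(), so it belongs in front of any protocol handling: a refused client never gets to send a byte to the proxy logic.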


