Simple Mail Transfer Protocol Security

The main purpose for this site is (was?) my E-mail Security Site(SSI version)  E-mail Security Site(Frames version).

Can't get enough of my rants? You'll be happy to know that: I Blog (or is that iBlog?).


FOR FSCK'S SAKE, STOP DOING THIS!!!
query-source port 53;
query-source-v6 port 53;

Want to know what that says?  It says "HI, I AM AN IDIOT WHO READ A "HOW-TO SETUP BIND" GUIDE BY ANOTHER IDIOT WHO ALSO DID NOT UNDERSTAND DNS OR INTERNET SECURITY."  Newsflash: Leaving these settings in your named.conf will guarantee that your nameserver is vulnerable to poisoning, no matter how many patches you apply.  Go check your named.conf right now to make sure your stupidity isn't showing.

PS: If you are one of those idiots responsible for writing such a guide, please fix it (preferably by deleting it, since you're too dumb to be telling other people what to do), then rid the world of your ignorance.
In similar news, people are really, really, really, really dumb.  Apparently a bunch of idiot two-bit web developers, clueless bloggers, and other security-illiterate morons have decided that Firefox3 properly warning people about dangerous websites is wrong.  I'll write up a full debunking when I get the chance, but for now ponder this thought: What's worse, knowing any information you send to a particular site won't be protected (and therefor being able to make an informed decision on whether you want to send it), or being LIED to and told your information is safe, when it's really not?

Wow, I finally put new content up on my site!

The fastest way I've found to generate X509 certificates.
I can't stand how incredibly frustrating it is just to generate certificates and sign them.  After wasting the better part of a week on a particularly maddening problem that ultimately was caused by self-signed certs, I got motivated to save other people all the trouble that I went through.  Click the link above and never spend hours bashing your head on your desk due to certificates again (just remember that you need to export the cacert.pem and import it as a "trusted root" into whatever system needs to validate the certs you sign).

On a related note, the Keychain password for the X509Anchors keychain in OS X is 'X509Anchors' (no quotes).  Would it be nice if Apple documented this?  Yeah... It would also be nice if someone gave me a Ferrari.

Tool for discovering SSL/TLS ciphers supported by a secure site
I couldn't find any simple tools to audit the ciphers supported by a remote site, so I wrote my own.

How to net boot your way to new PROM on a SPARC box (AKA how to flash your PROM w/o Solaris).

How to install Nessus on OS X
In case anyone else is frustrated by:
    libtool: warning: cannot infer operation mode from `/usr/bin/gcc-4.0'
click the above link for the solution.  I can't take credit, just helping publicize it (the fix probably applies generally to a lot of other Macports).

* * * * * * * * * * * * * * * * * * * * *

NOTICE: I AM NOT SENDING YOU SPAM!

I guess it was only a matter of time, but someone thought it would be funny to spoof my domain in a Joe Job attack.  If you would have turned SPF on for your e-mail servers, you wouldn't have accepted the crap in the first place.  Don't want to get spam that looks like it's from me?  Go configure your e-mail servers to do an SPF lookup!

The e-mail you're receiving is a poorly spoofed fraud.  Look at the received headers:
Received: from msx-sg6-10.hinet.net (msx-sg6-10.hinet.net [168.95.5.179]) by ms3.hinet.net (8.8.8/8.8.8) with ESMTP id TAA03008; Tue, 30 Jan 2007 19:07:57 +0800 (CST)
Received: from xp-0606f976184e.chello.pl (chello087206195030.chello.pl [87.206.195.30]) by msx-sg6-10.hinet.net (8.8.8/8.8.8) with ESMTP id TAA02384; Tue, 30 Jan 2007 19:07:49 +0800 (CST) <-- HMMM, HOW DID THIS GET IN HERE???
Received: from 64.81.243.137 (HELO am-heh.smtps.net) by ms3.hinet.net with esmtp (82O01*N8=, .87,)

* * * * * * * * * * * * * * * * * * * * *

I written an article on Why Vista Needs to Fail in response to the blatantly anti-consumer power-play by Microsoft in their Vista OS.

Cyveillance are evil-doers, but their haters are idiots.  So after reading a little bit more and discovering that these guys are in bed with the MPAA/RIAA I decided to finally blackhole them on my firewall.  I was trying to discover a definitive list of their IP addresses but unfortunately everything I found on the net was egregiously in error.  Apparently people are so enraged by Cyveillance that they completely forget any notion of subnetting and totally lapse on how to perform accurate whois lookups.  If anyone out there actually does understand these concepts and has an accurate list of Cyveillance IP addresses, please e-mail me at .  In particular, if someone could explain how to query rwhois.cognetco.com for Org-Name I would be eternally greatful (I can find netblock owners by IP, but not by the owner's name).

Random Stuff I Found Interesting for Some Reason

"I would buy a Mac today if I was not working at Microsoft." -- Jim Allchin, Co-President, Platforms & Services Division.
Fortunately, most of us do not work for Microsoft :)  So what are you waiting for?  Take the advice of a Microsoft executive and go buy a Mac

Due to the spectacular failure of yet another IBM DeskStar (AKA DeathStar) drive, this site was offline for about two years.
Thanks to Apple, the Mac Mini, and especially Internet Archive it is now back on-line!!!


This site © copyright 2003-2008 Brian Keefer.  Opinions expressed on this site are my own and do not reflect those of my employer.