> Shortly after I sent my request to bugtraq, I got an idea to look around
> on my local Linux mirror and found "talkd+antiflash+hatemail.tar.gz"
> which basically filters out flashes and then sends automatic 'hatemail' to
> root@remote.site

Be careful - the hatemail feature has a security hole. Apply this patch:

--- process.c.orig Mon Jan 16 06:07:52 1995 +++ process.c Tue Apr 25 13:04:58 1995 @@ -167,8 +167,10 @@ char sys_buf[150]; caller_host=hp->h_name; +#if 0 /* security problem */ sprintf(sys_buf,"/etc/flash.mail %s",caller_host); system(sys_buf); +#endif } else caller_host="unknown";

You can see two problems here: sprintf() and system(). Guess what happens
if the DNS name is too long or contains some command in back quotes...

> However, I ran into problems compiling it on our HP9000's, Linux
> apparently has a '<protocols/talkd.h>' in its system includes.

Yes, it has. Mail me if you need a copy.

Regards,
--
Marek Michalkiewicz <marekm@i17linuxa.ists.pwr.wroc.pl>
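
Review bot: At the `#if 0 /* security problem */` line, the comment does not say what the problem is, and as far as this hunk shows `char sys_buf[150];` is left declared with no remaining use. Suggest naming both issues in the comment (the unbounded `sprintf()` of `hp->h_name` into the 150-byte buffer, and that name reaching a shell through `system()`), and moving the declaration inside the disabled region. If the mail feature is wanted rather than dropped, the pair should be replaced by a length- and character-checked name handed to `/etc/flash.mail` without a shell.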
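
An added example, not part of the original message or of the talkd package: one way the disabled call could be rewritten so that the resolved name is neither copied into a fixed-size buffer nor parsed by a shell. The names `host_is_safe`, `run_flash_mail` and `MAX_HOST`, the allowed character set and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOST 253   /* assumed cap: longest DNS name in text form */

/* Accept only letters, digits, '-' and '.'; refuse a leading '-' so the
 * name can never be read as an option by the helper. */
int host_is_safe(const char *h)
{
    size_t i, n = h ? strlen(h) : 0;

    if (n == 0 || n > MAX_HOST || h[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        char c = h[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Run `helper` with the host as a single argv element: no shell parses it
 * and no fixed-size buffer holds it. Returns the helper's exit status,
 * or -1 if the name is rejected or the child could not be run. */
int run_flash_mail(const char *helper, const char *host)
{
    int status;
    pid_t pid;

    if (!host_is_safe(host))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl(helper, helper, host, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed names, as a resolver outside our control could return. */
    printf("%d %d\n", host_is_safe("host.example.org"),
           host_is_safe("x`id`.example.org"));
    return 0;
}
```

The character check is deliberately stricter than what resolvers will return, so a name containing an underscore, for instance, is rejected rather than mailed about.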