perl-nocem

Christoph Biedl cbiedl at gmx.de
Sun May 14 12:05:12 UTC 2006


To resume a recent thread in news.software.nntp:

Russ Allbery wrote (in <87wtcvnf6g.fsf at windlord.stanford.edu>):

> perl-nocem may need some additional love as NoCeMs become more popular and
> more of the checking and verification options become relevant.

Actually, I was thinking about using nocem for a long time and now I find
that I'll need a method to bulk-cancel a given list of articles on several
servers with the least required effort. Obviously nocem will do that
perfectly and securely. No need to re-invent the wheel.

Looking at perl-nocem I find some things that deserve improvement:

- "error" priority

Linux (or at least Sys::Syslog) does not support the "error" priority.
Therefore perl-nocem will die in case of an error, and without logging the
error message.

My instant patch is

--- OLD/control/perl-nocem.in   2006-05-14 00:17:08.000000000 +0200
+++ NEW/control/perl-nocem.in   2006-05-14 00:23:06.000000000 +0200
@@ -444,7 +444,9 @@
         print LOG "$lvl: $msg\n";
         return;
     }
-    syslog($lvl || 'notice', '%s', $msg);
+    $lvl ||= 'notice';
+    ($lvl eq 'error') && ($^O eq 'linux') && ($lvl = 'notice');
+    syslog($lvl, '%s', $msg);
 }

 sub hup_handler {
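
Review bot: on the added line "($lvl eq 'error') && ($^O eq 'linux') && ($lvl = 'notice');", an 'error' message is rewritten to 'notice', so real failures reach syslog at a lower severity than intended and can be dropped by a syslog configuration that filters on priority. The standard syslog name for that level is 'err', so mapping 'error' to 'err' would keep the severity. Doing the mapping unconditionally would also remove the $^O test, which keys on the operating system although the message itself suspects Sys::Syslog. A plain if statement would read more clearly than the chained && ending in an assignment.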


but I would be glad if autoconf could take care of that in a useful way. As
an alternative: Drop 'error' entirely.


- Doing the cancels

At the moment perl-nocem forks a 'ctlinnd cancel' for each article to be
cancelled which I consider rather expensive. No doubt a (in shell) "cat
list | grephistory -s | xargs sm -r" is much faster but this does not
block the Message-ID in the history if the article is not there yet. I'd
like to combine the best of both worlds, probably using a "bulkcancel" helper
program that reads Message-IDs from stdin and sends them to innd via the
control channel. Is there something like that already available?


- Extensions

Obviously nocem processing may become subject to DoS attacks by flooding
the according groups with forged headers and faked signatures. I'd like
to propose an extension to counteract that threat by additionally checking
against headers that cannot be set in a POSTed article while the legitimate
nocem sender can use his IHAVE connection for that.

For example the sender could set an "NNTP-Posting-Host: 172.19.1.2"
header in each article, and perl-nocem could easily check against that
prior to the expensive gpg stuff. nocem.ctl would contain that information
like in

sender at example.com:*:NNTP-Posting-Host:172.19.1.2

The IP number could be either the sender's fixed IP or something in the
RFC 1918 space.


Other ideas what could be done with perl-nocem?

    Christoph
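
The header pre-check proposed under "Extensions", as an added Perl example (not part of the original message and not perl-nocem code): it parses the extended nocem.ctl line format shown above and decides whether an article should reach the gpg step at all. The function names, the issuer address and the sample headers are constructed for illustration, and the check only helps if the server does not let a POSTing client supply that header, which is the premise of the proposal.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse nocem.ctl lines in the extended form proposed in the message:
#   issuer:types[:Header-Name:required-value]
# The two trailing fields are the proposal; they are optional here so
# plain "issuer:types" entries keep working.
sub parse_ctl {
    my ($text) = @_;
    my %rules;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;            # comments, blank lines
        # A limit of 4 keeps colons inside the value (e.g. IPv6) intact.
        my ($issuer, $types, $hdr, $val) = split /:/, $line, 4;
        next unless defined $types;
        $rules{lc $issuer} = {
            types => [ split /,/, $types ],
            (defined $val ? (header => lc $hdr, value => $val) : ()),
        };
    }
    return \%rules;
}

# Cheap pre-filter: true if the article may proceed to signature checking.
# It never replaces the gpg check; it only discards obvious forgeries early.
sub passes_prefilter {
    my ($rules, $issuer, $head) = @_;
    my $rule = $rules->{lc $issuer} or return 0;   # unknown issuer
    return 1 unless $rule->{header};               # no extra constraint
    $head =~ s/\r?\n[ \t]+/ /g;                    # unfold continuation lines
    my @found;
    for my $l (split /\r?\n/, $head) {
        my ($name, $body) = $l =~ /^([^:\s]+):\s*(.*?)\s*$/ or next;
        push @found, $body if lc $name eq $rule->{header};
    }
    # Exactly one occurrence and an exact match; duplicates count as forged.
    return (@found == 1 && $found[0] eq $rule->{value}) ? 1 : 0;
}

# Constructed sample data, not taken from a real server.
my $rules = parse_ctl("sender\@example.com:*:NNTP-Posting-Host:172.19.1.2\n");
my $good  = "From: sender\@example.com\nNNTP-Posting-Host: 172.19.1.2\n";
my $bad   = "From: sender\@example.com\nNNTP-Posting-Host: 203.0.113.9\n";
printf "%-5s %s\n", $_->[0], passes_prefilter($rules, 'sender@example.com', $_->[1])
    ? 'verify with gpg' : 'drop before gpg' for ([good => $good], [bad => $bad]);
```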


More information about the inn-workers mailing list