Hi Marc,
Well, I'm no guru but I can tell you that, in all probability, your
server has not been compromised - in the sense that someone has
broken in and is merrily sending stuff in your name.
Thanks David for your reply and I hear what you are saying about
trust... But in the past James has always verified that only members
of a list server could send email to/through that list server. I have
noted a lot of attempts by spammers to impersonate me or another user,
when trying to send email to the list server but those attempts have
always failed in the past. What has changed and why should this check
now be failing.
Sorry, I didn't pick up on the fact that you were talking about a list.
I've not implemented that myself so I don't have first hand knowledge.
That said, I've just been looking at the code. I notice that the
CommandListServProcessor class simply calls mail.getSender() to check
that an incoming message is OK to post to the list. According to the
JavaDocs [1] this uses the MAIL FROM header of the email which as I
discussed in my first email is easy to forge by a spammer.
So, all a spammer has to do to get his nastiness posted on your list is
to send an email to your announce email address with a forged 'Mail
From' header that matches that of someone in your list's list of allowed
users.
That sounds to me like something a clever piece of spam technology could
do. For example, if any of your list's users has had an infected PC in
which the user's address book was stolen then your announce email
address and one or two of the list users addresses would be present.
The laws of chance would then dictate that sooner or later the right
combination got sent.
My understanding of Bayesian filters is that they require some sort of
feedback to train them on what is junk and what is not. I can
understand how this is done in an email client but I couldn't
understand how it would be done on a server.. So I never bothered with
it...
The James Bayesian Analysis mailet does require you to feed it with ham
and spam messages. This is onerous at first but the effort quickly
diminishes as the amount of spam lessens. All you have to do is forward
the offending or innocent email as an attachment (something which
Thunderbird does automatically) to one of two special email addresses
hosted by your server.
Also I am using SMTP Auth which requires a password to send email via
the server, not simply SMTP.
SMTP Auth only requires a sender to be authorized if they are trying to
send an email out from the server. If an incoming email is destined for
someone local to your server it isn't required (if it was then random
people wouldn't be able to email you!). I'm not sure but I would think
people emailing your announce address would be treated as a local email
and wouldn't need a password.
Are you in fact telling me to enable the Bayesian filter and that is
my only hope?
I'm hoping someone else will chime in here, but I think you definitely
need something to perform more rigorous checks.
Regards,
David Legg
[1]
http://james.apache.org/server/2.3.1/apidocs/org/apache/mailet/Mail.html#getSender()
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
