On Monday 11 May 2009, CJ Fearnley wrote:
> The Message-ID is the only guaranteed to be available on all systems
> method (I've confirmed that sendmail, postfix, and exim all log Message-ID
> by default) to ensure that site operators have access to the Authenticated
> username who used or abused their system. So, I think SquirrelMail
> should use the Message-ID to record the name of the Authenticated user
> responsible for each e-mail.
>
> Frankly, I think the Severity level could be serious because the current
> configuration of SquirrelMail means it is hit-and-miss for an admin of
> a Default Debian SquirrelMail configuration to be able to effectively
> police their systems from SPAMers.

I understand your concern, and indeed upstream is considering how to best add logging to a default installation of SquirrelMail. Due to the variety of underlying systems this is not a clear cut thing but requires some thought before it's implemented. That's why there are plugins that cater for logging in different flavours.

SquirrelMail does store the information pertaining to who sent an email, namely in the email's headers. It is my experience that the vast majority of spamming incidents lead to significant numbers of complaints from the target, supplying the email headers with the proof you need.

Still, your complaint does have merit and the issue is already under consideration with the SquirrelMail developers. For Debian specifically, we're considering if we can ship an appropriate logging plugin by default.

regards,
Thijs

