On 4/30/2013 2:41 AM, Philipp Kern wrote:
> On Tue, Apr 30, 2013 at 02:32:59AM -0700, Ted Mittelstaedt wrote:
> > Here is a transcript of me spamming myself with your script. Notice
> > that your script does NO error checking. I transmitted the mail
> > message from the Internet Partners public mailserver with my Gmail
> > address forged as the sender's address and your script happily delivered
> > it to my Gmail address.
> > I hope this adequately demonstrates the potential for abuse. If
> > not, imagine if I was a malevolent attacker who wanted to fill up
> > someone's Gmailbox with thousands of "Congratulations from v6net.ru"
> > mail messages.
>
> Sure, but that's also possible by the spammer connecting directly to
> your mail-in or by using any other autoresponder on the net.

We aren't talking some opt-in mailing list that could possibly
argue that they had a reason to allow a reply to a 3rd party.
There is no reason that a proper autoresponder setup for the purpose
of testing (that the OP stated) should allow what I did.

> Now it's possible that they did not implement throttling like sane
> autoresponders do, but that's not what you wrote.

Even if it did implement throttling that is not an excuse to allow a
3rd party relay unless it's needed. And in this case it's not needed.

> Even though gmail.com does have SPF records set they have a neutral
> catch-all. Sender policies also do not say that everything has to be
> DKIM-signed so I'm not sure what kind of checking you are pointing
> at.
> It's technically not an open relay in any case.

I didn't say it was. I said that it could be abused to stuff up
someone's e-mail box. That implied a lack of throttling of course. I
assumed that if the OP was ignoring the sender's IP that they would
not have implemented throttling either.

> > I know we're all excited about IPv6 but the problem is that way too
> > many people are implementing it without any firewalling, or filtering
> > or anything. Please don't think that the spammers are stupid.
>
> I'm not sure how this relates to the problem at hand, except for
> pushing the filtering agenda.

Oh good Lord. So, reasonable mail filtering is now an 'agenda'? Since
when did mail filtering become undesirable?

Please publicly post the IP address of a mailserver YOU administer that
is NOT filtered and allows unthrottled autoresponses. And for extra
credit, why don't you open it for open relaying, too?

Do I really have to explain why it's not polite to walk out into the
middle of a crowd in the city and take off all your clothes? (well, for
most people to do that, that is - I can think of a few exceptions)

Ted

> Kind regards
> Philipp Kern
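A defensive sketch of the two checks this thread argues a test autoresponder should have (answer only a sender that is actually verified, and throttle per sender); this is an added example written for this page, not code from the original poster or from anyone in the thread. The `AutoresponderPolicy` class, the `spf_result` verdict string handed over by the MTA, and the sample addresses are all assumptions.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

# Hypothetical policy object (not from the thread): decides whether an
# autoresponder may answer a given inbound message. The SMTP envelope
# sender and the SPF verdict are assumed to be supplied by the MTA.
@dataclass
class AutoresponderPolicy:
    max_per_window: int = 1          # replies allowed per sender per window
    window_seconds: float = 3600.0   # throttle window
    recent: dict = field(default_factory=dict)  # sender -> deque of send times

    def should_reply(self, envelope_sender: str, spf_result: str,
                     headers: dict, now: float) -> tuple[bool, str]:
        # A null return path is a bounce/DSN: never answer it.
        if not envelope_sender:
            return False, "empty envelope sender"
        # RFC 3834: don't answer mail that was itself generated automatically.
        if headers.get("Auto-Submitted", "no").lower() != "no":
            return False, "auto-submitted"
        if headers.get("Precedence", "").lower() in ("bulk", "list", "junk"):
            return False, "bulk/list precedence"
        # A forged gmail.com sender injected from an unrelated host gets SPF
        # "neutral" under the catch-all the thread describes, which proves
        # nothing about who really sent it. Only "pass" earns a reply;
        # none/neutral/softfail/fail do not.
        if spf_result != "pass":
            return False, f"spf {spf_result}"
        # Per-sender throttle: sliding window of reply timestamps.
        q = self.recent.setdefault(envelope_sender.lower(), deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "throttled"
        q.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the forged-Gmail test from the thread, then a
    # legitimate sender that triggers the responder three times in a row.
    policy = AutoresponderPolicy(max_per_window=2)
    print(policy.should_reply("victim@gmail.example", "neutral", {}, 0.0))
    for t in (10.0, 20.0, 30.0):
        print(policy.should_reply("alice@example.net", "pass", {}, t))
```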