On Wed, Apr 23, 2008 at 09:59:57AM +0200, Aiko Barz wrote: > On Mon, Apr 21, 2008 at 09:15:05PM -0700, Bubuk Gabrok wrote: > > Relay test 9 > > >>> RSET > > <<< 250 flushed > > >>> MAIL FROM:<[EMAIL PROTECTED]> > > <<< 250 ok > > >>> RCPT TO:<"securitytest%abuse.net"> > > <<< 250 ok > > Relay test result > > Hmmn, at first glance, host appeared to accept a > > message for relay. > > > > THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY. > > > > Some systems appear to accept relay mail, but then > > reject messages internally rather than delivering > > them, but you cannot tell at this point whether the > > message will be relayed or not. > > > > You cannot tell if it is really an open relay without > > sending a test message; this anonymous user test DID > > NOT send a test message. > > I tried to abuse my servers. And it didn't worked directly, but > the situation seems to be bad. > > My server interpreted <"securitytest%abuse.net"> as > <[EMAIL PROTECTED]> and bounced it back, > because this user does not exist. It shouldn't have taken it in > the first place, because I use RCPTCHECK. > > So, you can misuse qmail-ldap servers, but the aim would be > <[EMAIL PROTECTED]> in this case... >
Yes. securitytest%abuse.net is a local address because the @ is missing. RCPTCHECK will refuse to check these emails (which is stupid and should be fixed). You can enable BLOCKRELAYPROBE in the meantime to deny mails with % routes in them. -- :wq Claudio
