On 2009-03-09, at 1912, Matt Brookings wrote:
> Lendvai Péter wrote:
>> Since autorespond sends back per default the original message as well, it
>> can be used as a spam relay.
> The autorespond package most frequently used with qmailadmin will only
> respond to a certain source a given number of times.
yes, and if a spammer sends 100,000 messages to the autoresponder address, all with different forged "From" addresses, autorespond sees them all as different "sources", and will very happily respond to all 100,000 targets... one time each.
>> If there is a way to change this behaviour in a working system please let
>> me know.
what i've done on my own server is to not allow autoresponders at all.

# cd ~vpopmail/bin
# for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done
if that's not an option... i'm looking at the source code for autorespond-2.0.5, and it looks like it does have a way to NOT include the message, by adding a "0" parameter after the directory name.
of course, whoever added that functionality to autorespond, didn't add any mention of it to the man page, and didn't make it the default behaviour of the program, thereby ensuring that nobody would be protected by the new functionality unless they actually read the source and knew that it was there to begin with, AND manually edited every .qmail-{mailbox} file created by qmailadmin (or whatever other management front-end they may be using.)
>> When I am not wrong, this could be handled as:
>> - feature request (ability to turn off appending the original mail to the
>>   vacation reply)
>> - security vulnerability report.
i would call it both: a potential security vulnerability, and a very strong feature request.
qmailadmin needs to offer a checkbox in the "vacation message" area which causes the original message to be included with the response... have that checkbox be turned OFF by default, and explicitly add a "0" or "1" to the end of the command line it writes to the .qmail-{mailbox} file.
and "autorespond" needs to have "do not include the original message with the response" as the default behaviour.
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large           |
| http://www.jms1.net/ <[email protected]>                    |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
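As an added example (not code from this thread, from autorespond or from qmailadmin), a POSIX shell audit of vpopmail-style .qmail-* files that reports autoresponder lines still lacking the trailing "0" flag John describes, and appends it where missing. It assumes autorespond 2.0.5's argument order `time num message dir [flag arsender]` and that the front-end writes a single `| /path/autorespond ...` line per file; the sample domain directory and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, autorespond or qmailadmin. Assumes
# autorespond's "time num message dir [flag arsender]" argument order and one
# "| /path/autorespond ..." line per .qmail-* file. Sample paths are constructed.
AR_LINE='^|[[:space:]]*[^[:space:]]*autorespond[[:space:]]'

# Print FILE's autorespond flag (5th argument after the program), or nothing
# when the line is absent or stops at "dir", the case that makes autorespond
# echo the original message back to a forged sender.
autorespond_flag() {
    args=$(sed -n "s/${AR_LINE}*//p" "$1" | head -n 1)
    set -- $args
    [ "$#" -ge 5 ] && printf '%s\n' "$5"
    return 0
}

# List every .qmail-* file under DIR whose autoresponder still appends the
# original message (no flag, or a flag other than 0).
find_echoing_autoresponders() {
    find "$1" -name '.qmail-*' -type f | sort | while read -r f; do
        grep -q "$AR_LINE" "$f" || continue
        [ "$(autorespond_flag "$f")" = "0" ] || echo "$f"
    done
}

# Append an explicit "0" to FILE's autorespond line. Returns 1 for non-autorespond
# files and when a flag is already present, so a deliberate "1" is reported, not changed.
harden_autoresponder() {
    grep -q "$AR_LINE" "$1" || return 1
    [ -z "$(autorespond_flag "$1")" ] || return 1
    tmp="$1.tmp.$$"
    sed "/${AR_LINE}/ s/[[:space:]]*\$/ 0/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: bob echoes the original, ann already passes 0, carol
# is a plain Maildir delivery and must be ignored.
make_sample_domain() {
    d=$(mktemp -d)
    printf '| /usr/bin/autorespond 86400 3 %s/bob/vacation.msg %s/bob/vacation\n' "$d" "$d" > "$d/.qmail-bob"
    printf '| /usr/bin/autorespond 86400 3 %s/ann/vacation.msg %s/ann/vacation 0\n' "$d" "$d" > "$d/.qmail-ann"
    printf './Maildir/\n' > "$d/.qmail-carol"
    echo "$d"
}

# Stand-alone run: report, fix, re-check, clean up.
sample=$(make_sample_domain)
echo "echoing before:"; find_echoing_autoresponders "$sample"
harden_autoresponder "$sample/.qmail-bob"
echo "echoing after:"; find_echoing_autoresponders "$sample"
rm -rf "$sample"
```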
