Thanks John, that is exactly what I mean and what I am afraid of. Btw, our mail server already got an abuse warning due to this behaviour. Hopefully spammers do not know about this and do not try to exploit this potential vulnerability.

I am trying to patch the source code of autorespond, but I am not a C coder, just a sysadmin; perl and bash are my two main weapons :) If someone already has a patch for it, I would appreciate that.

Regards,
Peter

On Wed, 11 Mar 2009 04:48:27 -0400, John Simpson <[email protected]> wrote:
> On 2009-03-09, at 1912, Matt Brookings wrote:
>> Lendvai Péter wrote:
>>> Since autorespond sends back by default the original message as
>>> well, it can be used as a spam relay.
>>
>> The autorespond package most frequently used with qmailadmin will only
>> respond to a certain source a given number of times.
>
> yes, and if a spammer sends 100,000 messages to the autoresponder
> address, all with different forged "From" addresses, autorespond sees
> them all as different "sources", and will very happily respond to all
> 100,000 targets... one time each.
>
>>> If there is a way to change this behaviour in a working system
>>> please let me know.
>
> what i've done on my own server is to not allow autoresponders at all.
>
> # cd ~vpopmail/bin
> # for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done
>
> if that's not an option... i'm looking at the source code for
> autorespond-2.0.5, and it looks like it does have a way to NOT include
> the message, by adding a "0" parameter after the directory name.
>
> of course, whoever added that functionality to autorespond, didn't add
> any mention of it to the man page, and didn't make it the default
> behaviour of the program, thereby ensuring that nobody would be
> protected by the new functionality unless they actually read the
> source and knew that it was there to begin with, AND manually edited
> every .qmail-{mailbox} file created by qmailadmin (or whatever other
> management front-end they may be using.)
>
>>> When I am not wrong, this could be handled as:
>>> - feature request (ability to turn off appending the
>>>   original mail to the vacation reply)
>>> - security vulnerability report.
>
> i would call it both- a potential security vulnerability, and a very
> strong feature request.
>
> qmailadmin needs to offer a checkbox in the "vacation message" area
> which causes the original message to be included with the response...
> have that checkbox be turned OFF by default, and explicitly add a "0"
> or "1" to the end of the command line it writes to the .qmail-{mailbox} file.
>
> and "autorespond" needs to have "do not include the original message
> with the response" as the default behaviour.
>
> ----------------------------------------------------------------
> | John M. Simpson --- KG4ZOW --- Programmer At Large |
> | http://www.jms1.net/ <[email protected]> |
> ----------------------------------------------------------------
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
> ----------------------------------------------------------------

--
Lendvai Péter
Computer Engineer
1048 Budapest, Külső Szilágyi út 110.
Tel.: 20/5450912
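An added example, not from this thread nor from the autorespond or qmailadmin projects, of the manual .qmail audit John describes: a POSIX shell script that reports autorespond lines lacking the trailing "0" flag and rewrites them so the original message is no longer echoed back. It assumes the command-line shape `|/path/autorespond <time> <num> <message-file> <dir> [<flag>]`, with the flag being the argument right after the directory name; the sample paths in the comments are constructed.

```shell
#!/bin/sh
# Audit and harden qmailadmin-style autoresponder lines so that autorespond
# is always called with the "0" flag (do not echo the original message back).
# Assumed line shape (an assumption, not taken from the thread):
#   |/path/to/autorespond <time> <num> <message-file> <dir> [<flag>]
# i.e. the include-original flag is the argument right after <dir>.

# Report one file: "none" (no autorespond line), "safe" (every autorespond
# line carries the flag 0) or "include-original" (at least one line lacks it).
qmail_autorespond_status() {
    file="$1"
    status="none"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '|'*autorespond*) ;;
            *) continue ;;
        esac
        args=$(printf '%s' "$line" | sed 's/^|[[:space:]]*//')
        set -- $args   # $1=prog $2=time $3=num $4=message $5=dir $6=flag
        if [ "$#" -ge 6 ] && [ "$6" = "0" ]; then
            [ "$status" = "include-original" ] || status="safe"
        else
            status="include-original"
        fi
    done < "$file"
    printf '%s\n' "$status"
}

# Rewrite one file in place: add the "0" flag where it is missing, and turn
# an explicit "1" into "0". Lines with more arguments are left untouched.
qmail_autorespond_harden() {
    file="$1"
    tmp="$file.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '|'*autorespond*)
                args=$(printf '%s' "$line" | sed 's/^|[[:space:]]*//')
                set -- $args
                if [ "$#" -eq 5 ]; then
                    line="$line 0"
                elif [ "$#" -eq 6 ] && [ "$6" = "1" ]; then
                    line="|$1 $2 $3 $4 $5 0"
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
}
```

For a whole vpopmail tree (layout assumed) run something like `find ~vpopmail/domains -name '.qmail*' -type f` and call `qmail_autorespond_harden` on every file whose status is `include-original`.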
