On Wednesday 11 March 2009 11:24:02 Lendvai Péter wrote:
> Thanks John, that is exactly what I mean and what I am afraid of. Btw, our
> mail server got already an abuse warning due to this behaviour. Hopefully
> spammers do not know and do not try to exploit this potential
> vulnerability.
>
> I try to patch the source code of autorespond but I am not a C coder, just
> a sysadmin, perl and bash are my two main weapons :)
>
> If someone has already a patch for it, I would appreciate that.
>
> Regards,
> Peter
>
> On Wed, 11 Mar 2009 04:48:27 -0400, John Simpson <[email protected]> wrote:
> > On 2009-03-09, at 1912, Matt Brookings wrote:
> >> Lendvai Péter wrote:
> >>> Since autorespond sends back per default the original message as
> >>> well, it can be used as a spam relay.
> >>
> >> The autorespond package most frequently used with qmailadmin will only
> >> respond to a certain source a given number of times.
> >
> > yes, and if a spammer sends 100,000 messages to the autoresponder
> > address, all with different forged "From" addresses, autorespond sees
> > them all as different "sources", and will very happily respond to all
> > 100,000 targets... one time each.
> >
> >>> If there is a way to change this behaviour in a working system
> >>> please let me know.
> >
> > what i've done on my own server is to not allow autoresponders at all.
> >
> > # cd ~vpopmail/bin
> > # for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done
> >
> > if that's not an option... i'm looking at the source code for
> > autorespond-2.0.5, and it looks like it does have a way to NOT include
> > the message, by adding a "0" parameter after the directory name.
> >
> > of course, whoever added that functionality to autorespond, didn't add
> > any mention of it to the man page, and didn't make it the default
> > behaviour of the program, thereby ensuring that nobody would be
> > protected by the new functionality unless they actually read the
> > source and knew that it was there to begin with, AND manually edited
> > every .qmail-{mailbox} file created by qmailadmin (or whatever other
> > management front-end they may be using.)
> >
> >>> When I am not wrong, this could be handled as:
> >>> - feature request (ability to turn off appending the
> >>>   original mail to the vacation reply)
> >>> - security vulnerability report.
> >
> > i would call it both- a potential security vulnerability, and a very
> > strong feature request.
> >
> > qmailadmin needs to offer a checkbox in the "vacation message" area
> > which causes the original message to be included with the response...
> > have that checkbox be turned OFF by default, and explicitly add a "0"
> > or "1" to the end of the command line it writes to the .qmail-{mailbox}
> > file.
> >
> > and "autorespond" needs to have "do not include the original message
> > with the response" as the default behaviour.
> >
> > ----------------------------------------------------------------
> > | John M. Simpson --- KG4ZOW --- Programmer At Large |
> > | http://www.jms1.net/ <[email protected]> |
> > ----------------------------------------------------------------
> > | http://video.google.com/videoplay?docid=-1656880303867390173 |
> > ----------------------------------------------------------------

I've patched autorespond to NOT respond to spam messages, as recognised by
spamassassin. The patch is very simple, and I've submitted it to this list in
the past.

It works in our setup (qmailscanner + spamassassin + clamav)

Here it comes again; I hope you'll appreciate.

--
Simone Lazzaris
INTERACTIVE NETWORK SRL
Via Roggia Vignola 9, 24047 Treviglio (BG)
tel : +39 0363.302820
fax : +39 0363.304352
web : http://www.interactive.eu
email : [email protected]
--- autorespond-2.0.4-orig/autorespond.c 2003-08-25 18:11:58.000000000 +0200
+++ autorespond-2.0.4/autorespond.c 2007-02-14 14:53:00.000000000 +0100
@@ -640,7 +640,8 @@
}
if ( inspect_headers("precedence", "junk" ) != (char *)NULL ||
inspect_headers("precedence", "bulk" ) != (char *)NULL ||
- inspect_headers("precedence", "list" ) != (char *)NULL )
+ inspect_headers("precedence", "list" ) != (char *)NULL ||
+ inspect_headers("X-Spam-Status", "Yes," ) != (char *)NULL )
{
fprintf(stderr,"AUTORESPOND: Junk mail received.\n");
_exit(100);
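Review bot: the added inspect_headers("X-Spam-Status", "Yes,") condition only suppresses replies to mail that an upstream SpamAssassin pass has already tagged, so it narrows the relay problem the thread describes rather than closing it: an unflagged message with a forged From address still gets the original message echoed back to it. Two things to confirm before applying: that inspect_headers compares the header name case-insensitively and the value as a prefix or substring, since the branch relies on matching the literal "Yes," at the start of SpamAssassin's "Yes, score=..." value; and that the _exit(100) path the new branch shares with the junk/bulk/list check is the intended qmail delivery outcome for tagged spam. The dependency on a scanner running before autorespond (qmailscanner in the poster's setup) also belongs in the man page, given the thread's complaint about the undocumented "0" parameter. Note too that the diff is against autorespond-2.0.4 while the thread discusses 2.0.5.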
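To show what the header gate above has to get right, here is an added example of my own (it is not autorespond's code, and its header_value_starts_with and should_autorespond functions are hypothetical names, not the project's inspect_headers): it scans only the header block of a message, matches the header name case-insensitively, and tests the value as a case-insensitive prefix, so "Precedence: Bulk" and SpamAssassin's "X-Spam-Status: Yes, score=..." are both caught while a body that merely mentions X-Spam-Status is not. The sample messages are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does s begin with prefix? Stops safely at the end
 * of either string, so a header line cut off by '\n' or '\0' never matches
 * a longer token. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Scan only the header block of msg (everything before the first empty
 * line) for a header called name whose value, after optional whitespace,
 * begins with value. Both comparisons ignore case. Returns 1 on a match,
 * 0 otherwise. Folded continuation lines are not joined: this demonstrates
 * the check, it is not a full RFC 5322 parser. (Hypothetical helper.) */
int header_value_starts_with(const char *msg, const char *name, const char *value)
{
    size_t nlen = strlen(name);
    const char *line = msg;

    while (*line && *line != '\n' && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > nlen && line[nlen] == ':' && starts_with_ci(line, name)) {
            const char *v = line + nlen + 1;
            while (v < line + len && (*v == ' ' || *v == '\t'))
                v++;
            if (starts_with_ci(v, value))
                return 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* The policy from the thread: never auto-reply to junk, bulk or list mail,
 * nor to a message an upstream SpamAssassin stage has tagged, because the
 * reply (and any echoed original) would go to a forged sender. Returns 1
 * when an auto-reply is acceptable, 0 when it must be suppressed. */
int should_autorespond(const char *msg)
{
    static const char *const junk_precedence[] = { "junk", "bulk", "list" };
    size_t i;

    for (i = 0; i < sizeof junk_precedence / sizeof junk_precedence[0]; i++)
        if (header_value_starts_with(msg, "Precedence", junk_precedence[i]))
            return 0;
    /* SpamAssassin writes "X-Spam-Status: Yes, score=..." for tagged mail. */
    if (header_value_starts_with(msg, "X-Spam-Status", "Yes,"))
        return 0;
    return 1;
}

/* Constructed sample messages (not real traffic) exercising each branch. */
static const char *const samples[] = {
    "From: alice@example.net\nSubject: hello\n\nplain message\n",
    "From: announce@example.net\nprecedence: Bulk\n\nnewsletter\n",
    "X-Spam-Status: Yes, score=9.1 required=5.0\nFrom: x@example.org\n\nbuy now\n",
    "X-Spam-Status: No, score=0.3 required=5.0\nFrom: bob@example.net\n\nhi\n",
    "Subject: forwarded\n\nX-Spam-Status: Yes, (only in the body)\n",
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               should_autorespond(samples[i]) ? "reply" : "suppress");
    return 0;
}
```

Running it prints "reply" for samples 0, 3 and 4 and "suppress" for 1 and 2. The gate still depends on a scanner having added X-Spam-Status before autorespond runs, and it does nothing about the echoed original for messages the scanner does not tag; that part is the default-behaviour change the thread asks for.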
