On Wed, 11 Mar 2009 12:29:53 +0100, Simone Lazzaris <[email protected]> wrote:

> On Wednesday 11 March 2009 11:24:02 Lendvai Péter wrote:
>> Thanks John, that is exactly what I mean and what I am afraid of. Btw,
>> our mail server already got an abuse warning due to this behaviour.
>> Hopefully spammers do not know and do not try to exploit this potential
>> vulnerability.
>>
>> I try to patch the source code of autorespond but I am not a C coder,
>> just a sysadmin, perl and bash are my two main weapons :)
>>
>> If someone has already a patch for it, I would appreciate that.
>>
>> Regards,
>> Peter
>>
>> On Wed, 11 Mar 2009 04:48:27 -0400, John Simpson <[email protected]> wrote:
>> > On 2009-03-09, at 1912, Matt Brookings wrote:
>> >> Lendvai Péter wrote:
>> >>> Since autorespond sends back per default the original message as
>> >>> well, it can be used as a spam relay.
>> >>
>> >> The autorespond package most frequently used with qmailadmin will only
>> >> respond to a certain source a given number of times.
>> >
>> > yes, and if a spammer sends 100,000 messages to the autoresponder
>> > address, all with different forged "From" addresses, autorespond sees
>> > them all as different "sources", and will very happily respond to all
>> > 100,000 targets... one time each.
>> >
>> >>> If there is a way to change this behaviour in a working system
>> >>> please let me know.
>> >
>> > what i've done on my own server is to not allow autoresponders at all.
>> >
>> > # cd ~vpopmail/bin
>> > # for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done
>> >
>> > if that's not an option... i'm looking at the source code for
>> > autorespond-2.0.5, and it looks like it does have a way to NOT include
>> > the message, by adding a "0" parameter after the directory name.
>> >
>> > of course, whoever added that functionality to autorespond, didn't add
>> > any mention of it to the man page, and didn't make it the default
>> > behaviour of the program, thereby ensuring that nobody would be
>> > protected by the new functionality unless they actually read the
>> > source and knew that it was there to begin with, AND manually edited
>> > every .qmail-{mailbox} file created by qmailadmin (or whatever other
>> > management front-end they may be using.)
>> >
>> >>> If I am not wrong, this could be handled as:
>> >>> - feature request (ability to turn off appending the
>> >>>   original mail to the vacation reply)
>> >>> - security vulnerability report.
>> >
>> > i would call it both: a potential security vulnerability, and a very
>> > strong feature request.
>> >
>> > qmailadmin needs to offer a checkbox in the "vacation message" area
>> > which causes the original message to be included with the response...
>> > have that checkbox be turned OFF by default, and explicitly add a "0"
>> > or "1" to the end of the command line it writes to the
>> > .qmail-{mailbox} file.
>> >
>> > and "autorespond" needs to have "do not include the original message
>> > with the response" as the default behaviour.
>> >
>> > ----------------------------------------------------------------
>> > | John M. Simpson --- KG4ZOW --- Programmer At Large |
>> > | http://www.jms1.net/ <[email protected]> |
>> > ----------------------------------------------------------------
>> > | http://video.google.com/videoplay?docid=-1656880303867390173 |
>> > ----------------------------------------------------------------
>
> I've patched autorespond to NOT respond to spam messages, as recognised by
> spamassassin. The patch is very simple, and I've submitted it to this list in
> the past.
>
> It works in our setup (qmailscanner + spamassassin + clamav)
>
> Here it comes again; I hope you'll appreciate it.
Thank you Simone, you have just saved me from a night of insomnia :)

Best regards,
Peter Lendvai
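A defensive check for the .qmail-{mailbox} files John describes, as an added example that is not part of this thread nor of the autorespond or qmailadmin code: it assumes the autorespond-2.0.5 command line `autorespond time num message dir [flag [arsender]]`, where only an explicit trailing "0" stops the original message from being echoed back, and the sample paths it is tested with are constructed.

```shell
#!/bin/sh
# Audit helper added here; it is not code from the thread or from the
# autorespond/qmailadmin projects. It assumes the autorespond-2.0.5 command
# line John describes:  autorespond time num message dir [flag [arsender]]
# where only an explicit flag of "0" stops the original message being echoed.

# Classify one line of a .qmail-* file. Prints one of:
#   suppressed  - flag "0" present, original message is not sent back
#   includes    - flag "1" present, original message is sent back
#   default     - flag omitted, the program default (send it back) applies
#   not-autorespond / malformed - line does not concern us or cannot be parsed
# Exit status: 0 = safe, 1 = echoes the original, 2 = not applicable.
classify_autorespond_line() {
    case "$1" in
        \|*) ;;                                 # only pipe deliveries
        *) printf 'not-autorespond\n'; return 2 ;;
    esac
    args=${1#\|}
    set -f; set -- $args; set +f                # split on whitespace, no globbing
    case "${1:-}" in
        *autorespond) shift ;;                  # drop the program path
        *) printf 'not-autorespond\n'; return 2 ;;
    esac
    if [ "$#" -lt 4 ]; then                     # time num message dir are mandatory
        printf 'malformed\n'; return 2
    fi
    case "${5:-}" in
        0)  printf 'suppressed\n'; return 0 ;;
        1)  printf 'includes\n';   return 1 ;;
        '') printf 'default\n';    return 1 ;;
        *)  printf 'malformed\n';  return 2 ;;
    esac
}

# List every autoresponder in a vpopmail domain directory that still bounces
# the original message. Returns 1 if any were found, 0 if all are safe.
audit_domain_dir() {
    found=0
    for f in "$1"/.qmail-*; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            rc=0
            classify_autorespond_line "$line" >/dev/null || rc=$?
            if [ "$rc" -eq 1 ]; then printf '%s: %s\n' "$f" "$line"; found=1; fi
        done < "$f"
    done
    return "$found"
}
```

Run `audit_domain_dir ~vpopmail/domains/example.com` for each domain; every line it prints is an autoresponder that will still return the original message to a forged sender.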
