> they DO know about it. if they didn't, you wouldn't have been reported
> for abuse.
>
> the problem isn't limited to that particular "autorespond" program,
> either... any autoresponder or "vacation" message program which
> includes the original message in the response can be hijacked by
> spammers, and there are some spammers who actively search for them. i
> see probes for "sales@", "info@", "help@", and other common
> autoresponder names, in my logs all the time. (of course none of these
> addresses exist, and i reject RCPT commands for non-existent
> addresses, so no real damage is done- just wasted bandwidth and CPU
> cycles.)
>

You are right, but there are other mail systems with security-aware design, for example the m$ exchange, which does not include the original message in the autoreply. This could be expected from autorespond also. On this particular server, greylisting is used to separate the legitimate mail traffic from the spam flow. This is why I got only one abuse report after years of operation. Anyway, autorespond should be patched and the deployment walkthroughs should also mention this patch.
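
The behaviour asked for above, an autoreply that carries none of the original message, sketched as an added example (not part of the original post, and not autorespond's code or the patch under discussion). The function name, addresses and notice text are assumptions, and the envelope sender is assumed to be handed over by the MTA; the Auto-Submitted and Precedence checks follow RFC 3834 and go slightly beyond what the thread discusses.

```python
from email import message_from_string
from email.message import EmailMessage

# Constructed sample input: body and subject are sender-controlled text.
SAMPLE = (
    "From: someone@example.net\n"
    "Subject: BUY-NOW cheap offer\n"
    "Message-ID: <abc123@example.net>\n"
    "\n"
    "BUY-NOW http://spam.example/ constructed payload text\n"
)

def _clean(value):
    """Drop control characters and line folding from a header value."""
    return "".join(c for c in str(value) if c.isprintable()).strip()

def build_autoreply(raw, envelope_sender, own_address, notice):
    """Return an EmailMessage autoreply, or None when no reply must be sent.

    Hypothetical helper: nothing from the original body or subject is copied.
    """
    original = message_from_string(raw)
    # A null envelope sender marks a bounce; answering it creates mail loops.
    if not envelope_sender or envelope_sender.strip() == "<>":
        return None
    # Never answer mail that is itself automatic, bulk or list traffic.
    if original.get("Auto-Submitted", "no").strip().lower() != "no":
        return None
    if original.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return None
    if original.get("List-Id") is not None:
        return None

    reply = EmailMessage()
    reply["From"] = own_address
    reply["To"] = envelope_sender
    reply["Subject"] = "Auto: automatic reply"    # fixed, not the sender's subject
    reply["Auto-Submitted"] = "auto-replied"      # lets other responders skip it
    if original.get("Message-ID"):
        reply["In-Reply-To"] = _clean(original["Message-ID"])  # threading only
    reply.set_content(notice)                     # fixed text, no quoted original
    return reply
```
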
