We had a problem where users were receiving the output from `spam --help` as a 
message to their inbox. I discovered this was caused when a message was 
delivered to "-u...@example.com" (notice initial dash), which was passed to 
spamc as:

\_ /usr/bin/spamdyke --config-file /etc/spamdyke.conf […]
   \_ /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
       \_ /var/qmail/bin/simscan
           \_ spamc -u -u...@example.com

It doesn't matter if the email address is provided as a quoted argument. Here's 
a test from the command line:

  {q@oak/0 ~} cat test.eml | spamc -u '-u...@example.com'
  Error in argument 3, char 2: argument required for option u
  SpamAssassin Client version 3.3.2
  compiled with SSL support (OpenSSL 1.0.1e-fips 11 Feb 2013)
  Usage: spamc [options] [-e command [args]] < message
  […]

An email address starting with a hyphen is valid according to the RFCs, but in 
researching this I found many mail systems (e.g., Postfix) reject these 
addresses because of the danger of command-line-argument injection. It's also 
annoying for users of qmail + simscan + spamc with a catchall, who receive 
the spamc usage message instead of the intended message.

The solution I found for qmail is just to block incoming (and outgoing) mail 
containing an envelope recipient starting with a dash by adding the following 
to /var/qmail/control/badmailto:

^-

That's it. 

Here's an earlier thread I started on the spamassassin list when I first 
discovered the problem: http://goo.gl/6vq6ps

-- 
Quinn Comendant
Strangecode, LLC
http://www.strangecode.com/
+1 530 636 2633 office
@com and @strangecode

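An added example, not from the post above and not spamc's or qmail's own code: a toy POSIX shell script that reproduces the failure mode in a simplified option parser (a stand-in for spamc's, not its real logic) and puts in front of it the same check the badmailto line `^-` performs, i.e. rejecting any envelope recipient whose local part starts with a dash. The function names `fake_client`, `badmailto_rejects` and `scan_for` are hypothetical.

```shell
#!/bin/sh
# Constructed example: why a recipient beginning with "-" breaks a
# "spamc -u $rcpt" style invocation, and the check that stops it.

# Stand-in for an option-parsing client such as spamc (simplified, not
# spamc's real parser). It takes -u USER; any argument that starts with
# "-" is treated as an option, so a recipient like "-u...@example.com"
# is seen as an option cluster rather than as the value for -u.
fake_client() {
    user=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -u)
                # The value for -u must not itself look like an option;
                # if it does, the parser reports a missing argument.
                case "$2" in
                    -*|"")
                        echo "Error: argument required for option u" >&2
                        return 2 ;;
                esac
                user=$2
                shift 2 ;;
            -*)
                echo "Error: unknown option $1" >&2
                return 2 ;;
            *)
                break ;;
        esac
    done
    echo "$user"
}

# Emulates the badmailto line "^-": reject (return 0) when the envelope
# recipient starts with a dash, otherwise accept (return 1).
badmailto_rejects() {
    case "$1" in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# The check that should run before the recipient is ever placed on a
# command line. Prints the user the client received, or REJECTED.
scan_for() {
    rcpt=$1
    if badmailto_rejects "$rcpt"; then
        echo "REJECTED"
        return 1
    fi
    fake_client -u "$rcpt"
}
```

Running `scan_for '-u...@example.com'` prints REJECTED before the parser is reached, while `scan_for alice@example.com` hands the address through as intended; quoting the address on the command line changes nothing here, because the argument vector the client sees is the same either way.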