[qmailadmin] [SPAM] Re: [qmailadmin] Patching qmailadmin to compare username and passwords
On Sunday 3 June 2012 21:25:51, Adam Lyle wrote:

Greetings,

I'll start by saying that I am not a C programmer, but I have been looking through the source code trying to get this functionality to work. Here's my end goal:

The username is converted to lowercase.
The password is converted to lowercase.
They are compared, and if they are the same or similar an error is generated.

Now, I know that this is similar to the trivial passwords check, but there is a difference that I will explain. I have patched qmailadmin 1.2.15 to use the cracklib patch, and that is working well. I enabled trivial password checking and that works, mostly. I have been able to still get by a weak combination using the following:

username: TestWeak1
password: TestWeak1

What I believe is happening is that qmailadmin is converting the username to lowercase at some point but leaving the password unaltered. When it does the strstr compare it doesn't match, so it passes the combination as being good.

I tried cobbling this together:

    GetValue(TmpCGI, Newu, "newu=", tolower(Newu));
    GetValue(TmpCGI, Password1, "password1=", tolower(Password1));
    if ( strstr(Newu, Password1) != NULL ) {
        snprintf(StatusMessage, "Bad username and password combination, too similar - %s\n", html_text[175]);
        adduser();
        vclose();
        exit(0);
    }

But while that compiles without an error, qmailadmin fails when I try to add a new user. I've tried searching various C programming pages, but without a solid frame of reference I am just taking stabs in the dark.

Does anyone have a way to include this functionality?

Thanks,
-Adam

Watch better! The tolower function only changes a single char to lowercase, not a string. What you need to do is build a function that iterates through the string and changes ALL the chars to lowercase.
Anyway, I posted some time ago a patch to check that the password is not a subset of the username; it doesn't convert both to lowercase (or uppercase, for that matter) to do the check, so it doesn't do EXACTLY what you are trying to do, but if you are interested I can repost it.

--
Simone Lazzaris | Datacenter and VoIP Area Manager
Interactive Network srl | via Roggia Vignola 9, 24047 Treviglio (BG)
Tel. 0363 1970352 | Fax 0363.1971971 | www.interactive.eu
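The check Adam is after, written the way the reply describes (lowercase a copy of each string with a loop, then compare), as an added example. This is not qmailadmin code and not code from either poster; str_tolower and password_too_similar are hypothetical names, and the 256-byte buffers are an assumption about the maximum field length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lowercase a whole NUL-terminated string in place.  tolower() converts a
 * single character, which is why passing a char* to it does nothing useful;
 * the loop applies it to every byte.  The unsigned char cast keeps bytes
 * >= 0x80 out of undefined behaviour. */
static void str_tolower(char *s)
{
    for (; *s != '\0'; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Returns 1 when pass equals user or either one contains the other, ignoring
 * case; 0 otherwise.  Both inputs are copied first (hypothetical 256-byte
 * limit) so the caller's form-field buffers are left untouched.  Rejecting
 * very short passwords outright is left to cracklib, as in the thread. */
int password_too_similar(const char *user, const char *pass)
{
    char u[256], p[256];

    if (user == NULL || pass == NULL || *user == '\0' || *pass == '\0')
        return 0;

    snprintf(u, sizeof u, "%s", user);   /* truncates silently past 255 bytes */
    snprintf(p, sizeof p, "%s", pass);
    str_tolower(u);
    str_tolower(p);

    /* strstr() is case-sensitive; it only does the right thing here because
     * both copies have already been lowercased. */
    return strstr(p, u) != NULL || strstr(u, p) != NULL;
}

int main(void)
{
    /* The pair from the original report, plus a mixed-case variant. */
    printf("TestWeak1 / TestWeak1      -> %d\n", password_too_similar("TestWeak1", "TestWeak1"));
    printf("testweak1 / xTESTWEAK1!    -> %d\n", password_too_similar("testweak1", "xTESTWEAK1!"));
    printf("alice / Correct-Horse-7    -> %d\n", password_too_similar("alice", "Correct-Horse-7"));
    return 0;
}
```

Dropped into the add-user path in place of the cobbled-together snippet, the call would be `if (password_too_similar(Newu, Password1)) { ... }` with the original error message; the form fields themselves stay as the user typed them, which matters because the password is stored later, not the lowercased copy.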
Re: [qmailadmin] autorespond as a spamrelay
On Wednesday 11 March 2009 11:24:02 Lendvai Péter wrote:

Thanks John, that is exactly what I mean and what I am afraid of. Btw, our mail server already got an abuse warning due to this behaviour. Hopefully spammers do not know about and do not try to exploit this potential vulnerability. I am trying to patch the source code of autorespond, but I am not a C coder, just a sysadmin; perl and bash are my two main weapons :) If someone already has a patch for it, I would appreciate that.

Regards,
Peter

On Wed, 11 Mar 2009 04:48:27 -0400, John Simpson j...@jms1.net wrote:

On 2009-03-09, at 19:12, Matt Brookings wrote:

Lendvai Péter wrote:
Since autorespond sends back per default the original message as well, it can be used as a spam relay.

The autorespond package most frequently used with qmailadmin will only respond to a certain source a given number of times.

yes, and if a spammer sends 100,000 messages to the autoresponder address, all with different forged From addresses, autorespond sees them all as different sources, and will very happily respond to all 100,000 targets... one time each.

If there is a way to change this behaviour in a working system please let me know.

what i've done on my own server is to not allow autoresponders at all.

    # cd ~vpopmail/bin
    # for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done

if that's not an option... i'm looking at the source code for autorespond-2.0.5, and it looks like it does have a way to NOT include the message, by adding a "0" parameter after the directory name. of course, whoever added that functionality to autorespond didn't add any mention of it to the man page, and didn't make it the default behaviour of the program, thereby ensuring that nobody would be protected by the new functionality unless they actually read the source and knew that it was there to begin with, AND manually edited every .qmail-{mailbox} file created by qmailadmin (or whatever other management front-end they may be using.)
When I am not wrong, this could be handled as:
- feature request (ability to turn off appending the original mail to the vacation reply)
- security vulnerability report.

i would call it both- a potential security vulnerability, and a very strong feature request. qmailadmin needs to offer a checkbox in the vacation message area which causes the original message to be included with the response... have that checkbox be turned OFF by default, and explicitly add a "0" or "1" to the end of the command line it writes to the .qmail-{mailbox} file. and autorespond needs to have "do not include the original message with the response" as the default behaviour.

| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ j...@jms1.net |
| http://video.google.com/videoplay?docid=-1656880303867390173 |

I've patched autorespond to NOT respond to spam messages, as recognised by spamassassin. The patch is very simple, and I've submitted it to this list in the past. It works in our setup (qmailscanner + spamassassin + clamav). Here it comes again; I hope you'll appreciate it.

--
Simone Lazzaris
INTERACTIVE NETWORK SRL
Via Roggia Vignola 9, 24047 Treviglio (BG)
tel : +39 0363.302820
fax : +39 0363.304352
web : http://www.interactive.eu
email : s.lazza...@interactive.eu

--- autorespond-2.0.4-orig/autorespond.c 2003-08-25 18:11:58.0 +0200 +++ autorespond-2.0.4/autorespond.c 2007-02-14 14:53:00.0 +0100 @@ -640,7 +640,8 @@ } if ( inspect_headers(precedence, junk ) != (char *)NULL || inspect_headers(precedence, bulk ) != (char *)NULL || - inspect_headers(precedence, list ) != (char *)NULL ) + inspect_headers(precedence, list ) != (char *)NULL || + inspect_headers(X-Spam-Status, Yes, ) != (char *)NULL ) { fprintf(stderr,AUTORESPOND: Junk mail received.\n); _exit(100);
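Review bot: the added inspect_headers(X-Spam-Status, Yes, ) condition in the hunk at line 644 is the same substring search used for the Precedence values, and the later thread on this page notes that search is case-insensitive, so it still fires on any X-Spam-Status line that contains "yes," anywhere in it and relies on SpamAssassin keeping the exact "Yes, score=" wording at the start of the value. Compare only the leading token of the header value (text after the colon and whitespace) against "Yes" followed by a comma or blank instead of searching the whole line. The new behaviour is also hard-coded, with no man-page entry and no way to turn it off; a site without a SpamAssassin stage upstream gets a silent no-op and one that strips or rewrites the header gets different behaviour with nothing in the documentation to explain it.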
Re: [qmailadmin] Patch for autorespond
On Saturday 17 February 2007 02:05:52 Quinn Comendant wrote:

On Wed, 14 Feb 2007 15:14:50 +0100, Simone Lazzaris wrote:

Hi anybody/everybody,
I've patched autorespond (v2.0.4, but the patch also applies to 2.0.5) to detect spam messages tagged by spamassassin, to avoid responding to spam messages. Patch is: [...]

Hey Simone,
I added this patch to my autorespond (v2.0.4) and it doesn't work. All messages are rejected, even if they're not spam. See below. Any ideas?
Quinn

Mmmh, the patch tries to find the string "Yes" in the header starting with X-Spam-Status. Yours is

X-Spam-Status: No, score=-2.6 required=0.1 tests=BAYES_00,DK_POLICY_SIGNSOME, DK_POLICY_TESTING,DK_SIGNED,DK_VERIFIED autolearn=ham version=3.1.7
Received: from unknown (HELO web31008.mail.mud.yahoo.com) (68.142.200.171) by mx.strangecode.com with SMTP; 17 Feb 2007 00:48:05 -

Maybe it got confused because BAYES matches, as it ends with "yes". I've looked at the code and it seems that it performs a case-insensitive test, so this can be the case. Let's try to search for "Yes," instead (note the trailing comma), as spamassassin always uses "Yes," or "No,". You can modify line number 644 adding the comma and see how it performs.

--
Simone Lazzaris
Interactive S.r.L.
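The failure diagnosed above, reproduced and contrasted with a check that looks only at the start of the header value, as an added example. This is not autorespond code and not either poster's patch; ci_prefix, ci_strstr, header_value, is_spam_substring and is_spam_robust are hypothetical names, ci_strstr merely imitates the case-insensitive substring search the thread attributes to inspect_headers(), and the header lines are constructed for the example (HAM_HDR mirrors the one Quinn posted).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if s begins with prefix, compared case-insensitively.  Stops at the end
 * of s, so a short s never reads past its terminator. */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Case-insensitive substring search; stands in for the behaviour the thread
 * attributes to autorespond's inspect_headers(). */
static const char *ci_strstr(const char *hay, const char *needle)
{
    for (; *hay != '\0'; hay++)
        if (ci_prefix(hay, needle))
            return hay;
    return NULL;
}

/* If line is "Name: value" for the given name (case-insensitive), return a
 * pointer to value with leading blanks skipped; otherwise NULL. */
static const char *header_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (!ci_prefix(line, name) || line[n] != ':')
        return NULL;
    line += n + 1;
    while (*line == ' ' || *line == '\t')
        line++;
    return line;
}

/* What both versions of the patch do: any occurrence of needle anywhere in
 * the X-Spam-Status value counts as spam.  needle "Yes" hits BAYES_00 in a
 * ham header; needle "Yes," (the thread's fix) happens not to. */
int is_spam_substring(const char *hdr, const char *needle)
{
    const char *v = header_value(hdr, "X-Spam-Status");
    return v != NULL && ci_strstr(v, needle) != NULL;
}

/* SpamAssassin starts the value with "Yes," or "No,"; only that leading token
 * decides.  "Yes" must be followed by a comma, blank or end of line so that a
 * value such as "Yesterday" is not accepted either. */
int is_spam_robust(const char *hdr)
{
    const char *v = header_value(hdr, "X-Spam-Status");
    if (v == NULL || !ci_prefix(v, "Yes"))
        return 0;
    return v[3] == '\0' || v[3] == ',' || isspace((unsigned char)v[3]);
}

/* Constructed sample headers (not captured from a live system). */
const char *HAM_HDR =
    "X-Spam-Status: No, score=-2.6 required=0.1 tests=BAYES_00,DK_POLICY_SIGNSOME,"
    "DK_POLICY_TESTING,DK_SIGNED,DK_VERIFIED autolearn=ham version=3.1.7";
const char *SPAM_HDR =
    "X-Spam-Status: Yes, score=12.3 required=5.0 tests=BAYES_99,URIBL_BLACK "
    "autolearn=spam version=3.1.7";
const char *OTHER_HDR =
    "X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mx.example.net";

int main(void)
{
    printf("ham : Yes=%d Yes,=%d robust=%d\n", is_spam_substring(HAM_HDR, "Yes"),
           is_spam_substring(HAM_HDR, "Yes,"), is_spam_robust(HAM_HDR));
    printf("spam: Yes=%d Yes,=%d robust=%d\n", is_spam_substring(SPAM_HDR, "Yes"),
           is_spam_substring(SPAM_HDR, "Yes,"), is_spam_robust(SPAM_HDR));
    return 0;
}
```

The trailing-comma fix works for the header Quinn posted only because nothing else in it happens to contain "yes,"; is_spam_robust does not depend on that luck, and it also ignores the header entirely when no filter upstream has added it, which is the safe direction for an autoresponder (silence rather than a reply).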
[qmailadmin] Patch for autorespond
Hi anybody/everybody,

I've patched autorespond (v2.0.4, but the patch also applies to 2.0.5) to detect spam messages tagged by spamassassin, to avoid responding to spam messages. Patch is:

--- autorespond-2.0.4-orig/autorespond.c2003-08-25 18:11:58.0 +0200 +++ autorespond-2.0.4/autorespond.c 2007-02-14 14:53:00.0 +0100 @@ -640,7 +640,8 @@ } if ( inspect_headers(precedence, junk ) != (char *)NULL || inspect_headers(precedence, bulk ) != (char *)NULL || -inspect_headers(precedence, list ) != (char *)NULL ) +inspect_headers(precedence, list ) != (char *)NULL || +inspect_headers(X-Spam-Status, Yes ) != (char *)NULL ) { fprintf(stderr,AUTORESPOND: Junk mail received.\n); _exit(100);

It would be nice to have this integrated in autorespond.

--
Simone Lazzaris
Interactive S.r.L.
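Review bot: the added inspect_headers(X-Spam-Status, Yes ) test in the hunk at line 644 is a case-insensitive substring search over the whole header line, so it also matches "BAYES_00" in the tests= list of a ham header ("X-Spam-Status: No, score=-2.6 ... tests=BAYES_00,...") and every such message is treated as junk; this is exactly the failure Quinn reports in the reply above. Anchor the match to the start of the header value, at minimum "Yes," as the follow-up suggests, or better compare only the first token after "X-Spam-Status:" rather than searching the line. Also document the new SpamAssassin dependency in the man page, since the change alters autorespond's behaviour for every site whose upstream filter adds this header, with nothing in the program's documentation to say so.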