[qmailadmin] [SPAM] Re: [qmailadmin] Patching qmailadmin to compare username and passwords

2012-06-04 Thread Simone Lazzaris
On Sunday 3 June 2012 21:25:51, Adam Lyle wrote:
 Greetings,
 
 I'll start by saying that I am not a C programmer, but I have been
 looking through the source code trying to get this functionality to
 work. Here's my end goal.
 
 The username is converted to lowercase
 The password is converted to lowercase
 They are compared and if the same or similar an error is generated.
 
 Now, I know that this is similar to the trivial passwords check, but
 there is a difference that I will explain.
 
 I have patched qmailadmin 1.2.15 to use the cracklib patch, and that is
 working well. I enabled trivial password checking and that works,
 mostly. I have been able to still get by a weak combination using the
 following:
 username: TestWeak1
 password: TestWeak1
 
 What I believe is happening is that qmailadmin is converting the
 username to lowercase at some point but leaving the password
 unaltered. When it does the strstr compare it doesn't match, so it
 passes the combination as being good.
 
 
 I tried cobbling this together:
   GetValue(TmpCGI,Newu, "newu=", tolower(Newu));
   GetValue(TmpCGI,Password1, "password1=", tolower(Password1));
   if ( strstr(Newu,Password1) !=NULL ) {
     snprintf (StatusMessage, "Bad username and password combination, to similar - %s\n", html_text[175]);
     adduser();
     vclose();
     exit(0);
   }
 
 But while that compiles without an error, qmailadmin fails when I try
 to add a new user.
 
 I've tried searching various C programming pages, but without a solid
 frame of reference I am just taking stabs in the dark.
 
 Does anyone have a way to include this functionality??
 
 Thanks,
 -Adam
 

Watch better! The tolower function only changes to lowercase a char, not a 
string. What you need to do is build a function that iterates through the 
string and changes ALL the chars to lowercase.

Anyway, I posted some time ago a patch to check that the password is not a 
subset of the username; it doesn't convert both to lowercase (or uppercase, 
for that matter) to do the check, so it doesn't do EXACTLY what you are trying 
to do, but if you are interested I can repost it.

-- 


Simone Lazzaris | Head of Datacenter and VoIP 
Interactive Network srl | via Roggia Vignola 9, 24047 Treviglio (BG) 
Tel. 0363 1970352 | Fax 0363.1971971 | www.interactive.eu 

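The check described in the question, with the whole-string lowercase conversion the reply asks for, as an added example (not code from qmailadmin or from either poster's patch). The names `password_too_similar`, `lower_copy` and `CRED_MAX` are hypothetical, and treating "similar" as a substring match in either direction is an assumption:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 256 /* assumed upper bound on field length */

/* Lowercase src into dst one character at a time, NUL-terminated.
 * Returns 0 on success, -1 if src does not fit. */
static int lower_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;

    if (dstlen == 0)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dstlen)
            return -1;
        /* tolower() handles a single character; the unsigned char cast
         * keeps bytes above 0x7f from being passed as negative values. */
        dst[i] = (char)tolower((unsigned char)src[i]);
    }
    dst[i] = '\0';
    return 0;
}

/* Returns 1 when the pair must be rejected: after lowercasing, either
 * string contains the other. Empty or over-long input is rejected too. */
int password_too_similar(const char *user, const char *pass)
{
    char u[CRED_MAX], p[CRED_MAX];

    if (lower_copy(u, sizeof u, user) != 0 ||
        lower_copy(p, sizeof p, pass) != 0)
        return 1;
    if (u[0] == '\0' || p[0] == '\0')
        return 1;
    return strstr(u, p) != NULL || strstr(p, u) != NULL;
}

int main(void)
{
    /* Constructed inputs; the first pair is the one from the post. */
    printf("%d\n", password_too_similar("testweak1", "TestWeak1"));
    printf("%d\n", password_too_similar("adam", "Tr0ub4dor&3"));
    return 0;
}
```

Working on lowercase copies leaves the submitted username and password unchanged for the code that stores them.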

Re: [qmailadmin] autorespond as a spamrelay

2009-03-11 Thread Simone Lazzaris
On Wednesday 11 March 2009 11:24:02 Lendvai Péter wrote:
 Thanks John, that is exactly what I mean and what I am afraid of. Btw, our
 mail server got already an abuse warning due to this behaviour. Hopefully
 spammers do not know and do not try to exploit this potential
 vulnerability.

 I try to patch the source code of autorespond but I am not a C coder, just
 a sysadmin, perl and bash are my two main weapons :)

 If someone has already a patch for it, I would appreciate that.

 Regards,
 Peter

 On Wed, 11 Mar 2009 04:48:27 -0400, John Simpson j...@jms1.net wrote:
  On 2009-03-09, at 1912, Matt Brookings wrote:
  Lendvai Péter wrote:
  Since autorespond sends back per default the original message as
  well, it
  can be used as a spam relay.
 
  The autorespond package most frequently used with qmailadmin will only
  respond to a certain source a given number of times.
 
  yes, and if a spammer sends 100,000 messages to the autoresponder
  address, all with different forged From addresses, autorespond sees
  them all as different sources, and will very happily respond to all
  100,000 targets... one time each.
 
  If there is a way to change this behaviour in a working system
  please let
  me know.
 
  what i've done on my own server is to not allow autoresponders at all.
 
  # cd ~vpopmail/bin
  # for d in `./vdominfo -n | grep -v 'alias of'` ; do ./vmoddomlimits -R 0 $d ; done
 
 
  if that's not an option... i'm looking at the source code for
  autorespond-2.0.5, and it looks like it does have a way to NOT include
  the message, by adding a 0 parameter after the directory name.
 
  of course, whoever added that functionality to autorespond, didn't add
  any mention of it to the man page, and didn't make it the default
  behaviour of the program, thereby ensuring that nobody would be
  protected by the new functionality unless they actually read the
  source and knew that it was there to begin with, AND manually edited
  every .qmail-{mailbox} file created by qmailadmin (or whatever other
  management front-end they may be using.)
 
  When I am not wrong, this could be handled as:
  - feature request (ability to turn off appending the
  original mail to the vacation reply)
  - security vulnerability report.
 
  i would call it both- a potential security vulnerability, and a very
  strong feature request.
 
  qmailadmin needs to offer a checkbox in the vacation message area
  which causes the original message to be included with the response...
  have that checkbox be turned OFF by default, and explicitly add a 0
  or 1 to the end of the command line it writes to the
  .qmail-{mailbox} file.
 
  and autorespond needs to have do not include the original message
  with the response as the default behaviour.
 
 
  
 
  | John M. Simpson---   KG4ZOW   ---Programmer At Large |
  | http://www.jms1.net/ j...@jms1.net |
 
  
 
  | http://video.google.com/videoplay?docid=-1656880303867390173 |
 
  
I've patched autorespond to NOT respond to spam messages, as recognised by 
spamassassin. The patch is very simple, and I've submitted it to this list in 
the past.

It works in our setup (qmailscanner + spamassassin + clamav)

Here it comes again; I hope you'll appreciate.

-- 
Simone Lazzaris
   INTERACTIVE NETWORK SRL
   Via Roggia Vignola 9, 24047 Treviglio (BG)
   tel : +39 0363.302820
   fax : +39 0363.304352
   web : http://www.interactive.eu
   email : s.lazza...@interactive.eu
--- autorespond-2.0.4-orig/autorespond.c	2003-08-25 18:11:58.0 +0200
+++ autorespond-2.0.4/autorespond.c	2007-02-14 14:53:00.0 +0100
@@ -640,7 +640,8 @@
 	}
 	if ( inspect_headers(precedence, junk ) != (char *)NULL ||
 	 inspect_headers(precedence, bulk ) != (char *)NULL ||
-	 inspect_headers(precedence, list ) != (char *)NULL )
+	 inspect_headers(precedence, list ) != (char *)NULL ||
+	 inspect_headers(X-Spam-Status, Yes, ) != (char *)NULL )
 	{
 		fprintf(stderr,AUTORESPOND: Junk mail received.\n);
 		_exit(100);
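
Review bot: The added inspect_headers(X-Spam-Status, Yes, ) condition acts on whatever X-Spam-Status header the message carries, so it only helps when the local scanner has already run and written that header before autorespond is invoked; a message that reaches autorespond untagged still takes the reply path. A comment above the condition should state that dependency, and the documentation should mention it too, since the only setup this is reported to work on is qmailscanner + spamassassin + clamav.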



Re: [qmailadmin] Patch for autorespond

2007-02-19 Thread Simone Lazzaris
On Saturday 17 February 2007 02:05:52 Quinn Comendant wrote:
 On Wed, 14 Feb 2007 15:14:50 +0100, Simone Lazzaris wrote:
  Hi anybody/everybody
 
  I've patched autorespond (v2.0.4, but the patch also applies to 2.0.5)
  to detect spam messages tagged by spamassassin; this is to avoid
  responding to spam messages. Patch is:
  [...]

 Hey Simone

 I added this patch to my autorespond (v2.0.4) and it doesn't work. All
 messages are rejected, even if they're not spam. See below. Any ideas?

 Quinn

Mmmh the patch tries to find the string Yes in the header starting with
X-Spam-Status. Yours is 

X-Spam-Status: No, score=-2.6 required=0.1
tests=BAYES_00,DK_POLICY_SIGNSOME, DK_POLICY_TESTING,DK_SIGNED,DK_VERIFIED
autolearn=ham version=3.1.7 Received: from unknown (HELO
web31008.mail.mud.yahoo.com) (68.142.200.171) by mx.strangecode.com with
SMTP; 17 Feb 2007 00:48:05 -

Maybe it got confused because BAYES matches, as it ends
with yes. I've looked at the code and it seems that it performs a 
case-insensitive test, so this can be the case. 

Let's try to search for yes, instead (note the trailing comma), as 
spamassassin always uses Yes, or No,

You can modify the line number 644 adding the comma and see how it performs.

-- 
Simone Lazzaris
Interactive S.r.L.
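
The false match discussed in this reply, reproduced as an added example (not autorespond's code and not part of the patch). `loose_match` and `verdict_is_spam` are hypothetical helpers, and the header values are constructed: HAM follows the header quoted above, while SPAM and ODD_RULE, with its made-up rule name, are invented to show that the trailing comma alone can still match inside the tests list:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* Constructed X-Spam-Status values (see the lead-in). */
static const char HAM[] =
    "No, score=-2.6 required=0.1 tests=BAYES_00,DK_SIGNED autolearn=ham";
static const char SPAM[] =
    "Yes, score=12.3 required=5.0 tests=BAYES_99 autolearn=no";
static const char ODD_RULE[] =
    "No, score=0.4 required=5.0 tests=LOCAL_SAYS_YES,BAYES_00";

/* Loose test: needle anywhere in the value, ignoring case. This models
 * the behaviour described in the thread, not inspect_headers() itself. */
int loose_match(const char *value, const char *needle)
{
    size_t n = strlen(needle);

    for (; *value != '\0'; value++)
        if (strncasecmp(value, needle, n) == 0)
            return 1;
    return 0;
}

/* Strict test: the verdict is the first token of the value and must be
 * "Yes" followed by a comma, the form the thread says SpamAssassin uses. */
int verdict_is_spam(const char *value)
{
    while (*value == ' ' || *value == '\t')
        value++;
    return strncasecmp(value, "Yes,", 4) == 0;
}

int main(void)
{
    printf("loose yes  on HAM:      %d\n", loose_match(HAM, "yes"));
    printf("loose yes, on HAM:      %d\n", loose_match(HAM, "yes,"));
    printf("loose yes, on ODD_RULE: %d\n", loose_match(ODD_RULE, "yes,"));
    printf("strict on ODD_RULE:     %d\n", verdict_is_spam(ODD_RULE));
    printf("strict on SPAM:         %d\n", verdict_is_spam(SPAM));
    return 0;
}
```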


[qmailadmin] Patch for autorespond

2007-02-14 Thread Simone Lazzaris
Hi anybody/everybody

I've patched autorespond (v2.0.4, but the patch also applies to 2.0.5) to detect 
spam messages tagged by spamassassin; this is to avoid responding to spam 
messages. Patch is:

--- autorespond-2.0.4-orig/autorespond.c2003-08-25 18:11:58.0 
+0200
+++ autorespond-2.0.4/autorespond.c 2007-02-14 14:53:00.0 +0100
@@ -640,7 +640,8 @@
}
if ( inspect_headers(precedence, junk ) != (char *)NULL ||
 inspect_headers(precedence, bulk ) != (char *)NULL ||
-inspect_headers(precedence, list ) != (char *)NULL )
+inspect_headers(precedence, list ) != (char *)NULL ||
+inspect_headers(X-Spam-Status, Yes ) != (char *)NULL )
{
fprintf(stderr,AUTORESPOND: Junk mail received.\n);
_exit(100);
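
Review bot: On the added line, the needle Yes is not tied to the start of the X-Spam-Status value, so the result depends on how inspect_headers compares it; if it matches anywhere in the header, a token elsewhere in the value can send mail that was not tagged as spam into the Junk mail branch and _exit(100). Suggest matching the verdict together with its trailing comma (Yes,) or comparing only the first token of the value.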



It would be nice to have this integrated in autorespond.

-- 
Simone Lazzaris
Interactive S.r.L.