Bugtraq mailing list archives
Re: autoresponder program could be tricked by spamers to send unsolicited mail to victim's address (fwd)
From: Rodent of Unusual Size <Ken.Coar () Golux Com>
Date: Fri, 11 Jan 2002 07:48:52 -0500
Someone forwarded me:
> Date: Fri, 11 Jan 2002 13:51:55 +1100
> From: user () compulabs dhs org
> To: bugtraq () securityfocus com
> Subject: autoresponder program could be tricked by spamers to send unsolicited mail to victim's address
>
> Autoresponder program http://meepzor.com/packages/autoresponder/
I am the author of this package. I will look into this.
> could be tricked by spammers into sending unsolicited mail to a victim's address if the option to reply with a copy of the original message attached to the response is enabled in the autoresponder's configuration.
Nothing is without risk. Security always costs something -- usually convenience. The short answer to this for the time being is "don't do that"; in other words, don't use that option for now.
> The program does not have any sort of restriction on the number of responses to one email address during any period of time.
That is a known restriction, and listed in the TODO file. It shouldn't come as a surprise.
> I could not get in contact with the developer of this program, despite having sent a warning to the webmaster of the web site hosting the autoresponder's web page.
Um, I regard this as almost complete bollocks. AFAIK, I have never received any mail from dhs.org until to-day, when you thoughtfully sent me notification (at Fri, 12 Jan 2001 12:14:19 +1100) less than two hours before posting this to bugtraq (at Fri, 11 Jan 2002 13:51:55 +1100). Not to my own account, not to the clearly-documented autoresponder package support address, and not to the Webmaster address until a few hours ago (which was hardly the best choice, but you lucked out this time :-).

So while I appreciate the notification of the problem, and will look into it at the earliest opportunity, I'm more than a little irritated that you acted so irresponsibly -- sending a message in what could be (and was) late at night, and following it up with an 'I didn't get a response' posting to bugtraq less than two hours later (still late at night where I am). I don't care for the incorrect insinuation that I am not responsive to security reports. Of course, the next worse thing would have been to just send it to bugtraq and never to me at all.

I don't follow bugtraq, so perhaps someone will inform me privately whether or not it is appropriate for me to follow up to it with a summary or 'fixed' posting.

-- 
#ken P-)}

Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/

"All right everyone! Step away from the glowing hamburger!"
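As an added example (this is not the autoresponder package's own code and not part of either message above): a Python reply policy that implements the two mitigations the thread names, never attaching the original message to the response and capping responses per sender address per time window. It also adds the standard loop-avoidance checks (null envelope sender, Auto-Submitted, Precedence and List-* headers), which go beyond what the report discusses. All names, addresses and the sample spam are assumed or constructed here.

```python
# Added example (not Ken Coar's autoresponder code): a reply policy that
# never copies the incoming message into the response and rate-limits
# replies per sender address, plus loop-avoidance header checks.
# Sample mail, addresses and names are constructed for the example.
import email
import time
from collections import defaultdict, deque
from email import policy
from email.message import EmailMessage

# Constructed sample: spam whose sender is forged to the victim's address,
# so a "reply with copy of original attached" autoresponder would deliver
# the spam body to victim@example.com.
SAMPLE_SPAM = """\
From: victim@example.com
To: support@autoresponder.example.org
Subject: cheap pills
Message-ID: <spam-1@spammer.example.net>

BUY NOW: discount pills, click http://spammer.example.net/
"""


def parse_message(raw):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


class ResponsePolicy:
    """Decides whether to auto-reply and builds a reply that omits the original."""

    def __init__(self, window=24 * 3600, limit=1, clock=time.time):
        self.window = window              # seconds per rate-limit window
        self.limit = limit                # max replies per address per window
        self.clock = clock                # injectable for testing
        self._sent = defaultdict(deque)   # address -> timestamps of replies sent

    def should_respond(self, msg, envelope_sender):
        """Return (ok, reason). envelope_sender is the SMTP MAIL FROM address."""
        sender = envelope_sender.strip().lower()
        if sender in ("", "<>"):
            return False, "null envelope sender (bounce/DSN)"
        auto = msg.get("Auto-Submitted", "no").strip().lower()
        if auto != "no":
            return False, "Auto-Submitted: " + auto
        precedence = msg.get("Precedence", "").strip().lower()
        if precedence in ("bulk", "junk", "list"):
            return False, "Precedence: " + precedence
        if msg.get("List-Id") or msg.get("List-Unsubscribe"):
            return False, "mailing-list traffic"
        # Per-address rate limit: drop timestamps outside the window, then count.
        now = self.clock()
        history = self._sent[sender]
        while history and now - history[0] > self.window:
            history.popleft()
        if len(history) >= self.limit:
            return False, "rate limit reached for " + sender
        return True, "ok"

    def build_response(self, msg, envelope_sender, from_addr, text):
        """Return the EmailMessage to send, or None if the policy refuses."""
        ok, _reason = self.should_respond(msg, envelope_sender)
        if not ok:
            return None
        reply = EmailMessage()
        reply["From"] = from_addr
        reply["To"] = envelope_sender
        reply["Subject"] = "Auto: " + str(msg.get("Subject") or "")
        reply["Auto-Submitted"] = "auto-replied"   # RFC 3834: lets other responders skip us
        reply["Precedence"] = "bulk"
        if msg.get("Message-ID"):
            reply["In-Reply-To"] = str(msg["Message-ID"])
        # Only our canned text goes out; the incoming body is deliberately never
        # copied, so a forged sender cannot use us to deliver content to a victim.
        reply.set_content(text)
        self._sent[envelope_sender.strip().lower()].append(self.clock())
        return reply


if __name__ == "__main__":
    p = ResponsePolicy(window=3600, limit=1)
    spam = parse_message(SAMPLE_SPAM)
    me = "support@autoresponder.example.org"
    first = p.build_response(spam, "victim@example.com", me, "Thanks, we got your mail.")
    second = p.build_response(spam, "victim@example.com", me, "Thanks, we got your mail.")
    print("first reply sent:", first is not None)
    print("second reply suppressed by rate limit:", second is None)
```

The rate-limit state lives in memory here; a real deployment invoked once per message (as from a .forward or procmail rule) would have to persist it, for example in a dbm file keyed by sender address.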