Bugtraq mailing list archives

Re: autoresponder program could be tricked by spammers to send unsolicited mail to victim's address (fwd)


From: Rodent of Unusual Size <Ken.Coar () Golux Com>
Date: Fri, 11 Jan 2002 07:48:52 -0500

Someone forwarded me:

Date: Fri, 11 Jan 2002 13:51:55 +1100
From: user () compulabs dhs org
To: bugtraq () securityfocus com
Subject: autoresponder program could be tricked by spammers to send
    unsolicited mail to victim's address

Autoresponder program
http://meepzor.com/packages/autoresponder/

I am the author of this package.  I will look into this.

could be tricked by spammers into sending unsolicited mail to a
victim's address if the option to reply with a copy of the original
message attached to the response is enabled in the autoresponder's
configuration.

Nothing is without risk.  Security always costs something --
usually convenience.  The short answer to this for the
time being is "don't do that"; in other words, don't use
that option for now.

The program does not have any sort of restriction on the number of
responses to one email address during any period of time.

That is a known restriction, and listed in the TODO file.
It shouldn't come as a surprise.

I could not get in contact with the developer of this program,
despite having sent a warning to the webmaster of the web site
hosting the autoresponder's web page.

Um, I regard this as almost complete bollocks.  AFAIK, I have never
received any mail from dhs.org until to-day, when you thoughtfully
sent me notification (at Fri, 12 Jan 2001 12:14:19 +1100) less
than two hours before posting this to bugtraq (at Fri, 11 Jan 2002
13:51:55 +1100).  Not to my own account, not to the clearly-documented
autoresponder package support address, and not to the Webmaster
address until a few hours ago (which was hardly the best choice,
but you lucked out this time :-).

So while I appreciate the notification of the problem, and will
look into it at the earliest opportunity, I'm more than a little
irritated that you acted so irresponsibly -- sending a message
in what could be (and was) late at night, and following it up
with a 'I didn't get a response' posting to bugtraq less than two
hours later (still late at night where I am).  I don't care for
the incorrect insinuation that I am not responsive to security
reports.  Of course, the next worse thing would have been to just
send it to bugtraq and never to me at all.

I don't follow bugtraq, so perhaps someone will inform me
privately whether or not it is appropriate for me to follow
up to it with a summary or 'fixed' posting.
-- 
#ken    P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"
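The two weaknesses the report names, echoing the original message back to a sender address the attacker controls and replying with no per-address limit, come down to a few decisions an autoresponder has to make before it sends anything. The following is an added illustration, not code from the meepzor autoresponder package or from either poster. It assumes a hypothetical responder that calls decide() on each incoming message; the one-reply-per-sender-per-day window, the sample messages and all function names are constructed for the example.

```python
"""Decision logic for a mail autoresponder that refuses to become a spam
relay or a mail bomb.  Added illustration, not the meepzor package's code;
the hypothetical responder calls decide() once per incoming message."""
import time
from collections import defaultdict, deque
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

WINDOW_SECONDS = 24 * 3600   # assumed policy: one reply per sender per day
MAX_PER_WINDOW = 1


class ReplyLimiter:
    """Sliding-window count of replies already sent to each address."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._sent = defaultdict(deque)   # address -> reply timestamps

    def should_respond(self, sender, now=None):
        """Record and allow a reply to `sender` unless its window is full."""
        now = time.time() if now is None else now
        q = self._sent[sender.strip().lower()]
        while q and now - q[0] >= self.window:
            q.popleft()                   # forget replies that have aged out
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse_message(raw):
    return message_from_string(raw, policy=default)


def sender_address(msg):
    """Lower-cased addr-spec the reply would go to, or None if unusable."""
    hdr = msg["Reply-To"] or msg["From"]
    if hdr is None or not hdr.addresses:
        return None
    return hdr.addresses[0].addr_spec.lower()


def is_auto_generated(msg):
    """True for bounces, list mail and other auto-replies (RFC 3834);
    answering those is how two autoresponders loop against each other."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True                       # null envelope sender: a bounce
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    return msg.get("Precedence", "").lower() in ("bulk", "list", "junk")


def build_reply(original, responder_addr, body_text, attach_original=False):
    """Compose the auto-reply.  With attach_original=True the responder
    echoes whatever the sender wrote, so a forged From: turns it into a
    relay of the attacker's payload to the victim named in that header."""
    reply = EmailMessage()
    reply["From"] = responder_addr
    # A production responder should prefer the envelope sender the MTA
    # hands it; header addresses are exactly what the attacker controls.
    reply["To"] = sender_address(original)
    reply["Subject"] = "Re: " + (original["Subject"] or "")
    reply["Auto-Submitted"] = "auto-replied"   # lets other responders skip us
    reply.set_content(body_text)
    if attach_original:
        reply.add_attachment(original)        # message/rfc822 part
    return reply


def decide(raw, limiter, responder_addr, body_text, now=None):
    """Return (action, reply); action is 'loop', 'rate-limited' or 'reply'.
    The safe default never attaches the original message."""
    msg = parse_message(raw)
    if is_auto_generated(msg):
        return "loop", None
    sender = sender_address(msg)
    if sender is None or not limiter.should_respond(sender, now):
        return "rate-limited", None
    return "reply", build_reply(msg, responder_addr, body_text)


# Constructed samples.  The first forges the victim's address as the sender,
# which is all a spammer needs when the responder echoes the original.
SAMPLE_FORGED = """\
From: victim@example.org
To: vacation@example.net
Subject: buy now
Message-ID: <1@spammer.example>

Payload the spammer wants the autoresponder to deliver to victim@example.org.
"""

SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@example.net
To: vacation@example.net
Auto-Submitted: auto-replied
Subject: Undelivered Mail

Bounce text.
"""

if __name__ == "__main__":
    lim = ReplyLimiter(window=3600)
    for t in (0, 60, 7200):
        print(t, decide(SAMPLE_FORGED, lim, "vacation@example.net", "Away.", now=t)[0])
    print(decide(SAMPLE_BOUNCE, lim, "vacation@example.net", "Away.")[0])
```

Run stand-alone, the forged sample gets one reply, is refused a minute later, and gets another only after the hour-long window has passed; the bounce is never answered at all. The limiter state is in memory here, so a real deployment would persist it across invocations, which matters for a responder that is started once per delivered message.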
