Re: autoresponder program could be tricked by spamers to send unsolicited mail to victim's address (fwd)

From: Rodent of Unusual Size (Ken.Coarat_private)
Date: Mon Feb 04 2002 - 02:58:44 PST


    History: This issue was originally reported to BUGTRAQ on
    Friday 11 January 2002.  I originally sent this response
    four days later, on Tuesday 15 January 2002, and again on
    Monday 21 January 2002, but it didn't get moderated through.
    Since this was originally sent, additional fixes have been
    made and the current package version is 1.15.2, not 1.15.0
    as mentioned below.  See the ChangeLog on the site for details.
    
    --------------------
    Rodent of Unusual Size wrote:
    > 
    > > Date: Fri, 11 Jan 2002 13:51:55 +1100
    > > To: bugtraqat_private
    > > Subject: autoresponder program could be tricked by spamers to send
    > >     unsolicited mail to victim's address
    > >
    > > Autoresponder program
    > > http://meepzor.com/packages/autoresponder/
    > > could be tricked by spamers to send unsolicited mail to
    > > victim's address if option reply with copy of original
    > > message attached to response is enabled in autoresponder's
    > > configuration.
    
    I have addressed this by adding two new bits of anti-spam
    functionality to the package:
    
    1/ ability to ignore blind messages (i.e., any that don't include
       our address in the To: or Cc: line)
    2/ add history tracking feature
    
    The purpose of the first should be self-evident.  The history
    capability, if enabled, will record the time of the last autoresponse
    to each address, and ignore future messages until a threshold number
    of seconds (specified by the run-time --ignore-interval option)
    have passed.
    
    Neither of these is enabled by default, for the simple reason
    that user input (email address, database location) is required.
    In addition, the history function needs a CPAN module that earlier
    versions of autoresponder did not.  (You don't need that module
    if you don't use the history capability.)
    
    This is all in release 1.15.0, now available from
    <URL:http://MeepZor.Com/packages/autoresponder/>.
    
    An announcement to Freshmeat and the package interest list is
    coming next.
    
    Thanks for your attention and support!
    -- 
    #ken	P-)}
    
    Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
    Author, developer, opinionist      http://Apache-Server.Com/
    
    "Millenium hand and shrimp!"
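
The two checks described in the message above (ignoring blind messages, and per-address history with an ignore interval), sketched as an added example. This is not code from the autoresponder package: `ResponseGate`, its method names, and the in-memory dictionary standing in for the history database are hypothetical, and the sample messages are constructed.

```python
import time
from email import message_from_string
from email.utils import getaddresses, parseaddr

class ResponseGate:
    """Decides whether an autoresponse may be sent (hypothetical helper)."""

    def __init__(self, our_addresses, ignore_interval, clock=time.time):
        self.ours = {a.lower() for a in our_addresses}
        self.ignore_interval = ignore_interval  # seconds, as with --ignore-interval
        self.last_reply = {}  # sender address -> time of last autoresponse
        self.clock = clock    # injectable so the interval can be tested

    def should_respond(self, raw_message):
        msg = message_from_string(raw_message)
        # Check 1: ignore blind messages, i.e. our address is in neither To: nor Cc:.
        listed = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if not any(addr.lower() in self.ours for _, addr in listed):
            return (False, "blind")
        # The From: header is unauthenticated, so it may name a third party.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return (False, "no-sender")
        # Check 2: history. Stay silent until ignore_interval seconds have
        # passed since the last autoresponse to this address.
        now = self.clock()
        last = self.last_reply.get(sender)
        if last is not None and now - last < self.ignore_interval:
            return (False, "recent")
        self.last_reply[sender] = now
        return (True, "ok")

def demo():
    now = [1000.0]  # fake clock, advanced by hand below
    gate = ResponseGate(["helpdesk@example.org"], 3600, clock=lambda: now[0])
    # Constructed samples: one bulk message that never names us, one addressed to us.
    blind = "From: victim@example.net\nTo: list@example.com\nSubject: x\n\nbody\n"
    direct = "From: victim@example.net\nTo: Helpdesk@Example.org\nSubject: x\n\nbody\n"
    results = [gate.should_respond(blind),
               gate.should_respond(direct),
               gate.should_respond(direct)]  # repeat inside the interval
    now[0] += 3600                           # interval has fully elapsed
    results.append(gate.should_respond(direct))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

With both checks on, a forged sender address receives at most one response per interval, and none at all from messages that do not list the responder's address.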
    