Re: autoresponder program could be tricked by spamers to send
daemon@ATHENA.MIT.EDU (Rodent of Unusual Size)
Fri Jan 11 18:16:20 2002
Message-ID: <3C3EDF34.FD1A73D6@Golux.Com>
Date: Fri, 11 Jan 2002 07:48:52 -0500
From: Rodent of Unusual Size <Ken.Coar@Golux.Com>
MIME-Version: 1.0
To: user@compulabs.dhs.org
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Someone forwarded me:
>
> Date: Fri, 11 Jan 2002 13:51:55 +1100
> From: user@compulabs.dhs.org
> To: bugtraq@securityfocus.com
> Subject: autoresponder program could be tricked by spamers to send
> unsolicited mail to victim's address
>
> Autoresponder program
> http://meepzor.com/packages/autoresponder/
I am the author of this package. I will look into this.
> could be tricked by spammers to send unsolicited mail to
> the victim's address if the option to reply with a copy of the
> original message attached to the response is enabled in the
> autoresponder's configuration.
Nothing is without risk. Security always costs something --
usually convenience. The short answer to this for the
time being is "don't do that"; in other words, don't use
that option for now.
> Program does not have any sort of restriction on number of
> responses to one email address during any period of time.
That is a known restriction, and listed in the TODO file.
It shouldn't come as a surprise.
> I could not get in contact with the developer of this program
> despite having sent a warning to the webmaster of the web site
> hosting the autoresponder's web page.
Um, I regard this as almost complete bollocks. AFAIK, I have never
received any mail from dhs.org until to-day, when you thoughtfully
sent me notification (at Fri, 12 Jan 2001 12:14:19 +1100) less
than two hours before posting this to bugtraq (at Fri, 11 Jan 2002
13:51:55 +1100). Not to my own account, not to the clearly-documented
autoresponder package support address, and not to the Webmaster
address until a few hours ago (which was hardly the best choice,
but you lucked out this time :-).
So while I appreciate the notification of the problem, and will
look into it at the earliest opportunity, I'm more than a little
irritated that you acted so irresponsibly -- sending a message
in what could be (and was) late at night, and following it up
with an 'I didn't get a response' posting to bugtraq less than two
hours later (still late at night where I am). I don't care for
the incorrect insinuation that I am not responsive to security
reports. Of course, the next worst thing would have been to just
send it to bugtraq and never to me at all.
I don't follow bugtraq, so perhaps someone will inform me
privately whether or not it is appropriate for me to follow
up to it with a summary or 'fixed' posting.
--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"All right everyone! Step away from the glowing hamburger!"
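The two mitigations the exchange points at, a per-sender cap on responses within a time window and not answering mail that is itself automatic, as an added Python example that is not the autoresponder package's own code. The thresholds, the use of Return-Path as the address to rate-limit, and the sample messages are assumptions constructed for the example.

```python
"""Decide whether an autoresponder should answer an incoming message."""
import email
from collections import defaultdict, deque
from email.utils import parseaddr

MAX_REPLIES = 3            # assumed cap per sender address ...
WINDOW_SECONDS = 24 * 3600  # ... within this sliding window


class ReplyPolicy:
    """Per-sender sliding-window rate limit plus auto-mail suppression."""

    def __init__(self, max_replies=MAX_REPLIES, window=WINDOW_SECONDS):
        self.max_replies = max_replies
        self.window = window
        self._sent = defaultdict(deque)  # sender -> timestamps of replies

    def should_reply(self, raw_message: str, now: float) -> bool:
        msg = email.message_from_string(raw_message)
        # Never answer mail that is itself automatic (RFC 3834 header,
        # list/bulk precedence, or a bounce with a null envelope sender):
        # replying to it is how mail loops and third-party floods start.
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return False
        if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
            return False
        sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
        sender = sender.lower()
        if not sender:  # "<>" null sender: a bounce, not a person
            return False
        # Drop timestamps that have left the window, then apply the cap.
        times = self._sent[sender]
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.max_replies:
            return False
        times.append(now)
        return True


# Constructed sample messages (addresses are placeholders).
PLAIN_MSG = "From: victim@example.org\nSubject: hello\n\nbody\n"
AUTO_MSG = "From: victim@example.org\nAuto-Submitted: auto-replied\n\nx\n"
BOUNCE_MSG = "Return-Path: <>\nFrom: mailer-daemon@example.net\n\nx\n"
LIST_MSG = "From: list@example.net\nPrecedence: bulk\n\nx\n"
```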