i submitted a patch to /n/sources/plan9/mail/lib/validateaddress which geoff put in. it turns out this patch is quite a bit more important than i thought. without it, upas is an open spam relay.
it works like this. spammer sends mail with a forged From: line and a To: line that mail -x will flag as an "Invalid address". the old script would not flag this for rejection and upas would send a failure notice to the sender, thus spamming the guy in the forged From: line. - erik
