On Sat, May 09, 2009 at 10:43:41PM +0200, Thijs Kinkhorst wrote:
> Hi,
>
> On Saturday 9 May 2009, CJ Fearnley wrote:
> > If a user of squirrelmail sends spam, for example, or, in general,
> > if the admin needs to find out who the sender of a particular e-mail
> > logged by the MTA is, then the current version provides insufficient
> > data (etch did better but was suboptimal as well). The "SquirrelMail
> > authenticated user" is included in the Received header. However, most
> > MTAs do not log the Received header. So a squirrelmail admin will
> > have no means to determine which of their users sent an e-mail that
> > is registered in the local exim, postfix, sendmail logs. Therefore,
> > I submit that it is essential that squirrelmail log the authenticated
> > user in the Message-ID as well since most MTAs do log the Message-ID.
>
> Thanks for your message.
>
> I agree that logging can be important but it's quite dependent on the
> environment what and how things should be logged. In many situations the
> Received header information is satisfactory. There are other avenues for
> other requirements: install one of the logger plugins that are available, or
> use authenticated SMTP.
>
> There are plans to integrate logging more closely in SquirrelMail, but given
> e.g. the plugins that are available I do not see it as a bug but merely as a
> feature request.
>
> The patch you supplied may work indeed, but it is not acceptable upstream. We've
> tried to get such information out of the message ID, because some sites
> explicitly *don't* want username info leaked in that ID.
>
>
> cheers,
> Thijs

True, one can and should be able to arrange alternative logging methods
using SquirrelMail plugins, authenticated SMTP, etc. But, I expect Debian
systems to provide effective default behavior for default configurations.
Yes in a default Debian SquirrelMail installation it is almost impossible
to determine which account to close due to SPAM abuse.

On Saturday I wasted half a day trying to figure out which user sent spam
through SquirrelMail. I was able to find the Message-ID of dozens of spams,
but I had already piped that list into xargs exim4 -Mrm, so I did not have
the Authenticated user in the Received header. I assumed I could figure out
which user had committed the crime without reading the spams in the queue.
Instead, I had to wait until the SPAMer sent another batch so that I could
peek at a message in the queue to see the Received header. Frustrating.

Why should admins using default SquirrelMail configurations have to
configure alternative logging mechanisms to fight abuse of their systems?
If that is your opinion, please write some BOLDFACE warnings in
Debian.README. Currently, that document (which I did consult) gives no
advice about how to configure the system to address the common use case of
supporting admins who want to be able to police the authenticated
SquirrelMail users who use their system to send vile SPAM. AND, I
discovered that the information necessary to police my systems is NOT
LOGGED by default (in Etch the IP address was logged which was inefficient,
but at least actionable. In Lenny nothing of actionable use is logged)!!!
So, at minimum, there is a serious documentation deficiency.

I read SquirrelMail bug tracker #847107 about the Message-ID leaking of
private data such as the IP address. This is DIFFERENT from $username or
the Authenticated username. If upstream wanted to protect disclosing the
Authenticated username, they would not put it in the Received header!!!!
I conclude that upstream wanted to protect the IP address of the sender,
not the Authenticated username which I think everyone realizes must be
disclosed to support policing SPAMer abuse of SquirrelMail.

The Message-ID is the only guaranteed to be available on all systems method
(I've confirmed that sendmail, postfix, and exim all log Message-ID by
default) to ensure that site operators have access to the Authenticated
username who used or abused their system. So, I think SquirrelMail should
use the Message-ID to record the name of the Authenticated user responsible
for each e-mail.

Frankly, I think the Severity level could be serious because the current
configuration of SquirrelMail means it is hit-and-miss for an admin of a
Default Debian SquirrelMail configuration to be able to effectively police
their systems from SPAMers.

-- 
CJ Fearnley                 |   LinuxForce Inc.
c...@linuxforce.net         |   President & CEO
http://www.LinuxForce.net   |   Remote Systems Management Solutions
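
The record-keeping step missing from the account above, as an added example that is not part of the original thread and is not SquirrelMail or Debian code: before purging queued mail, map each Message-ID taken from the MTA log to the user named in that message's Received header. The exact Received header wording, the sample messages and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Assumed wording of the webmail hop; the thread only says the
# "SquirrelMail authenticated user" is included in the Received header.
AUTH_RE = re.compile(r"\(SquirrelMail authenticated user ([^)\s]+)\)")

def authenticated_user(raw_message):
    """Return (message_id, user); user is None when no webmail hop is found."""
    msg = message_from_string(raw_message)
    msg_id = (msg.get("Message-ID") or "").strip()
    # A message can carry several Received headers, each possibly folded
    # over multiple lines; collapse whitespace before matching.
    for received in msg.get_all("Received", []):
        match = AUTH_RE.search(" ".join(received.split()))
        if match:
            return msg_id, match.group(1)
    return msg_id, None

def senders_for(message_ids, raw_messages):
    """Map each Message-ID seen in the MTA log to the webmail user who sent it."""
    index = dict(authenticated_user(raw) for raw in raw_messages)
    return {mid: index.get(mid) for mid in message_ids}

def top_senders(mapping):
    """Rank users by number of attributed messages, ignoring unattributed ones."""
    return Counter(user for user in mapping.values() if user).most_common()

def _msg(mid, received):
    # Helper that builds a constructed sample message (headers plus a stub body).
    return f"Received: {received}\nMessage-ID: {mid}\nSubject: test\n\nbody\n"

# Constructed sample queue: two webmail messages and one plain SMTP message.
WEBMAIL = ("from 192.0.2.10\n        (SquirrelMail authenticated user {u})\n"
           "        by webmail.example.org with HTTP;\n"
           "        Sat, 9 May 2009 10:00:00 -0400")
SMTP = ("from mx.example.net by mx.example.org with ESMTP;\n"
        "        Sat, 9 May 2009 10:01:00 -0400")
SAMPLE_QUEUE = [
    _msg("<a1@webmail.example.org>", WEBMAIL.format(u="alice")),
    _msg("<a2@webmail.example.org>", WEBMAIL.format(u="alice")),
    _msg("<b1@mx.example.org>", SMTP),
]

if __name__ == "__main__":
    logged = ["<a1@webmail.example.org>", "<a2@webmail.example.org>",
              "<b1@mx.example.org>"]
    print(top_senders(senders_for(logged, SAMPLE_QUEUE)))
```

Saving this mapping before the queue is emptied keeps the attribution available after the messages themselves are gone.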