https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7092
--- Comment #1 from Mark Martinec <[email protected]> ---

Jerry, I very much appreciate your effort to analyze the spamc client program, to dig up this lack of verification issue, and to let us know about it!

Don't know how often such a setup is still in use nowadays: having clients connect over an untrusted network to a central spamd server. Also there are probably easier ways to read people's mail or tamper with it within an organization. A common setup today is to run SpamAssassin tightly coupled with an MTA, communicating over a Unix socket or over a loopback interface.

It would certainly be valuable to fix the problem, or just disable the feature if it turns out that few people still care about it. I hope somebody will jump in and address this potential man-in-the-middle threat (I'm not volunteering). At the least, issuing a public notice may be in order.
