On Fri, 6 Feb 2004, Ken Murchison wrote:

I just committed this change to CVS.  It seems to work just fine with
Mozilla, Outlook and Pine.

It also gave me the opportunity to clean up the handling of netnews-specific
headers (Path, Xref) and to actually append the post addresses
to the Reply-To header (previously I was just adding another To: header).

Excellent! Thanks!

Well, I just found a problem with this. It also may have been a problem with the To: header as well.

Any article which gets posted to Cyrus nntpd will have the post address added to the Reply-To header, and this address will be present in the article when it is transferred to the outside news peer.

The problem occurs when the spammers harvest this address and then start sending junk/viruses to the post address. In my case my virus scanner catches and strips the virus, and continues to deliver the message to the intended recipient (the newsgroup via lmtp2nntp) which then gets propagated up the tree. The end result is that I have been sending virus notifications to comp.mail.imap for the past day or so (until Rob notified me).

Obviously, I have to configure my MTA so that it only accepts mail to the post addresses from internal/auth'd clients, but nntpd should probably also cleanse the article of the post address.


Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
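
The cleansing step suggested in the message above (removing the post address from an article before it goes to an outside peer), as an added example that is not Cyrus nntpd code. The `post+<newsgroup>@<domain>` address form, the domain, and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Assumptions for this sketch: post addresses look like
# post+<newsgroup>@<domain>; prefix and domain are placeholders.
POST_PREFIX = "post+"
POST_DOMAIN = "news.example.org"

# Constructed sample article as it would look after local posting.
SAMPLE = (
    "Path: news.example.org!not-for-mail\n"
    "From: Alice <alice@example.com>\n"
    "Newsgroups: comp.mail.imap\n"
    "Subject: test\n"
    "Reply-To: Alice <alice@example.com>, post+comp.mail.imap@news.example.org\n"
    "Message-ID: <1@example.com>\n"
    "\n"
    "body\n"
)

def is_post_address(addr):
    """True if addr is one of the local mail-to-news post addresses."""
    local, _, domain = addr.rpartition("@")
    return local.lower().startswith(POST_PREFIX) and domain.lower() == POST_DOMAIN

def cleanse_for_peer(article_text):
    """Strip post addresses from Reply-To/To before feeding an outside peer.

    Returns (cleansed_article, removed_addresses). A header left with no
    addresses (or one that fails to parse) is dropped, not forwarded.
    """
    msg = message_from_string(article_text)
    removed = []
    for name in ("Reply-To", "To"):
        values = msg.get_all(name)
        if not values:
            continue
        kept = []
        for display, addr in getaddresses(values):
            if is_post_address(addr):
                removed.append(addr)
            elif addr:
                kept.append(formataddr((display, addr)))
        del msg[name]  # removes every occurrence of the header
        if kept:
            msg[name] = ", ".join(kept)
    return msg.as_string(), removed
```

The list of removed addresses can be logged so an operator can confirm that nothing other than post addresses is being stripped on the outbound feed.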
