Hi,
I recently had a scan of my DSL-connected Linux box done by
http://www.dslreports.com. I was rather surprised to see that this service
reported my system was set up as an open e-mail relay. I quickly discovered
that it's not, really; the system just didn't know that qmail was checking local
recipients AFTER accepting the mail. I do still have a couple of concerns.
First, here's the relevant portion of the output of the test:
Test mail relay
To:<[EMAIL PROTECTED]> .. 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
To:<[EMAIL PROTECTED]> .. 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
To:<[EMAIL PROTECTED]@[151.203.46.57]> ..250 ok
To <root%XX.XX.com@[151.203.46.57]> ..250 ok
To <XX.XX.com!root@[151.203.46.57]> ..250 ok
I gather that the last three are notations allowed by some SMTP daemons for
relay, but that qmail doesn't recognize them as such, and so tries to interpret
them as usernames, which of course fails and causes a bounce message to go out,
but only AFTER accepting the message for attempted delivery. I have three
concerns about this behavior:
1) If the "from" address is also bogus, the bounce will bounce, and so I'll
get a notification of the bounce. This is fine if it's just an isolated
incident, but I'm concerned that if some spammer tried to do a mass
mailing through my system, I might be inundated with these messages. I
tried a test, and I see that I do at least get but a single message for
multiple recipients, but what if a spammer tries sending messages
individually, or a dozen or more messages, each to different groups?
2) If one open relay test misidentifies my system as having an open relay,
others might. I'd hate to get stuck on an anti-spam e-mail blacklist
because of a misidentification like this. (For a while, a former ISP
of mine used an over-eager anti-spam list that blocked mail from a
mailing list that was misidentified in a way similar to this.) Most
of my incoming mail should be coming through my ISP (grabbed via
fetchmail), so this shouldn't be a big problem even if it happens,
but some people do still seem to grab and use my "direct" address.
3) If the spammer places the recipient in the "from" field rather than
the "to" field, the system WOULD serve as an open relay of sorts,
albeit a very strange and undesirable one, since to the recipient,
the e-mail would seem to be a bounce from his/her own account. If
nothing else, a feature like this could make the target think that
his/her security had been compromised, and I'd rather not be a
party to such a prank. (Granted, such a message would be easily
forged via more direct means, but still....)
Anyhow, I realize that giving information "up front" on working usernames on the
system is probably at least a small security risk, so I'd rather not do that,
but is there some way to refuse deliveries to usernames that match some pattern
(like anything containing an "@", "%", or "!", to kill the specific examples
used in this particular test)?
--
Rod Smith
[EMAIL PROTECTED]
http://members.bellatlantic.net/~smithrod
Author of _Special Edition Using Corel WordPerfect 8 for Linux_, from Que
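The three "250 ok" lines above are the classic relay notations: source routing (a second "@" inside the local part), the percent hack ("user%remote.host@local"), and a UUCP bang path ("remote.host!user@local"). A server that only checks the part after the last "@" against its rcpthosts list accepts all three and discovers the problem later, at local delivery, which is what produces the delayed bounces the post describes. The following is an added example, not qmail's own code or configuration and not anything from the original post: a small Python RCPT TO screening routine that splits the address on the last "@", applies the rcpthosts-style domain check first, and then refuses any local part containing "@", "%" or "!" at SMTP time, before the message is accepted. The hostnames, the contents of LOCAL_DOMAINS and the wording of the second 553 reply are assumptions; the sample addresses are constructed to mirror the test output.

```python
# Added example: SMTP-time screening of RCPT TO arguments for relay-style
# local parts. Not qmail code; a stand-alone illustration of the check.

# Assumed rcpthosts contents: the bracketed literal the test used plus a
# placeholder domain.  Anything else is rejected as a relay attempt.
LOCAL_DOMAINS = {"[151.203.46.57]", "mydomain.example"}

# Characters that mark the three relay notations seen in the test:
#   '@'  source route      user@remote.host@[local]
#   '%'  percent hack      user%remote.host@[local]
#   '!'  UUCP bang path    remote.host!user@[local]
RELAY_MARKERS = "@%!"

# Constructed sample inputs; "user" stands in for the redacted local parts.
SAMPLE_RCPT = [
    "<user@example.com>",                    # plain remote: rcpthosts rejects
    "<user@example.com@[151.203.46.57]>",    # source route
    "<user%example.com@[151.203.46.57]>",    # percent hack
    "<example.com!user@[151.203.46.57]>",    # bang path
    "<user@[151.203.46.57]>",                # ordinary local recipient
]


def split_rcpt(arg):
    """Split an RCPT TO argument into (local_part, domain).

    The split is on the LAST '@', which is exactly what a naive rcpthosts
    check sees; everything to the left of it is treated as the local part.
    """
    addr = arg.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr, ""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def check_rcpt(arg):
    """Return the SMTP reply for one RCPT TO argument.

    Order matters: the domain check runs first so non-local domains get the
    usual rcpthosts rejection; the marker check then catches local parts that
    would otherwise be accepted and bounced later by local delivery.
    """
    local, domain = split_rcpt(arg)
    if domain not in LOCAL_DOMAINS:
        return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
    if any(c in local for c in RELAY_MARKERS):
        # Assumed wording; the point is a permanent 5xx reply before DATA.
        return "553 sorry, that recipient address form is not accepted here (#5.7.1)"
    return "250 ok"


def screen(rcpts):
    """Run check_rcpt over a list of RCPT TO arguments; returns (arg, reply) pairs."""
    return [(r, check_rcpt(r)) for r in rcpts]


if __name__ == "__main__":
    for arg, reply in screen(SAMPLE_RCPT):
        print(f"To:{arg} .. {reply}")
```

Because the check keys on address syntax rather than on whether the user exists, it does not leak valid usernames: an unknown plain local user still gets the same accept-then-bounce treatment as before, while the three relay forms are refused with a permanent error and never generate a bounce at all. Note that the domain comparison here is a bare set lookup; a real deployment would have to load it from the same place the daemon reads rcpthosts so the two never disagree.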