On Sat, 27 Sep 2008 13:56:58 +0200, Diego d'Ambra wrote:
> To me it seems that plugin DNSBL is using Net::DNS bgsend/bgread, but
> is not checking the id of the reply received.
>
> If true this means that an attacker can white- or blacklist any email

Thinking more about this - since we don't do any "dnswl" type stuff, it doesn't seem that relevant. All the attacker can do is blacklist more emails, which given the timings surely he can only blacklist his own emails?

Just a thought - wondering if this really needs to be fixed.

Matt.
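
The check discussed in the quoted message, matching a reply's id (and its question) against an outstanding query before trusting it, is sketched below as an added example. It is not part of the thread and not the plugin's code, and it is written in Python rather than the plugin's Perl; every function name and the `dnsbl.example` zone are constructed for illustration.

```python
import struct

def encode_name(name):
    # DNS wire format: length-prefixed labels, terminated by a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=1, qclass=1):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/AR counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def as_reply(query):
    # Constructed sample data: echo a query with the QR (response) bit set.
    pkt = bytearray(query)
    pkt[2] |= 0x80
    return bytes(pkt)

def parse_question(pkt):
    """Return (id, is_response, qname, qtype, qclass) or raise ValueError."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while pos < len(pkt) and pkt[pos] != 0:
        n = pkt[pos]
        if n > 63 or pos + 1 + n > len(pkt):
            raise ValueError("bad label")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

def accept_reply(pending, pkt):
    """pending maps id -> (qname, qtype, qclass); return matched qname or None."""
    try:
        txid, is_response, *question = parse_question(pkt)
    except ValueError:
        return None
    if not is_response or pending.get(txid) != tuple(question):
        return None
    del pending[txid]  # one reply per outstanding query
    return question[0]
```

A reply is used only if it carries the id of a query still outstanding and echoes that query's name, type and class; anything else is dropped without touching the pending table.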