| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Qmail backscatter spam
Qmail backscatter spam
Posted Aug 31, 2006 8:18 UTC (Thu) by copsewood (subscriber, #199)Parent article: A comparison of Mail Transfer Agents - Part One
Quote from: http://zgp.org/pipermail/linux-elitists/2005-November/011...
"I could nitpick a few things, but it's probably better to point out
qmail's biggest crime: backscatter spam. By deliberate design it will
accept all mail for its domains, doing no recipient validation in the
SMTP dialogue. Then if a user does not exist, a bounce is generated,
almost always spamming the mailbox of an innocent victim (forged
envelope sender.)"
I don't think DJB accepts this one as a security hole either. AFAIK, there
exist a growing number of sites which will blacklist a SMTP backscattering relay for the same reasons they will blacklist a promiscous one. So this unfixed vulnerability could have an increasingly detrimental effect on your ability to operate a viable mail service.
To be secure in this respect, email to a non-existent address within one of your domains should always be rejected and never bounced.
(Log in to post comments)
Qmail backscatter spam
Posted Aug 31, 2006 17:00 UTC (Thu) by RussNelson (guest, #27730) [Link]
The solution to this problem is not to enable dictionary attacks, but is instead to not reply to forged emails. If an ISP claims to not want backscatter spam, and yet isn't signing emails using DomainKeys, then their claim is not plausible.