Qmail backscatter spam
Posted Aug 31, 2006 8:18 UTC (Thu) by
copsewood (subscriber, #199)
Parent article:
A comparison of Mail Transfer Agents - Part One
Quote from: http://zgp.org/pipermail/linux-elitists/2005-November/011...
"I could nitpick a few things, but it's probably better to point out
qmail's biggest crime: backscatter spam. By deliberate design it will
accept all mail for its domains, doing no recipient validation in the
SMTP dialogue. Then if a user does not exist, a bounce is generated,
almost always spamming the mailbox of an innocent victim (forged
envelope sender.)"
I don't think DJB accepts this one as a security hole either. AFAIK, there
exists a growing number of sites which will blacklist an SMTP backscattering relay for the same reasons they will blacklist a promiscuous one. So this unfixed vulnerability could have an increasingly detrimental effect on your ability to operate a viable mail service.
To be secure in this respect, email to a non-existent address within one of your domains should always be rejected and never bounced.
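The distinction the comment draws, rejecting at RCPT TO versus accepting and bouncing later, as an added illustration that is not part of the comment and is not qmail's or any other MTA's code. It is a toy SMTP dialogue state machine with a constructed local mailbox table and a constructed spam session whose envelope sender (victim@example.net), recipient (nobody@example.com) and hostnames are all assumptions; the two reply codes used (550 5.1.1 and 503 5.5.1) are the standard SMTP ones.

```python
"""Toy SMTP recipient-validation demo (constructed example, not MTA code).

Two policies for a recipient that does not exist:
  validate_rcpt=True  : answer RCPT TO with 550 5.1.1 during the dialogue,
                        so the *sending* MTA owns the failure and no bounce
                        ever leaves our system.
  validate_rcpt=False : accept every recipient for our domains (the behaviour
                        the comment attributes to qmail), then generate a
                        DSN to the envelope sender, which for spam is usually
                        a forged, innocent third party: backscatter.
"""

# Assumed local delivery table: domains we are MX for and the mailboxes
# that actually exist in each.  Purely illustrative.
LOCAL_DOMAINS = {
    "example.com": {"alice", "bob"},
}


def recipient_exists(address: str) -> bool:
    """True only if address is a mailbox we can really deliver to."""
    if "@" not in address:
        return False
    local, _, domain = address.rpartition("@")
    users = LOCAL_DOMAINS.get(domain.lower())
    return users is not None and local.lower() in users


class Session:
    """State for one SMTP dialogue; validate_rcpt selects the policy."""

    def __init__(self, validate_rcpt: bool):
        self.validate_rcpt = validate_rcpt
        self.sender = None       # envelope sender (MAIL FROM), "" for <>
        self.rcpts = []          # accepted RCPT TO addresses
        self.bounces = []        # (to, about) DSNs this server would emit

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            self.sender = arg[len("FROM:"):].strip().strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg[len("TO:"):].strip().strip("<>")
            if self.validate_rcpt and not recipient_exists(addr):
                # Reject inside the dialogue: nothing is queued, nothing
                # is bounced, and the client learns the address is bad.
                return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % addr
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            for addr in self.rcpts:
                if not recipient_exists(addr):
                    # Accept-then-bounce.  A DSN is never sent for a null
                    # reverse path (<>), but spam almost always carries a
                    # forged real-looking sender, who receives the bounce.
                    if self.sender:
                        self.bounces.append((self.sender, addr))
            return "250 2.0.0 Ok: queued"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


# Constructed spam session: forged envelope sender, non-existent recipient.
SPAM_DIALOGUE = [
    "EHLO zombie.example.org",
    "MAIL FROM:<victim@example.net>",
    "RCPT TO:<nobody@example.com>",
    "DATA",
    "QUIT",
]


def run_dialogue(validate_rcpt: bool):
    """Replay SPAM_DIALOGUE under one policy; return (replies, bounces)."""
    session = Session(validate_rcpt)
    replies = [session.command(c) for c in SPAM_DIALOGUE]
    return replies, session.bounces


if __name__ == "__main__":
    for policy in (False, True):
        replies, bounces = run_dialogue(policy)
        print("validate_rcpt=%s" % policy)
        for cmd, rep in zip(SPAM_DIALOGUE, replies):
            print("  C: %s\n  S: %s" % (cmd, rep))
        print("  bounces generated: %s\n" % bounces)
```

With validate_rcpt=False the run ends with a bounce addressed to victim@example.net, who never sent anything; with validate_rcpt=True the RCPT command gets a 550 and the subsequent DATA is refused with 503 because no recipient was accepted, so the backscatter never exists. The same rejection-at-RCPT rule is what a practitioner should look for when configuring any MTA, including verifying that secondary MXes and relays for a domain have the same recipient list rather than accepting blindly and forwarding.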