My limited understanding of unpatched qmail is that the modular architecture results in the
front end mail acceptance server not knowing that the backend mail delivery engine will find
the delivery address invalid, resulting in a bounce to a fake address in a spam. This might
have been considered acceptable MTA behaviour 10 years ago. The backscattering of spam is now
considered in the same light as operating any other unsecured promiscuous spam relay. The fact
that DJB doesn't classify this as a security bug combined with his source distribution policy
means that those installing qmail have to make sure they apply the appropriate patches before
installation, and we know that many inexperienced mail admins won't.
Offering a prize for anyone who finds a security hole based on the opinion of the author
strikes me as the kind of hubris which a more competent programmer would not display; the
assumption that something is perfect will alway interfere with security if the definition of
the latter involves taking into consideration a changing operating environment and changing
I am sure, in connection with the technical aspects of his approach to coding for correctness,
that we all have a lot to learn from DJB, but in this particular aspect of his behaviour I
think he could have done better.