Goldfish and forged spam
Recently I had the goldfish autoresponder (vacation responses / email auto reply) setup for a user for about one week. Checking their inbox about half way through this time period revealed it having over 47,000 unread messages. What was happening is that spammers were sending email with forged headers. Have you ever received a spam message that apparently has been sent from yourself?
I suppose it can be accomplished via a variety of ways, however I was able to reproduce this particular issue via generating one of these tasty spam mails via the following (all internally of course… I am not a spammer):
and then issuing these commands:
mail from:<emailuser@example.com>
rcpt to:<emailuser@example.com>
data
From: <emailuser@example.com>
To: <emailuser@example.com>
Subject: testing a loop
Message text
.
quit
Notice the mail is being sent to the user… and from the user…
- The server would receive the email addressed to emailuser@example.com
- goldfish would parse the message and notice it needed to respond to… emailuser@example.com
- The mail was delivered
- Rinse, wash, repeat
The source of the message looked something like this:
Return-Path: <emailuser@example.com>
Delivered-To: emailuser@example.com
Received: from localhost (localhost [127.0.0.1]) by server.example.com (Postfix) with ESMTP id 923E9185F7 for <emailuser@example.com>; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at server.example.com
Received: from server.example.com ([127.0.0.1]) by localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3tScOaitRoS for <emailuser@example.com>; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
Received: from workstation.example.com (workstation.example.com [xx.xxx.xxx.xx]) by server.example.com (Postfix) with ESMTP id B89E1185EB for <emailuser@example.com>; Thu, 4 Sep 2008 15:37:25 -0400 (EDT)
From: <emailuser@example.com>
To: <emailuser@example.com>
Subject: testing a loop
Message-Id: <20080904193728.B89E1185EB@server.example.com>
Date: Thu, 4 Sep 2008 15:37:25 -0400 (EDT)
Message text
and to prevent goldfish from causing havoc on the particular inbox (or mitigating what was already done… and preventing future issues), I added the following PHP:
$addressCheck = substr($address,0,strlen($address)-1);
if ($addressCheck==$email)
{
$log->addLine("Email address from autoresponder table is the same as the intended recipient! Not sending the mail!");
break;
}
just before letting the mail being sent…
I love goldfish. It’s like a do it yourself autoresponder! Keep in mind, this code works on Version 002, patch level 1, but could very well not work on any future releases (there have been indications that a newer version is in the works). Maybe I will post a few more tweaks in upcoming posts if the latest stable stays around for much longer.
This entry was posted on Tuesday, September 9th, 2008 at 10:10 pm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
December 2nd, 2008 at 5:57 pm
hey Karl,
this is totally unrelated to your article here. Just wanted to know your email address, and if you had a suggestion for an email client…
please get back to me when it suits.
—Jason
July 6th, 2009 at 9:46 am
Hello,
Thank you for mentioning the bug. I now have included your bugfix in the new version and it can be downloaded under http://www.remofritzsche.com/.
Thanks,
- Remo