Goldfish and forged spam
Wednesday, 10 September 2008
Recently I had the goldfish autoresponder (vacation responses / email auto reply) set up for a user for about one week. Checking their inbox about halfway through this period revealed over 47,000 unread messages. What was happening is that spammers were sending email with forged headers. Have you ever received a spam message that apparently was sent from yourself?
I suppose it can be accomplished in a variety of ways; however, I was able to reproduce this particular issue by generating one of these tasty spam mails as follows (all internally, of course… I am not a spammer):

```
telnet smtp.example.com 25
```

and then issuing these commands:

```
ehlo workstation.example.com
mail from:<emailuser@example.com>
rcpt to:<emailuser@example.com>
data
From: <emailuser@example.com>
To: <emailuser@example.com>
Subject: testing a loop

Message text
.
quit
```
Notice the mail is being sent to the user… and from the user…
- The server would receive the email addressed to emailuser@example.com
- goldfish would parse the message and notice it needed to respond to… emailuser@example.com
- The mail was delivered
- Rinse, wash, repeat
The source of the message looked something like this:
```
root@server:/var/local/vmail/example.com/emailuser# cat new/1220557062.P6882Q0M652544.server,S=1082
Return-Path:
Delivered-To: emailuser@example.com
Received: from localhost (localhost [127.0.0.1])
    by server.example.com (Postfix) with ESMTP id 923E9185F7
    for ; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at server.example.com
Received: from server.example.com ([127.0.0.1])
    by localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id q3tScOaitRoS
    for ; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
Received: from workstation.example.com (workstation.example.com [xx.xxx.xxx.xx])
    by server.example.com (Postfix) with ESMTP id B89E1185EB
    for ; Thu, 4 Sep 2008 15:37:25 -0400 (EDT)
From:
To:
Subject: testing a loop
Message-Id:
Date: Thu, 4 Sep 2008 15:37:25 -0400 (EDT)

Message text
```
To prevent goldfish from causing havoc on this particular inbox (mitigating what was already done and preventing future issues), I added the following PHP:

```php
// strip the line break from $address for checks
$addressCheck = substr($address, 0, strlen($address) - 1);
if ($addressCheck == $email) {
    $log->addLine("Email address from autoresponder table is the same as the intended recipient! Not sending the mail!");
    break;
}
```

just before the mail is sent:

```php
mail($address, $subject, $message, $headers);
```
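The check above covers one loop trigger: the sender being the mailbox itself. As an added example (not goldfish code and not from the original post), the PHP below generalizes it to the other loop triggers RFC 3834 describes for automatic responders. The function names and both sample messages are hypothetical and constructed for illustration.

```php
<?php
// Added example, not goldfish code: decide whether an autoresponder may answer
// a message, given its raw source and the mailbox it was delivered to.

function parse_headers(string $raw): array {
    // Headers end at the first blank line; continuation lines start with whitespace.
    $head = preg_split('/\r?\n\r?\n/', $raw, 2)[0];
    $head = preg_replace('/\r?\n[ \t]+/', ' ', $head);
    $headers = [];
    foreach (preg_split('/\r?\n/', $head) as $line) {
        if (strpos($line, ':') === false) continue;
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value); // last occurrence wins
    }
    return $headers;
}

function bare_address(string $value): string {
    // "Name <user@host>" or "user@host\n" becomes "user@host"; lower-cased so
    // the comparison errs on the side of not replying.
    if (preg_match('/<([^<>]*)>/', $value, $m)) $value = $m[1];
    return strtolower(trim($value));
}

function should_autorespond(string $raw, string $mailbox): bool {
    $h = parse_headers($raw);
    $mailbox = bare_address($mailbox);
    // Prefer the envelope sender (Return-Path) over the From: header.
    $sender = bare_address($h['return-path'] ?? $h['from'] ?? '');
    if ($sender === '') return false;             // null sender: bounce or DSN
    if ($sender === $mailbox) return false;       // forged self-mail, the loop in this post
    if (preg_match('/^(mailer-daemon|postmaster)@/', $sender)) return false;
    $auto = strtolower($h['auto-submitted'] ?? 'no');
    if (strpos($auto, 'no') !== 0) return false;  // written by another responder
    if (preg_match('/^(bulk|list|junk)\b/i', $h['precedence'] ?? '')) return false;
    return true;
}

// Constructed samples: the looping message from this post, and an ordinary one.
$loop = "Return-Path: <emailuser@example.com>\nFrom: <emailuser@example.com>\n"
      . "To: <emailuser@example.com>\nSubject: testing a loop\n\nMessage text\n";
$real = "Return-Path: <friend@example.org>\nFrom: Friend <friend@example.org>\n"
      . "To: <emailuser@example.com>\nSubject: lunch?\n\nHi\n";
var_dump(should_autorespond($loop, "emailuser@example.com\n"));
var_dump(should_autorespond($real, "emailuser@example.com\n"));
```

Replies that do get sent should carry an `Auto-Submitted: auto-replied` header so that other responders skip them by the same rule.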
I love goldfish. It’s like a do-it-yourself autoresponder! Keep in mind, this code works on Version 002, patch level 1, but could very well not work on any future releases (there have been indications that a newer version is in the works). Maybe I will post a few more tweaks in upcoming posts if the latest stable stays around for much longer.