Goldfish and forged spam

Wednesday, 10 September 2008

Recently I had the goldfish autoresponder (vacation responses / email auto reply) setup for a user for about one week. Checking their inbox about half way through this time period revealed it having over 47,000 unread messages. What was happening is that spammers were sending email with forged headers. Have you ever received a spam message that apparently has been sent from yourself?

I suppose it can be accomplished via a variety of ways, however I was able to reproduce this particular issue via generating one of these tasty spam mails via the following (all internally of course… I am not a spammer):

telnet smtp.example.com 25

and then issuing these commands:

ehlo workstation.example.com
mail from:
rcpt to:
Subject: testing a loop
Message text

Notice the mail is being sent to the user… and from the user…

  1. The server would receive the email addressed to emailuser@example.com
  2. goldfish would parse the message and notice it needed to respond to… emailuser@example.com
  3. The mail was delivered
  4. Rinse, wash, repeat

The source of the message looked something like this:

root@server:/var/local/vmail/example.com/emailuser# cat new/1220557062.P6882Q0M652544.server,S=1082
Delivered-To: emailuser@example.com
Received: from localhost (localhost []) by server.example.com (Postfix) with ESMTP id 923E9185F7 for ; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at server.example.com
Received: from server.example.com ([]) by localhost (server.example.com []) (amavisd-new, port 10024) with ESMTP id q3tScOaitRoS for ; Thu, 4 Sep 2008 15:37:42 -0400 (EDT)
Received: from workstation.example.com (workstation.example.com [xx.xxx.xxx.xx]) by server.example.com (Postfix) with ESMTP id B89E1185EB for ; Thu, 4 Sep 2008 15:37:25 -0400 (EDT)
Subject: testing a loop
Date: Thu, 4 Sep 2008 15:37:25 -0400 (EDT)
Message text

and to prevent goldfish from causing havoc on the particular inbox (or mitigating what was already done… and preventing future issues), I added the following PHP:

//strip the line break from $address for checks
$addressCheck = substr($address,0,strlen($address)-1);
if ($addressCheck==$email) {
  $log->addLine("Email address from autoresponder table  
    is the same as the intended recipient! Not sending the 

just before letting the mail being sent…

mail($address, $subject, $message, $headers);

I love goldfish. It’s like a do it yourself autoresponder! Keep in mind, this code works on Version 002, patch level 1, but could very well not work on any future releases (there have been indications that a newer version is in the works). Maybe I will post a few more tweaks in upcoming posts if the latest stable stays around for much longer.




Web Apps Web Enabled Applications Corporate Sites Personal Sites
Preferences Dark Theme Light Theme Notifications
Social GitHub LinkedIn RSS Feed Icon