[imp] hardening imp against spammers

Jon Lewis jlewis at lewis.org
Wed Jun 29 06:37:07 PDT 2005


On Wed, 29 Jun 2005, Jan Schneider wrote:

> > /* impose limit on number of recipients */
> >     if (substr_count($recips,"@") > $conf['user']['max_recipients']) {
> >       Horde::raiseMessage(_("Too many recipients.  Try again with fewer."), HORDE_ERROR);
> >       $get_sig = false;
> >       break;
> >     }
> > /* end impose limit on number of recipients */
>
> Beside that it's for a very special problem (that I currently have at a
> customer's site too, btw), no.

Shouldn't there be at least the option to configure such a limit?  This
really frustrated me because we have imp invoking qmail's sendmail, and
short of much more difficult hacks to qmail, there appears to be no other
way to limit the number of recipients.  Also, I wasn't quite working on
all cylinders this AM after spending a while trying to hack this into
qmail.  That patch should probably be:

/* impose limit on number of recipients */
     if ($conf['user']['max_recipients'] > 0 && substr_count($recips,"@") > $conf['user']['max_recipients']) {
       Horde::raiseMessage(_("Too many recipients.  Try again with fewer."), HORDE_ERROR);
       $get_sig = false;
       break;
     }
/* end impose limit on number of recipients */

so that if max_recipients isn't set or is set to 0, you get the default
behavior of no limit rather than the breakage I assume would happen as
substr_count would be compared to 0 or undefined and likely be greater.

If we can't shake the Nigerians (they appear to have images of or at least
all the info including CVV2 codes for their stolen cards and are now using
open proxies to access our webmail...so we're having a real hard time
either stopping them from signing up or blocking them by IP from using
webmail), I suspect the next things we'll need are the DNSBL support I
mentioned (which I suspect is easy enough I might end up doing it), and
some form of per-user message rate limiting...i.e.  after sending X
messages in Y time, you're done.  That'd probably require a new SQL table
holding a key, username, and timestamp in each row so that compose.php
could then do a select and count up how many messages the user has sent
recently and decide if the current message can be sent.  I don't suppose
someone's already done something like this?

Another possibility is forcing the outgoing mail through spamassassin.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
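The two checks discussed in the message above, as an added example that is not part of the original post and not Horde/IMP code: a configurable recipient cap where an unset or zero max_recipients means "no limit", and the proposed per-user send-rate limit backed by a small SQL table with a key, username and timestamp per row. It uses PDO with an in-memory SQLite database so it runs on its own; the table name, column names, the $conf keys and the way recipients are counted (splitting the header on commas and semicolons rather than counting "@") are assumptions for the example.

```php
<?php
// Added example (not Horde/IMP code): recipient cap plus per-user rate limit.
// Table, column and config names below are assumptions, not IMP's own.

/* Count recipients in a header value such as "a@x.org, Bob <b@y.org>". */
function count_recipients(string $recips): int {
    $n = 0;
    foreach (preg_split('/[,;]/', $recips) as $part) {
        if (trim($part) !== '') {
            $n++;
        }
    }
    return $n;
}

/* True when the message may be sent under $conf['user']['max_recipients'];
   an unset or zero value keeps the old behaviour of no limit. */
function within_recipient_limit(array $conf, string $recips): bool {
    $max = (int)($conf['user']['max_recipients'] ?? 0);
    if ($max <= 0) {
        return true;
    }
    return count_recipients($recips) <= $max;
}

/* One row per sent message, as the message proposes (key, username, timestamp). */
function create_sendlog(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS sendlog (
                 id INTEGER PRIMARY KEY AUTOINCREMENT,
                 username TEXT NOT NULL,
                 sent_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS sendlog_user_time ON sendlog(username, sent_at)');
}

/* Number of messages $user has sent in the last $window seconds. */
function recent_send_count(PDO $db, string $user, int $window, int $now): int {
    $st = $db->prepare('SELECT COUNT(*) FROM sendlog WHERE username = ? AND sent_at > ?');
    $st->execute([$user, $now - $window]);
    return (int)$st->fetchColumn();
}

/* "After sending X messages in Y time, you're done": returns false when the
   user is over the limit, otherwise records this send and returns true. */
function allow_and_record_send(PDO $db, string $user, int $maxMsgs, int $window, int $now): bool {
    if (recent_send_count($db, $user, $window, $now) >= $maxMsgs) {
        return false;
    }
    $ins = $db->prepare('INSERT INTO sendlog (username, sent_at) VALUES (?, ?)');
    $ins->execute([$user, $now]);
    // Rows older than the window can never affect a decision again; drop them.
    $db->prepare('DELETE FROM sendlog WHERE sent_at <= ?')->execute([$now - $window]);
    return true;
}

// Demo with constructed values.
$conf = ['user' => ['max_recipients' => 5]];
$recips = 'a@example.org, Bob <b@example.net>, c@example.com';
echo "3 recipients, cap 5: ", within_recipient_limit($conf, $recips) ? "allowed" : "blocked", "\n";
echo "6 recipients, cap 5: ", within_recipient_limit($conf, $recips . ', d@example.org, e@example.org, f@example.org') ? "allowed" : "blocked", "\n";
echo "50 recipients, no cap configured: ", within_recipient_limit(['user' => []], str_repeat('x@example.org, ', 50)) ? "allowed" : "blocked", "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_sendlog($db);
$now = time();
$outcome = [];
for ($i = 0; $i < 12; $i++) {
    // 10 messages per hour: sends 1-10 go through, 11 and 12 are refused
    $outcome[] = allow_and_record_send($db, 'constructed_user', 10, 3600, $now + $i) ? 'ok' : 'blocked';
}
echo implode(',', $outcome), "\n";
```

In compose.php the rate check would run just before the message is handed to sendmail, with the refusal surfaced the same way as the recipient-cap message (Horde::raiseMessage and break). Deciding and recording in one place keeps a user from slipping extra messages through between the count and the insert only if the two statements run inside one transaction; on a busy installation wrap them in $db->beginTransaction() / commit().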