[imp] hardening imp against spammers

Chuck Hagenbuch chuck at horde.org
Wed Jun 29 11:52:28 PDT 2005


Quoting Jon Lewis <jlewis at lewis.org>:

> Shouldn't there be at least the option to configure such a limit?

"Shouldn't" is a very, very loaded word. Please consider that you are 
dealing with volunteers, that no one may have hit this situation 
before, that no one may have thought of it, etc. And Jan _said_ that 
there wasn't a reason not to add it, and that he was seeing the same 
situation at a customer.

> Also, I wasn't quite working on all cylinders this AM after spending 
> a while trying to hack this into qmail.  That patch should probably 
> be:
>
> /* impose limit on number of recipients */
>     if ($conf['user']['max_recipients'] > 0 && substr_count($recips,"@") > $conf['user']['max_recipients']) {
>       Horde::raiseMessage(_("Too many recipients.  Try again with fewer."), HORDE_ERROR);
>       $get_sig = false;
>       break;
>     }
> /* end impose limit on number of recipients */

I'd use !empty() to be even more forgiving. Otherwise, create an 
enhancement request on bugs.horde.org with an actual unified diff, 
including the changes to conf.xml, and we'll get it committed.

> webmail), I suspect the next things we'll need are the DNSBL support I
> mentioned (which I suspect is easy enough I might end up doing it), and

We could use this for lots of other applications, too - Agora, Volos, 
etc. Would be a very useful contribution.

> some form of per-user message rate limiting...i.e.  after sending X
> messages in Y time, you're done.  That'd probably require a new SQL table
> holding a key, username, and timestamp in each row so that compose.php
> could then do a select and count up how many messages the user has sent
> recently and decide if the current message can be sent.  I don't suppose
> someone's already done something like this?

I haven't heard of it. That to me sounds like the kind of thing you're 
better off doing at the MTA level, instead of just in a web layer, 
though.

-chuck

-- 
"But she goes not abroad in search of monsters to destroy." - John 
Quincy Adams
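
The per-user rate limit described in the quoted text above (a table of username and timestamp rows that the compose step counts over a recent window), as an added example that is not part of the original message or of IMP's code. The table, column and function names, the limit values and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: sliding-window send limit per user.
// send_log, create_send_log() and allow_send() are hypothetical names,
// not part of IMP or Horde.

/** Create the log table: one row per message accepted for sending. */
function create_send_log(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS send_log (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL,
        sent_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS send_log_user_time
        ON send_log (username, sent_at)');
}

/**
 * Return true and record the send if $user has sent fewer than $max
 * messages in the last $window seconds; return false otherwise.
 */
function allow_send(PDO $db, string $user, int $max, int $window, int $now): bool
{
    $cutoff = $now - $window;

    // Expire this user's rows that fell out of the window so the table stays small.
    $db->prepare('DELETE FROM send_log WHERE username = ? AND sent_at <= ?')
       ->execute([$user, $cutoff]);

    // Count what remains inside the window. Bound parameters keep the
    // username out of the SQL text.
    $q = $db->prepare('SELECT COUNT(*) FROM send_log WHERE username = ? AND sent_at > ?');
    $q->execute([$user, $cutoff]);
    if ((int) $q->fetchColumn() >= $max) {
        return false; // over the limit: caller refuses to send
    }

    $db->prepare('INSERT INTO send_log (username, sent_at) VALUES (?, ?)')
       ->execute([$user, $now]);
    return true;
}

// Constructed demo: at most 3 messages per 600 seconds for user "alice".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_send_log($db);
foreach ([0, 10, 20, 30, 700] as $offset) {
    $ok = allow_send($db, 'alice', 3, 600, 1000 + $offset);
    printf("t=%d %s\n", $offset, $ok ? 'sent' : 'blocked');
}
```

The count and the insert are separate statements, so concurrent compose requests from one account can slightly exceed the limit unless the check runs under a lock or a serializable transaction.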

