
List:       james-user
Subject:    Re: my mail server is compromised!
From:       David Legg <david.legg () searchevent ! co ! uk>
Date:       2008-09-18 15:48:27
Message-ID: 48D2784B.4040308 () searchevent ! co ! uk

Hi Marc,

>> Well, I'm no guru but I can tell you that, in all probability, your 
>> server has not been compromised - in the sense that someone has 
>> broken in and is merrily sending stuff in your name.
>>
> Thanks David for your reply and I hear what you are saying about 
> trust... But in the past James has always verified that only members 
> of a list server could send email to/through that list server. I have 
> noted a lot of attempts by spammers to impersonate me or another user, 
> when trying to send email to the list server but those attempts have 
> always failed in the past. What has changed and why should this check 
> now be failing?

Sorry, I didn't pick up on the fact that you were talking about a list.  
I've not implemented that myself so I don't have first hand knowledge.

That said, I've just been looking at the code.  I notice that the 
CommandListServProcessor class simply calls mail.getSender() to check 
that an incoming message is OK to post to the list.  According to the 
JavaDocs [1] this uses the MAIL FROM header of the email which as I 
discussed in my first email is easy to forge by a spammer.

So, all a spammer has to do to get his nastiness posted on your list is 
to send an email to your announce email address with a forged 'Mail 
From' header that matches that of someone in your list's list of allowed 
users.

That sounds to me like something a clever piece of spam technology could 
do.  For example, if any of your list's users has had an infected PC in 
which the user's address book was stolen then your announce email 
address and one or two of the list users addresses would be present.  
The laws of chance would then dictate that sooner or later the right 
combination got sent.

> My understanding of Bayesian filters is that they require some sort of 
> feedback to train them on what is junk and what is not. I can 
> understand how this is done in an email client but I couldn't 
> understand how it would be done on a server. So I never bothered with 
> it...

The James Bayesian Analysis mailet does require you to feed it with ham 
and spam messages.  This is onerous at first but the effort quickly 
diminishes as the amount of spam lessens.  All you have to do is forward 
the offending or innocent email as an attachment (something which 
Thunderbird does automatically) to one of two special email addresses 
hosted by your server.

> Also I am using SMTP Auth which requires a password to send email via 
> the server, not simply SMTP.

SMTP Auth only requires a sender to be authorized if they are trying to 
send an email out from the server.  If an incoming email is destined for 
someone local to your server it isn't required (if it was then random 
people wouldn't be able to email you!).  I'm not sure but I would think 
people emailing your announce address would be treated as a local email 
and wouldn't need a password.

> Are you in fact telling me to enable the Bayesian filter and that is 
> my only hope?

I'm hoping someone else will chime in here, but I think you definitely 
need something to perform more rigorous checks.

Regards,
David Legg

[1] 
http://james.apache.org/server/2.3.1/apidocs/org/apache/mailet/Mail.html#getSender()

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
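
The weakness David describes above, as an added worked example that is not code from Apache James or from anyone in this thread: a small Python model of the two policies involved. The server side accepts unauthenticated mail for local recipients (it has to, or nobody could write to you) and demands AUTH only for relaying; the list side authorises a post purely on the envelope sender, which is what Mail.getSender() returns and which any client can set to a member's address. The domain names, member list, credential store and the three SMTP transcripts are constructed for the illustration, and the stricter "must have authenticated as the claimed member" check is this example's suggestion, not James's behaviour.

```python
"""Model of the list-posting weakness discussed in the thread.

Added example, not Apache James code. Domains, members, credentials and
transcripts below are constructed for illustration.
"""
import base64
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "example.com"                               # assumed server domain
LIST_ADDRESS = "announce@example.com"                      # assumed list address
LIST_MEMBERS = {"marc@example.com", "alice@example.org"}   # constructed member list
USERS = {"marc@example.com": "s3cret"}                     # constructed SMTP AUTH accounts


@dataclass
class Session:
    authenticated_as: Optional[str] = None   # set only by a successful AUTH
    mail_from: Optional[str] = None          # envelope sender from MAIL FROM
    rcpts: List[str] = field(default_factory=list)


def parse_address(arg: str) -> str:
    """Turn 'FROM:<user@host>' or 'TO:<user@host>' into 'user@host'."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


def smtp_reply(session: Session, line: str) -> str:
    """Reply to one client command under the usual relay policy:
    local recipients never need AUTH, remote recipients always do."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "AUTH":
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognised authentication type"
        try:  # AUTH PLAIN carries base64("\0user\0password")
            _authz, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH PLAIN response"
        if USERS.get(user.lower()) != password:
            return "535 Authentication failed"
        session.authenticated_as = user.lower()
        return "235 Authentication successful"
    if verb == "MAIL":
        session.mail_from = parse_address(arg)   # taken on trust, as in real SMTP
        return "250 OK"
    if verb == "RCPT":
        rcpt = parse_address(arg)
        if not rcpt.endswith("@" + LOCAL_DOMAIN) and session.authenticated_as is None:
            return "530 Authentication required for relaying"
        session.rcpts.append(rcpt)
        return "250 OK"
    return "500 Unrecognised command"


def envelope_sender_check(session: Session) -> bool:
    """The check the thread attributes to CommandListServProcessor: compare
    the envelope sender (Mail.getSender()) against the member list."""
    return session.mail_from in LIST_MEMBERS


def authenticated_sender_check(session: Session) -> bool:
    """Stricter policy (this example's suggestion): the session must have
    authenticated as the very member named in MAIL FROM."""
    return session.mail_from in LIST_MEMBERS and session.authenticated_as == session.mail_from


def run_transcript(lines: List[str]):
    """Feed client lines through the model; return (session, server replies)."""
    session = Session()
    return session, [smtp_reply(session, line) for line in lines]


# Constructed transcript: a spammer forges a member's envelope sender and
# posts to the local announce address without ever authenticating.
FORGED_POST = ["MAIL FROM:<alice@example.org>", f"RCPT TO:<{LIST_ADDRESS}>"]

# Constructed transcript: the same client trying to relay to an outside address.
RELAY_ATTEMPT = ["MAIL FROM:<alice@example.org>", "RCPT TO:<victim@example.net>"]

# Constructed transcript: a genuine member who logs in before posting.
GENUINE_POST = [
    "AUTH PLAIN " + base64.b64encode(b"\0marc@example.com\0s3cret").decode(),
    "MAIL FROM:<marc@example.com>",
    f"RCPT TO:<{LIST_ADDRESS}>",
]

if __name__ == "__main__":
    for name, lines in [("forged", FORGED_POST), ("relay", RELAY_ATTEMPT), ("genuine", GENUINE_POST)]:
        session, replies = run_transcript(lines)
        print(name, replies, "envelope:", envelope_sender_check(session),
              "authenticated:", authenticated_sender_check(session))
```

Running it shows the point of the thread: the forged post is accepted for local delivery and passes the envelope-sender check, while the relay attempt is refused with a 530 exactly as SMTP AUTH promises; only the stricter check tells the forged post and the genuine one apart. In a real deployment the authenticated-user information would have to be carried from the SMTP handler to the list processor, and members who post from elsewhere would need another proof of origin, so this is a design direction rather than a drop-in fix.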
