[rt-users] fun with Klez

Vivek Khera khera at kcilink.com
Mon Aug 12 12:31:56 EDT 2002


Well, someone late Friday night managed to send a copy of Klez (or
whatever mutation of the week Lookout! virus/worm is going around now)
with a From address of my postmaster@ address to my abuse@ address,
both of which feed into the abuse queue within RT.

What ensued was an all out war RT had with itself, managing to fill
50Mb worth of autoresponder messages into each of three staff members'
mailboxes.  Once the mailboxes were way over any sane limit, messages
started bouncing out the wazoo, and my RT mail server and office mail
server started fighting with each other until I noticed and killed it
off early Sunday morning...


These are the scrips I have.  The admin cc's are the three staff
people's direct email addresses.

OnCreate NotifyAdminCcs with template Transaction 
OnCreate AutoreplyToRequestors with template Postmaster/Abuse Autoreply 
OnCorrespond NotifyAllWatchers with template Correspondence 
OnComment NotifyAdminCcsAsComment with template AdminComment 

The curious thing is that after the first autorespond message got sent
back to the queue itself, every subsequent one added one blank line to
the front of that message.  Thanks to NotifyAllWatchers and the fact
that the message was from "nobody", it notified the postmaster@
address, which then fed back into itself.  47,000+ messages later, all
heck broke loose ;-)

Is there some way to protect from this?  I see a function called
IsRTAddress, but it is documented as only having any purpose when
$ParseNewMessageForTicketCcs is true.  Can I make RT *never* send email
to any address identified by that function?
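
As an added illustration (not code from the original post and not RT's own implementation), the loop described above can be broken at two points: refuse to autoreply to mail that comes from one of RT's own addresses or that is already marked as automatic, and strip RT's own addresses from every outgoing notification. The addresses, domain and sample messages below are constructed; the X-RT-Loop-Prevention header is the one RT adds to mail it sends, and the Precedence/Auto-Submitted checks follow common MTA practice.

```python
"""Loop guard for an autoresponding ticket queue (added example, not RT code)."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: the addresses RT itself reads mail from. The post names the
# postmaster@ and abuse@ addresses; the domain is a constructed placeholder.
RT_ADDRESSES = frozenset({"postmaster@example.com", "abuse@example.com"})

# Precedence values that conventionally mark automatic or bulk mail.
AUTO_PRECEDENCE = {"bulk", "junk", "list", "auto_reply"}


def normalize(addr: str) -> str:
    """Return the bare, lower-cased address so display names and case are ignored."""
    pairs = getaddresses([addr or ""])
    return pairs[0][1].strip().lower() if pairs else ""


def is_rt_address(addr: str) -> bool:
    """Counterpart of the IsRTAddress check: does this address belong to RT itself?"""
    return normalize(addr) in RT_ADDRESSES


def is_auto_generated(msg: Message) -> bool:
    """True when the message carries any marker of automatically sent mail."""
    if msg.get("X-RT-Loop-Prevention"):      # RT stamps its own outgoing mail with this
        return True
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True
    return (msg.get("Precedence") or "").strip().lower() in AUTO_PRECEDENCE


def should_autoreply(msg: Message) -> bool:
    """Gate for an AutoreplyToRequestors-style scrip: never answer RT or a robot."""
    sender = msg.get("Reply-To") or msg.get("From") or ""
    if not normalize(sender) or is_rt_address(sender):
        return False
    return not is_auto_generated(msg)


def outgoing_recipients(recipients):
    """Drop RT's own addresses (and duplicates) from a notification's recipient list."""
    kept = []
    for r in recipients:
        n = normalize(r)
        if n and n not in RT_ADDRESSES and n not in kept:
            kept.append(n)
    return kept


def parse(raw: str) -> Message:
    return message_from_string(raw)


# Constructed sample messages standing in for the three kinds of mail in the post.
WORM_MAIL = """From: postmaster@example.com
To: abuse@example.com
Subject: a funny website

(constructed body standing in for the worm's payload)
"""

USER_MAIL = """From: Some User <user@example.org>
To: abuse@example.com
Subject: spam report

please look at this
"""

AUTOREPLY_BACK = """From: nobody@example.com
To: postmaster@example.com
Precedence: bulk
X-RT-Loop-Prevention: example-rt
Subject: [example.com #1] AutoReply: a funny website

RT has received your message.
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_MAIL), ("user", USER_MAIL), ("autoreply", AUTOREPLY_BACK)):
        print(f"{name}: autoreply={should_autoreply(parse(raw))}")
    print(outgoing_recipients(["Postmaster <postmaster@example.com>", "staff1@example.com"]))
```

With these two checks in front of the OnCreate autoreply and the NotifyAllWatchers recipient list, the forged postmaster@ message never gets an autoreply, and even if one were generated it would not be addressed back to the queue, so the feedback loop cannot start.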

