[rt-users] permissions loophole?

Greg Boug gboug at unico.com.au
Mon Mar 31 02:05:22 EST 2003


It should be fairly trivial to write a wrapper that 
ensures that the email has the correct domain... As 
a first wild hack at a trivial mail filter:

#!/usr/bin/perl -w
use strict;
my @email = <STDIN>;
my $mailsent = 0;
foreach (@email) {
	 # We are only checking the header for a From field...
	last if (/^\n$/);
	if (/^From/) {
		my $emailOK = 0;
		# Insert code to grab and verify the email
		# address here. If email is OK, set $emailOK
		# to 1;
		if ($emailOK) {
			print foreach (@email);
			$mailsent = 1;
			last; # only want to send it once...
		}
	} 
}
if (!$mailsent) {
	# Do whatever you want with evil spam email here...
}

Then you could put in your aliases file:

rt-alias: "|/path/to/check | RT_COMMAND_HERE"

Should work without too much trouble... Biggest issue I can 
see with this method is that it might send a blank email through
to RT if no valid email address is found. If RT ignores blank
input (hopefully it does... I haven't tried it yet...) then you 
will be set... 

Advantage of doing it this way is if you want to have your
queues protected on a per-queue basis... 

In theory, you could also pass it through procmail and get that
to do your mail filtering... That would be another way to do it...
I'm not sure if procmail rules can be set up for email aliases... 
You would have to check that out more thoroughly... Would give 
you a lot more flexibility with what to do with spammers, etc. 
if you used procmail... Depending on how your email server is 
setup, it might be more efficient than doing it through RT... 

HTH

Greg


> -----Original Message-----
> From: rt-users-admin at lists.fsck.com 
> [mailto:rt-users-admin at lists.fsck.com] On Behalf Of David Vrtin
> Sent: Monday, 31 March 2003 4:46 PM
> To: James Lucas
> Cc: rt-users at lists.fsck.com
> Subject: Re: [rt-users] permissions loophole? 
> 
> 
> On Sat, 29 Mar 2003 22:54:33 GMT, "James Lucas" wrote:
> 
> > I have noticed one odd thing with the way it processes mail 
> (although 
> > it = may be my setup but I can't see where), if there is a 
> user on the 
> > = system, e.g. autocreated by opening a ticket, they can 
> reply to any 
> > = other ticket by simply changing the number in the subject of the 
> > message = and this reply will be forwarded onto the ticket 
> requestor.
> > 
> > This does not seem correct to me as it would allow a spammer to 
> > randomly = guess ticket numbers and then send mail to our customers 
> > using rt as the = relay.
> 
> I have same problem. We don't want RT to sent mail out of RT, 
> if the transaction 
> is originated via *Email*. 
> 
> I think, we need some patch??
> 
> 
> Best regards,
> David
> 
> _______________________________________________
> rt-users mailing list
> rt-users at lists.fsck.com 
> http://lists.fsck.com/mailman/listinfo/rt-> users
> 
> Have you 
> read the FAQ? The RT FAQ Manager lives at 
> http://fsck.com/rtfm
> 




More information about the rt-users mailing list