[rt-users] Potential mail loop vulnerability in RT-Extensions-CommandByMail ?
Maurice Chung
maurice at iparadigms.com
Fri Apr 11 19:26:06 EDT 2008
Hello fellow RT users,
We recently installed the CommandByMail Perl module, and our developers were happy, as it would cut down on their workflow time (rather than going to the web tool).
However, a little over a day later, we suddenly got hit with what ended up being over 100k emails - which seemed to be bounces sent by our RT box to our mailing lists box, to our main mail server box, then back over to our RT box, which should have stopped forwarding the bounce mail, but it instead kept on going and we ended up with all these bounce emails:
<snip>
----- Forwarded Message -----
From: rt at company.com
To: it at company.com
Sent: Friday, April 11, 2008 1:38:36 PM (GMT-0800) America/Los_Angeles
Subject: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: [req2 #145481] RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: [req2 #145481] RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: [req2 #145481] AutoReply: RE: April 79% OFF
RT thinks this message may be a bounce
</snip>
On a blog that had some info on how to configure CommandByMail (on CPAN the install instructions were actually a broken link), I read a comment in passing about people being able to spoof emails once CommandByMail is used; not sure if that might be related, but we ultimately think that we may have been getting mail bomb attempts, which didn't come to light until we installed this module and it allowed those through.
Or perhaps something else is going on? Anyone encountered something similar, or have an idea? I tried several searches on Google but came up snake eyes.
Currently we have mitigated the problem by REJECT'ing from the bounced senders (lighttpd at company.com, and <>), and also backing out the pm.
Thanks in advance everyone.
maurice
------------------------------------------------------------------
Maurice Chung
JrSysAdmin
iParadigms, LLC - developers of Turnitin and iThenticate
1624 Franklin Street, 7th Floor
Oakland, CA 94612
p +1.510.287.9720 x309
f +1.510.444.1952
e maurice at iparadigms.com
iParadigms, LLC is committed to developing standard-setting,
internet-based tools that protect intellectual property, promote
academic and corporate integrity, and improve overall client
productivity.
The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this
message is not the intended recipient, or an employee or agent
responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of
this communication is strictly prohibited. If you have received this
communication in error, please notify the sender immediately by
replying to the message and deleting it from your computer.
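
An added example, not part of the original post and not code from RT or CommandByMail: a pre-filter that flags the loop symptoms visible in the forwarded bounce above (stacked "RT Bounce:" prefixes, the same ticket tag repeated, the null sender `<>`) before a message is handed to a ticketing gateway. The function name, the threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: headers modelled on the forwarded bounce quoted in the
# post, with the Subject shortened and a null Return-Path added.
SAMPLE = """\
Return-Path: <>
From: rt@company.com
To: it@company.com
Subject: RT Bounce: RT Bounce: RT Bounce: [req2 #145481] RT Bounce: [req2 #145481] AutoReply: RE: April 79% OFF

RT thinks this message may be a bounce
"""

BOUNCE_PREFIX = re.compile(r"RT Bounce:")
TICKET_TAG = re.compile(r"\[[^\]\s]+ #\d+\]")   # e.g. "[req2 #145481]"
MAX_BOUNCE_PREFIXES = 1  # assumption: one bounce notice is normal, more is a loop


def loop_indicators(raw_message):
    """Return the reasons a message looks like looped auto-generated mail.

    An empty list means no indicator fired.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    reasons = []

    nested = len(BOUNCE_PREFIX.findall(subject))
    if nested > MAX_BOUNCE_PREFIXES:
        reasons.append(f"nested-bounce-subject:{nested}")

    tags = TICKET_TAG.findall(subject)
    if len(tags) != len(set(tags)):
        reasons.append("repeated-ticket-tag")

    # Bounces (DSNs) carry the null envelope sender "<>".
    if msg.get("Return-Path", "").strip() == "<>":
        reasons.append("null-envelope-sender")

    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        reasons.append(f"auto-submitted:{auto}")

    return reasons


if __name__ == "__main__":
    print(loop_indicators(SAMPLE))
```

A message with any indicator can be held or dropped at the MTA instead of being turned into another ticket reply, which is what breaks the cycle.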