[rt-users] Potential mail loop vulnerability in RT-Extensions-CommandByMail ?

Jesse Vincent jesse at bestpractical.com
Fri Apr 11 20:02:05 EDT 2008

On Apr 11, 2008, at 7:26 PM, Maurice Chung wrote:
> Hello fellow RT users,
> We recently installed the CommandByMail perl module, and our  
> developers were happy, as it would cut down on their workflow time  
> (rather than going to the web tool).
> However, a little over a day later, we suddenly got hit with what  
> ended up being over 100k emails - which seemed to be bounces sent by  
> our RT box to our mailing lists box, to our main mail server box,  
> then back over to our RT box, which should have stopped forwarding  
> the bounce mail, but it instead kept on going and we ended up with  
> all these bounce emails:

Can you send the full, unedited headers of one of these?

> <snip>
> ----- Forwarded Message -----
> From: rt at company.com
> To: it at company.com
> Sent: Friday, April 11, 2008 1:38:36 PM (GMT-0800) America/Los_Angeles
> Subject: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT Bounce: RT  
> Bounce: RT Bounce: RT Bounce: RT Bounce: [req2  #145481] RT  Bounce:  
> RT  Bounce:  RT  Bounce:  RT  Bounce: RT Bounce: [req2  #145481] RT   
> Bounce: RT   Bounce: RT  Bounce: RT  Bounce: RT Bounce: RT   Bounce:  
> RT   Bounce: [req2 #145481]     AutoReply:  RE:   April 79%  OFF
> RT thinks this message may be a bounce
> </snip>
> I read on a blog that had some info on how to configure the  
> CommandByMail (on cpan the install instructions were actually a  
> broken link), a comment in passing about people being able to spoof  
> emails once the CommandByMail is used; not sure if that might be  
> related, but we ultimately think that we may have been getting mail  
> bomb attempts, which didn't come to light until we installed this  
> module and it allowed those through.
> Or perhaps something else is going on? Anyone encountered something  
> similar, or have an idea? I tried several searches on Google but  
> came up snake eyes.
> Currently we have mitigated the problem by REJECT'ing from the  
> bounced senders (lighttpd at company.com, and <>), and also backing out  
> the pm.
> Thanks in advance everyone.
> maurice
> ------------------------------------------------------------------
> Maurice Chung
> JrSysAdmin
> iParadigms, LLC - developers of Turnitin and iThenticate
> 1624 Franklin Street, 7th Floor
> Oakland, CA 94612
> p +1.510.287.9720 x309
> f +1.510.444.1952
> e maurice at iparadigms.com
> iParadigms, LLC is committed to developing standard-setting,
> internet-based tools that protect intellectual property, promote
> academic and corporate integrity, and improve overall client
> productivity.
> The information contained in this message may be privileged and
> confidential and protected from disclosure. If the reader of this
> message is not the intended recipient, or an employee or agent
> responsible for delivering this message to the intended recipient, you
> are hereby notified that any dissemination, distribution or copying of
> this communication is strictly prohibited. If you have received this
> communication in error, please notify the sender immediately by
> replying to the message and deleting it from your computer.
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20080411/8abff7f4/attachment.sig>

More information about the rt-users mailing list