Someone forwarded me:

>
> Date: Fri, 11 Jan 2002 13:51:55 +1100
> From: user@compulabs.dhs.org
> To: bugtraq@securityfocus.com
> Subject: autoresponder program could be tricked by spammers to send
>          unsolicited mail to victim's address
>
> Autoresponder program
> http://meepzor.com/packages/autoresponder/

I am the author of this package. I will look into this.

> could be tricked by spammers to send unsolicited mail to
> victim's address if option reply with copy of original
> message attached to response is enabled in autoresponder's
> configuration.

Nothing is without risk. Security always costs something -- usually convenience. The short answer to this for the time being is "don't do that"; in other words, don't use that option for now.

> Program does not have any sort of restriction on number of
> responses to one email address during any period of time.

That is a known restriction, and listed in the TODO file. It shouldn't come as a surprise.

> I could not get in contact with developer of this program
> even though we sent a warning to the webmaster of the web site
> hosting the autoresponder web page.

Um, I regard this as almost complete bollocks. AFAIK, I have never received any mail from dhs.org until to-day, when you thoughtfully sent me notification (at Fri, 12 Jan 2001 12:14:19 +1100) less than two hours before posting this to bugtraq (at Fri, 11 Jan 2002 13:51:55 +1100). Not to my own account, not to the clearly-documented autoresponder package support address, and not to the Webmaster address until a few hours ago (which was hardly the best choice, but you lucked out this time :-). So while I appreciate the notification of the problem, and will look into it at the earliest opportunity, I'm more than a little irritated that you acted so irresponsibly -- sending a message in what could be (and was) late at night, and following it up with an 'I didn't get a response' posting to bugtraq less than two hours later (still late at night where I am).

I don't care for the incorrect insinuation that I am not responsive to security reports. Of course, the next worst thing would have been to just send it to bugtraq and never to me at all. I don't follow bugtraq, so perhaps someone will inform me privately whether or not it is appropriate for me to follow up to it with a summary or 'fixed' posting.

--
#ken P-)}

Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/

"All right everyone! Step away from the glowing hamburger!"
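The two weaknesses in the report above are a per-address rate limit that the package does not yet have (the TODO item) and the option to echo the original message back to a sender address that may well be forged. The following is an added example, not code from the autoresponder package or from Ken Coar: a small reply-policy check that enforces a per-address limit inside a sliding time window and composes a reply that never includes the original body. The policy values (one reply per address per 24 hours), the message samples and the function names are assumptions for this example. It also goes one step beyond the report by declining to answer mail that carries an `Auto-Submitted` header other than `no`, the RFC 3834 convention for keeping two responders from looping.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values for this example; the package's own defaults are not on the page.
MAX_REPLIES_PER_WINDOW = 1
WINDOW_SECONDS = 24 * 60 * 60


class ReplyPolicy:
    """Decides whether an incoming message deserves an automatic reply."""

    def __init__(self, max_replies=MAX_REPLIES_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_replies = max_replies
        self.window = window
        # sender address -> timestamps of replies already sent (oldest first)
        self._history = defaultdict(deque)

    def should_reply(self, msg, now):
        """Return (allowed, reason); `now` is a Unix timestamp supplied by the caller."""
        # Prefer the envelope sender; a forged From: is exactly what the report describes.
        raw = msg.get("Return-Path") or msg.get("From") or ""
        sender = parseaddr(raw)[1].lower()
        if not sender:
            return False, "empty envelope sender (bounce) or missing address"
        # RFC 3834: never auto-reply to mail that was itself auto-submitted (avoids reply loops).
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return False, "message is auto-submitted"
        sent = self._history[sender]
        # Drop timestamps that have aged out of the window, then apply the limit.
        while sent and now - sent[0] >= self.window:
            sent.popleft()
        if len(sent) >= self.max_replies:
            return False, "per-address rate limit reached"
        sent.append(now)
        return True, "ok"


def build_reply(original, response_text, from_addr):
    """Compose the auto-reply without echoing the original body: whoever forged the
    sender must not be able to route arbitrary content through this responder."""
    reply = EmailMessage()
    reply["From"] = from_addr
    reply["To"] = parseaddr(original.get("Return-Path") or original.get("From") or "")[1]
    reply["Subject"] = "Auto: " + (original.get("Subject") or "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker so other responders stay quiet
    reply["Precedence"] = "bulk"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    reply.set_content(response_text)
    return reply


# Constructed sample message standing in for mail with a forged sender.
SAMPLE = """Return-Path: <victim@example.net>
From: Someone <victim@example.net>
To: info@example.org
Subject: hello
Message-ID: <abc@example.net>

body text
"""


def demo():
    """Three deliveries from the same address: now, a minute later, and one window later."""
    policy = ReplyPolicy()
    msg = message_from_string(SAMPLE)
    return [policy.should_reply(msg, t)[0] for t in (0, 60, WINDOW_SECONDS)]


if __name__ == "__main__":
    print(demo())  # the second delivery is refused, the third is allowed again
    print(build_reply(message_from_string(SAMPLE), "I am away.", "info@example.org"))
```

The history here lives in memory and is per process; a real responder invoked once per message (as mail delivery agents usually do) would need to persist the timestamps in a file or database with locking, which is the part of the TODO item that actually takes work.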