Hi Kyle
1. Fixing the code is impossible :-( I already tried it, the developers
keep saying that their code is sound and safe. I've shown logs and
statistics to the bosses of the company that owns the webapp, but the
only response I got was: "fix it" (they aren't making the connection
between the webapp and the spam emails). The only thing I can do to
prove my point is exploit the webapp in front of them, but I don't know
how to do that.
2. I currently don't have any suitable SMTP server that I can do 2 with,
and see 1 above about changing the code.
3. Once the OpenBSD firewall is in place I'll probably go with
setting up rate limiting via sendmail, though I'd rather not run any
servers on the firewall.
TIA
Paolo
Kyle George wrote:
On Fri, 13 Apr 2007, Paolo Supino wrote:
The webapp does talk to a real mail server: on localhost (IIS6 SMTP
service). When a spammer abuses the webapp the email is actually sent
via the local mail server and not directly from the webapp to all the
mail servers on the Internet. Rate limiting isn't an option because
emails must be out the door within a very short time frame from the
moment a set of events is triggered in the webapp.
You could:
1) Make them fix the code
2) Uninstall the IIS SMTP service and make them change the code to send
through a trusted host that can rate limit, filter, etc.
3) http://support.microsoft.com/kb/308161, see "smart host"
(2) and (3) would let you configure an MTA to filter this mess. The
best option is for them to fix their code AND use (2) or (3). It makes
sense to have untrusted applications send through the network's MTA(s)
and to put the machine behind pf blocking outgoing port 25. You don't
want to get blacklisted. Also, code that's letting this happen likely
has many other problems. I'd isolate it.
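What Kyle's "put the machine behind pf blocking outgoing port 25" advice looks like as a ruleset, written here as an added example (it is not part of either message in the thread): the web server may open SMTP connections only to the trusted MTA/smart host, every other destination on port 25 is dropped and logged, and pf's own connection-rate tracking parks a source that floods the MTA in a table so the firewall can throttle abuse without running a mail server on itself. Interface names, addresses and the 20-connections-per-10-seconds threshold are assumptions for illustration.

```pf
# Added example, not from the thread.  Interface names and addresses are
# assumed: em0 faces the Internet, em1 is the DMZ with the IIS web server.
ext_if = "em0"
int_if = "em1"
webapp = "192.0.2.10"      # assumed address of the IIS host running the webapp
mta    = "192.0.2.25"      # assumed trusted MTA / smart host (filters, rate limits)

# Sources that open SMTP connections too fast get added here by the
# overload rule below and are then blocked until the entry expires or is
# cleared with: pfctl -t smtp_abusers -T flush
table <smtp_abusers> persist

block in quick on $int_if from <smtp_abusers> to any port smtp

# The webapp may talk SMTP only to the trusted MTA.  More than 20 new
# connections in 10 seconds (threshold is an assumption) moves the source
# into <smtp_abusers> and flushes its existing states.
pass in quick on $int_if proto tcp from $webapp to $mta port smtp \
    flags S/SA keep state \
    (max-src-conn-rate 20/10, overload <smtp_abusers> flush global)

# Any other SMTP attempt from the DMZ (direct delivery by the webapp, or a
# compromised host) is dropped and shows up in pflog for the bosses.
block in log quick on $int_if proto tcp from any to any port smtp

# Belt and braces on the outside interface in case the DMZ rules are
# loosened later: the web server never delivers directly to the Internet.
block out log quick on $ext_if proto tcp from $webapp to any port smtp
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0 port 25` then shows every blocked delivery attempt, which is exactly the evidence tying the webapp to the spam that the owners have not yet connected.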