> :0
> * ^Subject: user_prefs update
> * !^X-Loop: ${USER}@domain.com
> * !^FROM_DAEMON
> {
>       :0bc:
>       | mv -f $USERPREFS $USERPREFS.old && cat - > $USERPREFS
> 
>       :0fhW
>       | formail -I "Subject: user_prefs retrieve"
> }

Just to point out the blatantly obvious to most, nobody should use
this system-wide without changing the lines to include some simple
rudimentary per-user password... unless you want one user to be
able to cause another user's mail to be junked (at best... if you're
not using spamd, then a custom rule can be defined in a user prefs
turning this into a potential remote access hole[1]).

David.

[1] Try this rule and observe:

  full BLAH eval:File::Copy::copy("print","error")
  describe BLAH blah
  score BLAH -1

  ..it doesn't work, but it calls code in File::Copy before failing
  (the problem is that this calls:
           File::Copy::copy($self, (message ref), "print", "error")
   so to actually prove this as a problem, you'd need a function where
   that can be dangerous with the first two arguments as given)

   a second evil thing that could be done is putting a database under
   your control in the config file and watching what gets logged in it


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
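
The two safeguards David's message calls for, a per-user secret on the update and refusing rule or database lines in mailed-in prefs, sketched as an added example that is not part of the original thread. The token file, the "Subject: user_prefs update <token>" convention, the function names and the directive allowlist are assumptions.

```shell
#!/bin/sh
# Added example: gate for a mailed-in user_prefs update.
# Assumptions (not from the thread): the token file, the subject convention
# "Subject: user_prefs update <token>", and the allowlist below.

# Directives a remote update may set. Everything else is refused, which
# covers rule definitions (full/body/header ... eval:) and database settings.
ALLOWED='score|required_hits|whitelist_from|blacklist_from'

# token_ok SUBJECT TOKENFILE: succeed only if the subject carries the
# user's secret token (first line of TOKENFILE) after the fixed prefix.
token_ok() {
    [ -r "$2" ] || return 1
    want=$(head -n 1 "$2")
    [ -n "$want" ] || return 1
    got=${1#"Subject: user_prefs update "}
    [ "$got" != "$1" ] && [ "$got" = "$want" ]
}

# prefs_ok FILE: succeed only if every non-blank, non-comment line starts
# with an allowlisted directive followed by whitespace.
prefs_ok() {
    [ -s "$1" ] || return 1
    ! grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Evq "^[[:space:]]*($ALLOWED)[[:space:]]"
}

# install_prefs SUBJECT TOKENFILE NEWFILE DEST: install NEWFILE as DEST only
# if both checks pass, keeping the previous file as DEST.old.
install_prefs() {
    token_ok "$1" "$2" && prefs_ok "$3" || return 1
    [ ! -e "$4" ] || mv -f "$4" "$4.old"
    cp "$3" "$4"
}
```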
