
Possible way to abuse spamgourmet?

PostPosted: Wed Nov 15, 2006 2:38 pm
by iridos
Hi,

just read a bit in the "news" section about spamgourmet being blacklisted in spamcop.

That started me wondering if spamgourmet couldn't be abused by spammers: What would stop a spammer from signing up and using spamgourmet as an "open" relay that resends all emails for him to thousands of messages?

There is the (very useful) feature to send mails via spamgourmet to provide an easy way to send mails that have spamgourmet as the return address. All that is needed is the correct hash, which the website provides.
a) as far as I'm aware spamgourmet is open source, so the way this hash is calculated should be easy to get from the source and
b) if this fails a script could automatically retrieve the hash from the web-site.

How fast would you notice this kind of abuse? Do you already have something in place to make this type of abuse impossible?

If not, my suggestion would be to limit the amount of mails one can send this way per day to 50. This is more than any normal human user could sensibly use, but by far not enough to make the "feature" useful to the average spammer anymore.

For the unlikely case that someone really has a legitimate reason to send > 50 mails per day via spamgourmet (I cannot think of any!), you could allow him to sign up for a commercial account for... dunno $30/month. Obviously he's using spamgourmet in a way that uses much of your resources and more importantly, this would give you his real name and address, allowing you to sue him in case he uses spamgourmet to distribute spam.


Iridos

PostPosted: Wed Nov 15, 2006 6:19 pm
by SysKoll
We already limit the hourly rate of emails you can send from any account. The limit is low enough to make spamgourmet useless as a spam relay.

PostPosted: Wed Nov 15, 2006 11:45 pm
by josh
yeah, that's pretty much it - we introduced the throttle specifically to stop that possibility. Also, you can't get the hash from looking at the code, because a component of it is a private key (and a random-ish number, iirc)
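The two defences SysKoll and josh describe, a per-account hourly throttle on outbound mail and a reply hash that depends on a server-side secret, can be sketched together. The following is an added example written for this thread, not spamgourmet's own code: the HMAC-based token scheme, the nonce, the account and address names and the limit of 20 sends per hour are all assumptions chosen for illustration. The point it shows is that publishing the token algorithm (open source) gives nothing without the secret, and that a sliding-window throttle caps what any single account can push through the relay.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed server-side secret. In a real deployment it never leaves the
# server, so the source code alone does not let anyone compute valid tokens.
SERVER_SECRET = secrets.token_bytes(32)


def reply_token(disposable_addr: str, nonce: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash (HMAC-SHA256) over the disposable address and a random nonce.

    Hypothetical scheme for illustration only; not spamgourmet's actual hash.
    """
    msg = f"{disposable_addr}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_token(disposable_addr: str, nonce: str, token: str,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the expected token."""
    expected = reply_token(disposable_addr, nonce, secret)
    return hmac.compare_digest(expected, token)


class HourlyThrottle:
    """Sliding-window per-account send limit (the limit value is an assumption)."""

    def __init__(self, limit: int, window_seconds: int = 3600):
        self.limit = limit
        self.window = window_seconds
        self._sent = defaultdict(deque)  # account -> timestamps of recent sends

    def allow(self, account: str, now: float) -> bool:
        q = self._sent[account]
        # Drop send timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_outbound(throttle: HourlyThrottle, account: str, disposable_addr: str,
                    nonce: str, token: str, now: float) -> str:
    """Outbound path: token check first, then the per-account throttle."""
    if not verify_token(disposable_addr, nonce, token):
        return "rejected:bad-token"
    if not throttle.allow(account, now):
        return "rejected:throttled"
    return "sent"


def simulate() -> dict:
    """Run constructed traffic through the gateway and count outcomes."""
    throttle = HourlyThrottle(limit=20)
    addr = "shop.abc123.alice@spamgourmet.example"  # constructed address
    nonce = "r4nd0m"                                 # constructed nonce
    good = reply_token(addr, nonce)
    # Token computed from the published algorithm but with a guessed key.
    wrong_key = reply_token(addr, nonce, secret=b"guess-from-source")

    results = defaultdict(int)
    results[handle_outbound(throttle, "alice", addr, nonce, wrong_key, now=0)] += 1
    # 25 sends spaced one minute apart: only the first 20 fit in the hour.
    for i in range(25):
        results[handle_outbound(throttle, "alice", addr, nonce, good, now=60 * i)] += 1
    # One hour after the first send the window has slid and one slot is free.
    results[handle_outbound(throttle, "alice", addr, nonce, good, now=3600)] += 1
    return dict(results)


if __name__ == "__main__":
    print(simulate())
```

The throttle keeps timestamps per account rather than a simple daily counter, so a burst right before and right after a reset boundary cannot double the effective limit; the token check runs before the throttle so rejected forgeries do not consume the account's quota.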