what about looping?


Postby caspertone » Fri Mar 05, 2004 3:16 pm

I just reread again the FAQ and saw that giving an SG address as forwarding address is forbidden for obvious looping reasons.

This is a question to evaluate SG security. It could be imagined that badspammer could set up an SG account. Subscribe to millions of sites with the given address. Accept subscriptions in the given email address. Then, make that email address forward to the SG address, but before, make the initial a trusted sender of the account. Then, wait for SG to blow.

Has this scenario been thought of? Is it possible to set up as a trusted or exclusive sender one of the previous forwarding addresses? If it is forbidden, what about another forwarding loop to make the attack?

Thanks,
CTone
caspertone
 

Postby SysKoll » Fri Mar 05, 2004 4:30 pm

Caspertone,

Congratulations, you should be a software tester. That's indeed a possibility. We are preparing a method called throttling that will stop any account from forwarding an excessive number of emails. Even in the looping scenario you describe, our method will detect the high volume of forwarded email and temporarily disable the account.

Josh, that's one more nasty scenario that makes throttling a priority.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Fri Mar 05, 2004 8:41 pm

Throttling will prevent it from happening in our code -- we also have sendmail upstream, and it has some features to prevent this that are active.

In the early days, I did test this a few times, and sendmail stopped the loop.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm
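
The two defenses mentioned in the replies above (per-account throttling with a temporary disable, and an upstream loop check) can be sketched as follows. This is an added example, not SG's or sendmail's code: the class, the limits and the sample messages are constructed for illustration, and counting Received headers is a generic loop check, not a statement about which sendmail features were active.

```python
from collections import defaultdict, deque
from email import message_from_string

# Assumed limits for illustration; the thread gives no actual values.
MAX_FORWARDS = 5        # forwards allowed per account per window
WINDOW_SECS = 60        # sliding window length
DISABLE_SECS = 600      # how long a tripped account stays disabled
MAX_HOPS = 4            # Received headers tolerated before calling it a loop


class ForwardThrottle:
    """Per-account forwarding limiter with temporary disable (hypothetical)."""

    def __init__(self):
        self.sent = defaultdict(deque)   # account -> timestamps of recent forwards
        self.disabled_until = {}         # account -> time the disable expires

    def decide(self, account, raw_message, now):
        """Return 'forward', 'loop', 'throttled' or 'disabled' for one message."""
        if now < self.disabled_until.get(account, 0):
            return "disabled"
        # Each MTA that handles a message prepends a Received header, so a
        # message circulating in a forwarding loop accumulates them.
        hops = len(message_from_string(raw_message).get_all("Received", []))
        if hops > MAX_HOPS:
            return "loop"
        window = self.sent[account]
        while window and now - window[0] >= WINDOW_SECS:
            window.popleft()             # drop forwards older than the window
        if len(window) >= MAX_FORWARDS:
            self.disabled_until[account] = now + DISABLE_SECS
            window.clear()
            return "throttled"
        window.append(now)
        return "forward"


def make_message(hops):
    """Build a constructed test message carrying `hops` Received headers."""
    received = "".join(
        f"Received: from relay{i}.example by relay{i + 1}.example\n" for i in range(hops)
    )
    return received + "From: list@example.org\nSubject: newsletter\n\nbody\n"


def simulate_burst(count, hops=1, step=1.0):
    """Feed `count` messages to one account, `step` seconds apart."""
    throttle = ForwardThrottle()
    return [throttle.decide("acct1", make_message(hops), i * step) for i in range(count)]
```

The hop check catches a single message going around a loop; the throttle catches the case raised in the first post, where many distinct subscription messages arrive at once and none of them has looped yet.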

nice to know that I arrive late ...

Postby Caspertone » Tue Mar 09, 2004 8:30 am

So, we continue in expert hands ...
Thks
CTone
Caspertone
 

