Possible way to abuse spamgourmet?

Discussion of items in the "What's New" log.

Possible way to abuse spamgourmet?

Postby iridos » Wed Nov 15, 2006 2:38 pm

Hi,

just read a bit in the "news" section about spamgourmet being blacklisted in spamcop.

That started me wondering, if spamgourmet couldnt be abused by spammers: What would stop a spammer from signing up and using spamgourmet as an "open" relay that resends all emails for him to thousands of messages?

There is the (very useful) feature to send mails via spamgourmet to provide an easy way to send mails that have spamgourmet as the return address. All that is needed is the correct hash, which the website provides.
a) as far as I'm aware spamgourmet is open source, so the way this hash is calculated should be easy to get from the source and
b) if this fails a script could automatically retrieve the hash from the web-site.

How fast would you notice this kind of abuse? Do you already have something in place to make this type of abuse impossible?

If not, my suggestion would be to limit the amount of mails one can send this way per day to 50. This is more than any normal human user could sensibly use, but by far not enough, to make the "feature" useful to the average spammer anymore.

For the unlikely case that someone really has a legitimate reason to send > 50 mails per day via spamgourmet (I cannot think of any!), you could allow him to sign up for a commercial account for... dunno $30/month. Obviously he's using spamgourmet in a way that uses much of your resources and more importantly, this would give you his real name and address, allowing you to sue him in case he uses spamgourmet to distribute spam.


Iridos
iridos
 
Posts: 6
Joined: Thu Nov 09, 2006 4:01 pm

Postby SysKoll » Wed Nov 15, 2006 6:19 pm

We already limit the hourly rate of emails you can send from any account. The limit is low enough to make spamgourmet useless as a spam relay.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Wed Nov 15, 2006 11:45 pm

yeah, that's pretty much it - we introduced the throttle specifically to stop that possibility. Also, you can't get the hash from looking at the code, because a component of it is a private key (and a random-ish number, iirc)
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm


Return to What's New

Who is online

Users browsing this forum: No registered users and 23 guests

cron