gboug at unico
Mar 31, 2003, 12:05 AM
Post #4 of 6
(3501 views)
Permalink
|
It should be fairly trivial to write a wrapper that
ensures that the email has the correct domain... As
a first wild hack at a trivial mail filter:
#!/usr/bin/perl -w
use strict;
my @email = <STDIN>;
my $mailsent = 0;
foreach (@email) {
# We are only checking the header for a From field...
last if (/^\n$/);
if (/^From/) {
my $emailOK = 0;
# Insert code to grab and verify the email
# address here. If email is OK, set $emailOK
# to 1;
if ($emailOK) {
print foreach (@email);
$mailsent = 1;
last; # only want to send it once...
}
}
}
if (!$mailsent) {
# Do whatever you want with evil spam email here...
}
Then you could put in your aliases file:
rt-alias: "|/path/to/check | RT_COMMAND_HERE"
Should work without too much trouble... Biggest issue I can
see with this method is that it might send a blank email through
to RT if no valid email address is found. If RT ignores blank
input (hopefully it does... I haven't tried it yet...) then you
will be set...
Advantage of doing it this way is if you want to have your
queues protected on a per-queue basis...
In theory, you could also pass it through procmail and get that
to do your mail filtering... That would be another way to do it...
I'm not sure if procmail rules can be set up for email aliases...
You would have to check that out more thoroughly... Would give
you a lot more flexibility with what to do with spammers, etc.
if you used procmail... Depending on how your email server is
setup, it might be more efficient than doing it through RT...
HTH
Greg
> -----Original Message-----
> From: rt-users-admin[at]lists.fsck.com
> [mailto:rt-users-admin[at]lists.fsck.com] On Behalf Of David Vrtin
> Sent: Monday, 31 March 2003 4:46 PM
> To: James Lucas
> Cc: rt-users[at]lists.fsck.com
> Subject: Re: [rt-users] permissions loophole?
>
>
> On Sat, 29 Mar 2003 22:54:33 GMT, "James Lucas" wrote:
>
> > I have noticed one odd thing with the way it processes mail
> (although
> > it = may be my setup but I can't see where), if there is a
> user on the
> > = system, e.g. autocreated by opening a ticket, they can
> reply to any
> > = other ticket by simply changing the number in the subject of the
> > message = and this reply will be forwarded onto the ticket
> requestor.
> >
> > This does not seem correct to me as it would allow a spammer to
> > randomly = guess ticket numbers and then send mail to our customers
> > using rt as the = relay.
>
> I have same problem. We don't want RT to sent mail out of RT,
> if the transaction
> is originated via *Email*.
>
> I think, we need some patch??
>
>
> Best regards,
> David
>
> _______________________________________________
> rt-users mailing list
> rt-users[at]lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-> users
>
> Have you
> read the FAQ? The RT FAQ Manager lives at
> http://fsck.com/rtfm
>
|
