From kragen@dnaco.net Wed Aug 12 12:12:45 1998
Date: Wed, 12 Aug 1998 12:12:43 -0400 (EDT)
From: Kragen
To: pobox@pobox.com
cc: postmaster@telia.com, aleph1@dfw.net
Subject: Re: EMERGENCY: new remote root exploit in UW imapd (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Keywords:
X-UID: 1200
Status: O
X-Status:

I've posted several messages to Bugtraq over the last few weeks. It
appears that someone at Telia has an extremely broken mail-routing
system:

- it forges mail from me when it bounces mail
- it bounces the mail to the wrong place (the From: address instead of
  the envelope sender, to whom bounces always ought to be addressed)
- it identifies itself as 'tfsgate' in HELO instead of using a proper
  FQDN
- it lies about the status of the mail in the bounce -- it claims it
  wasn't delivered to BUGTRAQ, instead of that it wasn't delivered to a
  subscriber at their site.
- it takes three weeks to bounce the mail

I don't know whether "t4o64p25.telia.com" is a dynamically-assigned IP
address or not, I don't know whether it's apparent whose address there
is causing the bounces, I don't know if other people at pobox have been
getting these messages, and I don't know what 'TFS' is.

I'm sure all other posters to BUGTRAQ have been getting this message (so
it may be appropriate to post this to BUGTRAQ.)

I think this is a serious problem Telia needs to get fixed.

If it's possible to do so, it would be nice if pobox could block mail
from this machine -- assuming it doesn't have a dynamic IP address.

Kragen

---------- Forwarded message ----------
Received: from growl.pobox.com (growl.pobox.com [208.210.124.27]) by april.dnaco.net (8.8.5/8.8.5) with ESMTP id HAA11571 for ; Wed, 12 Aug 1998 07:53:59 -0400 (EDT)
From: kragen@POBOX.COM
Received: (from daemon@localhost) by growl.pobox.com (8.8.7/8.8.5) id HAA22150 for kragen@dnaco.net.filterdone; Wed, 12 Aug 1998 07:58:53 -0400 (EDT)
Received: from tfsgate (t4o64p25.telia.com [195.67.206.145]) by growl.pobox.com (8.8.7/8.8.5) with SMTP id HAA26591 for ; Wed, 12 Aug 1998 07:58:51 -0400 (EDT)
Message-Id:
Date: Wed, 12 Aug 1998 13:51:49 +0000
Subject: Re: EMERGENCY: new remote root exploit in UW imapd
MIME-version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
X-Mailer: TFS Gateway /310000000/310104007/310104037/310200563/
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by april.dnaco.net id HAA11571

####################################################
This message was not delivered to BUGTRAQ@NETSPACE.ORG
TFS Admin was informed with a copy of this message
Sender was informed with a copy of this message
####################################################

On Wed, 22 Jul 1998, IBS / Andre Oppermann wrote:
> Kragen wrote:
> > qmail uses no standard C library functions, other than syscalls, if I
> > remember correctly.
>
> That is true, but he hasn't documented it very well, in fact you have
> to look through and follow the function to see what it really does.

The first version of qmail I looked at had no documentation for the
stralloc stuff, so I wrote some () and published it. More recent
versions appear to have a man page for the stralloc functions,
obsoleting my web page.

Kragen
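
The HELO complaint in the message above can be checked mechanically from the Received: trace headers a receiving MTA writes. The following Python is an added example, not part of the original message; the function names and finding labels are assumptions, and the sample input is the three Received: values from the forwarded bounce.

```python
import re

# Sendmail-style trace value: "from <helo> (<rdns> [<ip>]) by <receiver> ..."
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
    r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The three Received: values from the forwarded bounce, newest hop first.
SAMPLE = [
    "from growl.pobox.com (growl.pobox.com [208.210.124.27]) by april.dnaco.net "
    "(8.8.5/8.8.5) with ESMTP id HAA11571 for ; Wed, 12 Aug 1998 07:53:59 -0400 (EDT)",
    "(from daemon@localhost) by growl.pobox.com (8.8.7/8.8.5) id HAA22150 "
    "for kragen@dnaco.net.filterdone; Wed, 12 Aug 1998 07:58:53 -0400 (EDT)",
    "from tfsgate (t4o64p25.telia.com [195.67.206.145]) by growl.pobox.com "
    "(8.8.7/8.8.5) with SMTP id HAA26591 for ; Wed, 12 Aug 1998 07:58:51 -0400 (EDT)",
]

def is_fqdn(name):
    """True if name is at least two valid DNS labels and not a bare IPv4 address."""
    labels = name.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit())

def check_received(value):
    """Return (hop, findings) for one Received: value, or None when it is not
    a network hop (for example the local "(from daemon@localhost)" entry)."""
    m = RECEIVED_RE.match(" ".join(value.split()))  # unfold and collapse whitespace
    if not m:
        return None
    helo, rdns = m["helo"], m["rdns"]
    findings = []
    if not is_fqdn(helo):
        findings.append("helo-not-fqdn")           # e.g. a bare host name
    if rdns and helo.lower() != rdns.lower():
        findings.append("helo-differs-from-rdns")  # weak signal when seen alone
    return m.groupdict(), findings

if __name__ == "__main__":
    for value in SAMPLE:
        print(check_received(value))
```

A HELO name that merely differs from the reverse-DNS name is common on legitimate hosts, so that finding is only useful alongside the non-FQDN one.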