On Thu, 10 Apr 1997, Jawaid Bazyar wrote:
>
> Greetings,
>
> on the suggestion of someone on the inet-access list (a list for ISPs
> where I am plugging exim heartily ;) I tried the following:
>
> >From a host not in our accepted relay list:
>
> telnet hypermall.com 25
> MAIL FROM: bazyar@???
> RCPT TO: anyone%anywhere.com@???
> ... is syntactically correct
>
> I.E., munging up the address as above causes Exim to not properly reject
> this message. I suspect it ought to check to see if there's a % in the
> local part and go ahead and drop the "@hypermall.com" if that's possible.
>
> With this 'hole', spammers can still relay off my mail box. :(
>
> Comments, suggestions?
There is no support for the "percent hack" at the SMTP input stage,
which is where the relaying check happens. I kind of assumed that people
who didn't want relaying wouldn't have turned on the "percent hack" in
the first place. If you don't set percent_hack_domains on hypermall.com,
then although the message will get through the RCPT TO check, it will
get rejected as "unknown user" at a later stage.
There is an item buried somewhere deep on the wishlist to implement some
more variable control over the use of % routing. I have made a note to
include some thought about relay control when I finally get to that
item.
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
