[ On Sunday, January 25, 2004 at 02:42:44 (-0500), Eli wrote: ]
> Subject: RE: [Exim] Stopping out-of-office auto-reply mail loops
>
> Some say the From: or Reply-To: headers (which can make sense), but then I
> think about these possibly being faked, or if someone is spammed (not high
> enough to be discarded/dropped) and has a vacation message on, using these
> fields could result in a bunch of emails sent out to faked addresses.
There's a _lot_ more danger in trusting the SMTP envelope sender
address -- which is one of the reasons it must be used only by the MTA
for non-delivery notifications.
If you worry about the RFC [2]822 headers being faked then you've either
lost the game before you even start to play or else you need to learn to
use mechanisms that allow you to authenticate all message content.
In any case a proper mail agent autoresponder won't blindly trust the
originator address either -- it will refrain from sending more than one
response per week (or whatever) to any given address thus preventing any
third party from abusing it or tricking it into creating harmful mail
loops.
> Currently I'm thinking of using the $return_path variable, mainly because
> it's a lot easier, and somewhat safer than using $header_from: (or at least
> making some kind of long winded ${if ...} test based on from: and reply-to:
> headers like a MUA should pick from).
Much better would be to use an external agent program that was designed
to handle all of these issues instead of trying to over-load the purpose
of your MTA program. :-)
> (BTW, sorry for my top posts - Outlook's only good message format is top
> posting :()
Surely you can manually delete the original?
If not then that's yet another very good reason to _never_ use M$ crapware.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
