rmail and leading "-" in address - BSD

  1. rmail and leading "-" in address

    Hi -

    I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    dumb spammers using guessed email addresses with leading '-' like
    '-important@example.tld'.

    This will result in an uuxqt call ...

    /bin/rmail -important@example.tld

    .... with an UUCP error, which is absolutely correct, because rmail
    doesn't know of any parameter '-important@example.tld'.

    Workaround is a wrapper script calling 'rmail -- $*'.
    (all on an up-to-date 6.3-RELEASE)

    Ok, now my questions because I'm still considering myself a BSD newbie.

    1) /bin/rmail is part of FBSD, correct?
    2) every update or upgrade will overwrite my wrapper /etc/rmail,
    correct?
    3) as UUCP isn't used any longer that much, that behavior will not have
    been fixed in 7.x?
    4) should I report this as a bug and propose that wrapper?
    5) live with it? ;-)

    Regards,
    Michael
    --
    to let

  2. Re: rmail and leading "-" in address

    Michael Grimm wrote:
    >
    > I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    > '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    > dumb spammers using guessed email addresses with leading '-' like
    > '-important@example.tld'.
    >
    > This will result in an uuxqt call ...
    >
    > /bin/rmail -important@example.tld
    >
    > ... with an UUCP error, which is absolutely correct, because rmail
    > doesn't know of any parameter '-important@example.tld'.


    That seems insecure.

    > Workaround is a wrapper script calling 'rmail -- $*'.
    > (all on an up-to-date 6.3-RELEASE)
    >
    > Ok, now my questions because I'm still considering myself a BSD newbie.
    >
    > 1) /bin/rmail is part of FBSD, correct?


    Looks like it, yes.

    > 2) every update or upgrade will overwrite my wrapper /etc/rmail,
    > correct?


    Only if it were part of the upgrade. For example, you can count on a
    new version of ls when you upgrade the system. But the process
    generally isn't going to wipe out directories, so files you've created
    will stick around. Unless they're overwritten by new files using the
    same name you picked, which is unlikely.

    However: /etc is not a good place for scripts. On FreeBSD,
    /usr/local/bin would be a more logical place.

    > 3) as UUCP isn't used any longer that much, that behavior will not have
    > been fixed in 7.x?


    Don't know.

    > 4) should I report this as a bug and propose that wrapper?


    It seems like a bug in uuxqt. Maybe check with the port maintainer on
    that before filing a PR on rmail.

    > 5) live with it? ;-)


    Getting it fixed maybe helps you in the future and maybe somebody else
    won't have to find and fix the same problem.

    --
    Warren Block * Rapid City, South Dakota * USA

  3. Re: rmail and leading "-" in address

    On Mon, 20 Oct 2008 21:34:16 +0000 (UTC),
    Michael Grimm wrote:
    > Hi -
    >
    > I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    > '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    > dumb spammers using guessed email addresses with leading '-' like
    > '-important@example.tld'.
    >
    > This will result in an uuxqt call ...
    >
    > /bin/rmail -important@example.tld
    >
    > ... with an UUCP error, which is absolutely correct, because rmail
    > doesn't know of any parameter '-important@example.tld'.
    >
    > Workaround is a wrapper script calling 'rmail -- $*'.
    > (all on an up-to-date 6.3-RELEASE)
    >
    > Ok, now my questions because I'm still considering myself a BSD newbie.
    >
    > 1) /bin/rmail is part of FBSD, correct?
    > 2) every update or upgrade will overwrite my wrapper /etc/rmail,
    > correct?


    You mean `/bin/rmail', right?

    > 3) as UUCP isn't used any longer that much, that behavior will not have
    > been fixed in 7.x?
    > 4) should I report this as a bug and propose that wrapper?
    > 5) live with it? ;-)


    This looks like a bug in `uuxqt', so a better fix would be to patch
    *that* program, and submit the fix to the FreeBSD port maintainer.


  4. Re: rmail and leading "-" in address

    Warren Block wrote:
    > Michael Grimm wrote:


    >> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    >> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    >> dumb spammers using guessed email addresses with leading '-' like
    >> '-important@example.tld'.
    >>
    >> This will result in an uuxqt call ...
    >>
    >> /bin/rmail -important@example.tld
    >>
    >> ... with an UUCP error, which is absolutely correct, because rmail
    >> doesn't know of any parameter '-important@example.tld'.

    >
    > That seems insecure.


    -v, please.

    >> 2) every update or upgrade will overwrite my wrapper /etc/rmail,
    >> correct?


    Sorry. That's been a dumb typo of mine. I meant '/bin/rmail'. That
    wrapper script needs to be put into '/bin' with the same name
    '/bin/rmail' in order to allow uuxqt to access it. The original
    '/bin/rmail' is renamed into '/bin/rmail-excecutable'. Sorry, that
    was very much misleading :-(

    > Only if it were part of the upgrade. For example, you can count on a
    > new version of ls when you upgrade the system. But the process
    > generally isn't going to wipe out directories, so files you've created
    > will stick around. Unless they're overwritten by new files using the
    > same name you picked, which is unlikely.


    I believe that now it should be clear why I assume that an upgrade or
    update will overwrite a wrapper script called '/bin/rmail'.

    >> 4) should I report this as a bug and propose that wrapper?

    >
    > It seems like a bug in uuxqt. Maybe check with the port maintainer on
    > that before filing a PR on rmail.


    Hmm. The local part with a leading '-' is perfectly correct for email
    addresses, if I'm not mistaken. The usage of rmail out of uuxqt is
    '/bin/rmail '. And uuxqt itself just fires up that
    command. Therefore I would rather try to contact the developers
    responsible for rmail? Please, correct me if I'm mistaken.

    >> 5) live with it? ;-)

    >
    > Getting it fixed maybe helps you in the future and maybe somebody else
    > won't have to find and fix the same problem.


    ACK ;-)

    Regards,
    Michael
    --
    to let

  5. Re: rmail and leading "-" in address

    Michael Grimm wrote:
    > Warren Block wrote:
    >> Michael Grimm wrote:

    >
    >>> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    >>> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    >>> dumb spammers using guessed email addresses with leading '-' like
    >>> '-important@example.tld'.
    >>>
    >>> This will result in an uuxqt call ...
    >>>
    >>> /bin/rmail -important@example.tld
    >>>
    >>> ... with an UUCP error, which is absolutely correct, because rmail
    >>> doesn't know of any parameter '-important@example.tld'.

    >>
    >> That seems insecure.

    >
    > -v, please.


    Letting someone outside your system send uncontrolled options to an
    internal program can be dangerous in general.

    http://xkcd.com/327/

    --
    Warren Block * Rapid City, South Dakota * USA

  6. Re: rmail and leading "-" in address

    In article ,
    Michael Grimm wrote:
    >Warren Block wrote:
    >> Michael Grimm wrote:

    >
    >>> I'm receiving my mail via UUCP, thus '/bin/rmail' will be called by
    >>> '/usr/local/libexec/uucp/uuxqt', and I'm receiving a lot of spam from
    >>> dumb spammers using guessed email addresses with leading '-' like
    >>> '-important@example.tld'.
    >>>
    >>> This will result in an uuxqt call ...
    >>>
    >>> /bin/rmail -important@example.tld
    >>>
    >>> ... with an UUCP error, which is absolutely correct, because rmail
    >>> doesn't know of any parameter '-important@example.tld'.

    >>
    >> That seems insecure.

    >
    >-v, please.
    >
    >>> 2) every update or upgrade will overwrite my wrapper /etc/rmail,
    >>> correct?

    >
    >Sorry. That's been a dumb typo of mine. I meant '/bin/rmail'. That
    >wrapper script needs to be put into '/bin' with the same name
    >'/bin/rmail' in order to allow uuxqt to access it. The original
    >'/bin/rmail' is renamed into '/bin/rmail-excecutable'. Sorry, that
    >was very much misleading :-(
    >
    >> Only if it were part of the upgrade. For example, you can count on a
    >> new version of ls when you upgrade the system. But the process
    >> generally isn't going to wipe out directories, so files you've created
    >> will stick around. Unless they're overwritten by new files using the
    >> same name you picked, which is unlikely.

    >
    >I believe that now it should be clear why I assume that an upgrade or
    >update will overwrite a wrapper script called '/bin/rmail'.
    >
    >>> 4) should I report this as a bug and propose that wrapper?

    >>
    >> It seems like a bug in uuxqt. Maybe check with the port maintainer on
    >> that before filing a PR on rmail.

    >
    >Hmm. The local part with a leading '-' is perfectly correct for email
    >addresses, if I'm not mistaken. The usage of rmail out of uuxqt is
    >'/bin/rmail '. And uuxqt itself just fires up that
    >command. Therefore I would rather try to contact the developers
    >responsible for rmail? Please, correct me if I'm mistaken.


    But that isn't the FULL calling sequence for /bin/rmail.

    uuxqt should be calling /bin/rmail safely.

    e.g.
    /bin/rmail --

    It's something that lots of developers fail to remember.

    uuxqt is broken based on the description, not rmail.

    Mark

    >>> 5) live with it? ;-)

    >>
    >> Getting it fixed maybe helps you in the future and maybe somebody else
    >> won't have to find and fix the same problem.

    >
    >ACK ;-)
    >
    >Regards,
    >Michael
    >--
    >to let




  7. Re: rmail and leading "-" in address

    Mark Andrews wrote:
    > In article , Michael Grimm wrote:


    >> Hmm. The local part with a leading '-' is perfectly correct for
    >> email addresses, if I'm not mistaken. The usage of rmail out of uuxqt
    >> is '/bin/rmail '. And uuxqt itself just fires up that
    >> command. Therefore I would rather try to contact the developers
    >> responsible for rmail? Please, correct me if I'm mistaken.

    >
    > But that isn't the FULL calling sequence for /bin/rmail.
    > uuxqt should be calling /bin/rmail safely.
    > e.g.
    > /bin/rmail --
    > It's something that lots of developers fail to remember.
    >
    > uuxqt is broken based on the description, not rmail.


    Ok. Understood. I'll either try fix it myself, or ask the maintainer
    for help.

    Thanks to all of you.

    Regards,
    Michael
    --
    to let
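
The failure and the `--` fix discussed in this thread, as an added example that is not code from any of the posters or from FreeBSD. `fake_rmail` is a constructed stand-in for a getopt-style mail program (its option letters are placeholders), and the wrapper function names and the argument containing a space are hypothetical; it also shows why a wrapper should pass `"$@"` rather than the unquoted `$*` used in the original workaround.

```shell
#!/bin/sh
# Constructed stand-in for a getopt(3)-style program; NOT the real /bin/rmail.
fake_rmail() {
    OPTIND=1
    while getopts ":D:T" opt; do
        case "$opt" in
            D|T) ;;   # placeholder options, accepted and ignored
            *) echo "error: illegal option -- $OPTARG"; return 64 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ "$#" -gt 0 ] || { echo "error: no recipient"; return 64; }
    for rcpt in "$@"; do echo "deliver: $rcpt"; done
}

# Assumption: on the poster's system this would be the renamed original binary.
RMAIL=${RMAIL:-fake_rmail}

# No separator: the call uuxqt makes according to the thread.
direct_call()    { "$RMAIL" "$@"; }
# The thread's workaround: "--" helps, but unquoted $* re-splits arguments.
thread_wrapper() { "$RMAIL" -- $*; }
# Hardened wrapper: "--" ends option parsing, "$@" keeps each address intact.
safe_wrapper()   { "$RMAIL" -- "$@"; }

# Helper: run a command and count how many recipients it delivered to.
count_deliveries() { "$@" | grep -c '^deliver: '; }

demo() {
    direct_call    '-important@example.tld' || echo "exit status $?"
    safe_wrapper   '-important@example.tld'
    thread_wrapper 'odd local@example.tld'   # constructed: becomes 2 recipients
    safe_wrapper   'odd local@example.tld'   # stays 1 recipient
}
demo
```

The same rule applies when the caller is a C program such as uuxqt: the argument vector it builds should place `--` before any address that came from outside the system.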
