Webmail problem: User can send unlimited emails

nicknn (Verified User, joined Oct 4, 2006, 31 messages)
Hello

I noticed a bug in all webmails.
I use Telaen, but I think this can affect Roundcube and SquirrelMail too.

Recently a Nigerian spammer logged in to a weak-password mail account,
and used this account to send tons of scam spam.

He changed the preferences and set the sender address to [email protected]

We use /etc/virtual/usage, and limit the mails to 2000 per day per account.

But when a not_in_the server_domain is used as the sender address, or mails are sent with an empty user value f_user=
the emails do not count.
They don't count for the apache user either.

Is it possible to do something in exim to allow only local domains (sender address must be *@localdomain.com) to send mail?

Or to modify exim, to count all these orphan emails to e.g. an orphan user, so the limit rules apply?
 
> I noticed a bug in all webmails.
> I use Telaen, but I think this can affect Roundcube and SquirrelMail too.

I wouldn't call it a bug, but rather a design issue.

And in any event it's not something in any of the webmail programs, but rather in the way DirectAdmin counts usage.

> Recently a Nigerian spammer logged in to a weak-password mail account, and used this account to send tons of scam spam.
>
> He changed the preferences and set the sender address to [email protected]
>
> We use /etc/virtual/usage, and limit the mails to 2000 per day per account.
>
> But when a not_in_the server_domain is used as the sender address, or mails are sent with an empty user value f_user=
> the emails do not count.
> They don't count for the apache user either.

Squirrelmail inserts into the first Received header the authenticated username, so that could be used. When you send email from another email client is the authenticated username appearing somewhere in the headers?

> Is it possible to do something in exim to allow only local domains (sender address must be *@localdomain.com) to send mail?

Probably, though by default exim allows authenticated senders to send email anywhere, so this would have to be implemented in a custom ACL or in a customized addition to exim.pl. And it would be very limiting on legitimate users.

> Or to modify exim, to count all these orphan emails to e.g. an orphan user, so the limit rules apply?

Probably if we knew what header to check for the username.

Jeff
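
The idea in the reply above, keying usage on the authenticated username in the Received header instead of the sender address, as an added example (not code from this thread, DirectAdmin or exim.pl). The header pattern, the function names, the "orphan" bucket name, the sample messages and the limit of 3 are assumptions for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumed SquirrelMail trace format: "(SquirrelMail authenticated user LOGIN)"
AUTH_RE = re.compile(r"\(SquirrelMail authenticated user ([^)\s]+)\)")

def authenticated_user(raw):
    """Return the webmail login from the earliest matching Received header, or None."""
    received = message_from_string(raw).get_all("Received") or []
    # Relays prepend Received lines, so the webmail's own line is the last one.
    for header in reversed(received):
        match = AUTH_RE.search(header)
        if match:
            return match.group(1)
    return None

def account(messages, local_domains, daily_limit):
    """Count per login regardless of the From address.

    Returns (counts, logins over the limit, per-login count of non-local From).
    Messages without a login are charged to a hypothetical "orphan" user.
    """
    counts, foreign = Counter(), Counter()
    for raw in messages:
        user = authenticated_user(raw) or "orphan"
        counts[user] += 1
        from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
        if from_addr.rpartition("@")[2].lower() not in local_domains:
            foreign[user] += 1
    over = sorted(u for u, n in counts.items() if n > daily_limit)
    return counts, over, foreign

def sample(login, from_addr):
    """Build a constructed test message (not real traffic)."""
    trace = (f"Received: from 192.0.2.10 (SquirrelMail authenticated user {login})"
             " by mail.example.com with HTTP; Mon, 1 Jan 2007 10:00:00 +0000\n") if login else ""
    return f"{trace}From: {from_addr}\nTo: rcpt@example.org\nSubject: test\n\nbody\n"

SAMPLE = ([sample("info@example.com", "info@example.com")]
          + [sample("info@example.com", "prize@example.net")] * 3
          + [sample(None, "prize@example.net")])

if __name__ == "__main__":
    counts, over, foreign = account(SAMPLE, {"example.com"}, daily_limit=3)
    print(dict(counts), over, dict(foreign))
```

A high non-local From count for a single login is also a useful alert on its own, since it is the pattern the original post describes for the compromised account.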
 