OpenBSD Journal

Spamfilter for OpenBSD

Contributed by Dengue on from the curse-the-spammer dept.

Phil Munts writes: "I have written a simple spam filtering system for OpenBSD. I've tested it within a controlled intranet environment, but before I go live with it on the Internet, I'd like to have folks with more security expertise look it over. It is at http://www.munts.com/spamfilter "

This looks interesting, maybe I'll try it this weekend...



Comments
  1. By Alex Farber (farber@cpan.org) on

    spamfilter.c doesn't look very OpenBSD'ish to me ;-)

    char temp[1000];
    char filename[256];
    ...
    strtok(temp, " \t\r\n");
    sender = strtok(NULL, " \t\r\n");
    ...
    sprintf(filename, "/home/%s/.spamfilter/%s-XXXXXXXX", myself, sender);

    Comments
    1. By David () on

      I agree.

      sprintf and strcpy should _never_ be used.

      snprintf and the new asprintf should be used.
      Also, use strlcpy in place of strcpy

  2. By David () on

    1.) main() should always return int.
    2.) the return value of strtok() should be checked...
    3.) spamfilter.register.c needs ctype.h included for toupper().
    4.) don't use sprintf. use snprintf or asprintf/free
    5.) in spamfilter.cron.c, if src == NULL, you write to syslog.. but later src is read with fgets.. what if src == NULL?
    6.) i see a few openlog()'s, but no closelog()'s.

    Just a few things I spotted.
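The points raised in comments 1 and 2 (unchecked strtok() results, sprintf() into a fixed 256-byte filename[]) come together in the following rewrite of the quoted fragment. This is an added example, not code from Phil Munts' spamfilter; it assumes the input line's second whitespace-separated token is the sender address (the page does not show the actual line format), keeps the original buffer sizes, and uses a plain length check plus memcpy() instead of OpenBSD's strlcpy() so that it builds on any libc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same sizes as the buffers in the posted fragment. */
#define TEMP_LEN 1000
#define PATH_LEN 256

/*
 * Hardened version of the posted fragment (assumption: first token is a
 * keyword, second token is the sender).  Every step that could fail is
 * checked:
 *  - the copy into temp[] is bounded (strlcpy on OpenBSD; memcpy with an
 *    explicit length check here so the code builds on any libc),
 *  - both strtok() results are tested for NULL,
 *  - the sender may not contain '/' so it cannot name a path outside the
 *    user's .spamfilter directory,
 *  - snprintf() replaces sprintf() and its return value is checked, so a
 *    long sender yields an error instead of writing past filename[].
 * Returns 0 on success, -1 on any failure (out[] is then unspecified).
 */
int build_spam_path(char *out, size_t outlen, const char *myself, const char *line)
{
    char temp[TEMP_LEN];
    const char *sep = " \t\r\n";
    size_t len = strlen(line);
    char *sender;
    int n;

    if (len >= sizeof(temp))            /* would not fit, including the NUL */
        return -1;
    memcpy(temp, line, len + 1);

    if (strtok(temp, sep) == NULL)      /* no first token: blank line */
        return -1;
    if ((sender = strtok(NULL, sep)) == NULL)   /* no sender token */
        return -1;
    if (strchr(sender, '/') != NULL)    /* keep the file inside .spamfilter */
        return -1;

    n = snprintf(out, outlen, "/home/%s/.spamfilter/%s-XXXXXXXX", myself, sender);
    if (n < 0 || (size_t)n >= outlen)   /* truncated: sprintf() would have overflowed */
        return -1;
    return 0;
}

/* Bytes sprintf() would have written for these inputs (NUL excluded);
 * compare against PATH_LEN to see where the unchecked version overruns. */
size_t unchecked_path_len(const char *myself, const char *sender)
{
    int n = snprintf(NULL, 0, "/home/%s/.spamfilter/%s-XXXXXXXX", myself, sender);
    return n < 0 ? 0 : (size_t)n;
}

/* Self-check on constructed inputs; returns 1 when every case behaves. */
int run_checks(void)
{
    char path[PATH_LEN];
    char longline[TEMP_LEN];
    size_t i;

    /* ordinary line: accepted, path built */
    if (build_spam_path(path, sizeof path, "phil", "From alice@example.org Sat Jan  5 2002") != 0)
        return 0;
    if (strcmp(path, "/home/phil/.spamfilter/alice@example.org-XXXXXXXX") != 0)
        return 0;

    /* blank line and single-token line: the strtok() NULL cases from comment 2 */
    if (build_spam_path(path, sizeof path, "phil", "\r\n") != -1)
        return 0;
    if (build_spam_path(path, sizeof path, "phil", "From\n") != -1)
        return 0;

    /* 300-byte sender: fits temp[] but not filename[256]; must be refused */
    memcpy(longline, "From ", 5);
    for (i = 5; i < 305; i++)
        longline[i] = 'a';
    longline[305] = '\0';
    if (build_spam_path(path, sizeof path, "phil", longline) != -1)
        return 0;
    if (unchecked_path_len("phil", longline + 5) < PATH_LEN)
        return 0;

    /* sender carrying a path separator is refused */
    if (build_spam_path(path, sizeof path, "phil", "From ../../etc/x\n") != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("%s\n", run_checks() ? "all checks passed" : "check failed");
    return 0;
}
```

The path check on '/' is an extra beyond the comments: once the sender string is bounded, the remaining risk is that it steers the file out of the per-user directory, so refusing separators closes that at the same point.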

  3. By Ryan Cooley () on

    It's too easy to just have a bot that will parse this message and automatically send a reply, without a human to interact (and thus be held liable).

    There are a few choices:
    1. For the user to reply with the word "REGISTER-432341" in the subject (that number being randomly generated of course).
    2. Change the email address to be broken up, or preferably, an image.
    3. Make a special FORM that a human must navigate through, changing some characters, or clicking a few boxes, etc.

    Other than that, it is a great idea.
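The first of the three choices above, the randomly numbered REGISTER token that a sender must echo in the Subject line, works out as follows. This is an added example and not part of the spamfilter project: it assumes a six-digit token in the format the comment uses, keeps outstanding challenges in a small in-memory table (a real deployment would persist them), and takes the random value from the caller so that arc4random() on OpenBSD or /dev/urandom elsewhere can be plugged in. A token is accepted once, from the address it was issued to, and only as a whole word, so a reply quoting a different or longer number is rejected.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_PENDING 64
#define ADDR_LEN 128
#define TOKEN_LEN 32

/* One outstanding challenge: who it was sent to and the token they must echo. */
struct pending {
    char sender[ADDR_LEN];
    char token[TOKEN_LEN];
};

struct challenge_store {
    struct pending p[MAX_PENDING];
    int n;
};

/* Format "REGISTER-NNNNNN" from caller-supplied randomness (six digits as in
 * the comment's example; feed arc4random() or bytes from /dev/urandom). */
void make_challenge(uint32_t rnd, char *out, size_t outlen)
{
    snprintf(out, outlen, "REGISTER-%06u", (unsigned)(rnd % 1000000u));
}

/* Record a challenge for sender; returns 0, or -1 if the store is full or
 * the address is too long to store. */
int issue_challenge(struct challenge_store *s, const char *sender, uint32_t rnd,
                    char *token, size_t toklen)
{
    if (s->n >= MAX_PENDING || strlen(sender) >= ADDR_LEN)
        return -1;
    make_challenge(rnd, token, toklen);
    snprintf(s->p[s->n].sender, ADDR_LEN, "%s", sender);
    snprintf(s->p[s->n].token, TOKEN_LEN, "%s", token);
    s->n++;
    return 0;
}

/* 1 if subject contains the expected token as a whole word, else 0. */
int subject_has_token(const char *subject, const char *expected)
{
    size_t n = strlen(expected);
    const char *p = subject;

    while ((p = strstr(p, "REGISTER-")) != NULL) {
        if (strncmp(p, expected, n) == 0 &&
            (p[n] == '\0' || p[n] == ' ' || p[n] == '\t' || p[n] == '\r' || p[n] == '\n'))
            return 1;
        p += 9;     /* skip past this "REGISTER-" and look for another */
    }
    return 0;
}

/* The reply must come from the challenged address and carry its token.  A
 * matching entry is removed, so each token is accepted once.  Returns 1 when
 * the sender is accepted, 0 otherwise. */
int redeem_challenge(struct challenge_store *s, const char *sender, const char *subject)
{
    int i;
    for (i = 0; i < s->n; i++) {
        if (strcmp(s->p[i].sender, sender) == 0 &&
            subject_has_token(subject, s->p[i].token)) {
            s->p[i] = s->p[s->n - 1];   /* single use: drop the entry */
            s->n--;
            return 1;
        }
    }
    return 0;
}

/* Walk through one exchange with a constructed, fixed "random" value (432341,
 * the number from the comment); returns 1 when every step behaves. */
int run_demo(void)
{
    struct challenge_store st;
    char tok[TOKEN_LEN];

    memset(&st, 0, sizeof st);
    if (issue_challenge(&st, "alice@example.org", 432341u, tok, sizeof tok) != 0)
        return 0;
    if (strcmp(tok, "REGISTER-432341") != 0)
        return 0;
    /* wrong sender, longer number, then the genuine reply, then a replay */
    if (redeem_challenge(&st, "someone-else@example.net", "Re: REGISTER-432341") != 0)
        return 0;
    if (redeem_challenge(&st, "alice@example.org", "Re: REGISTER-4323410") != 0)
        return 0;
    if (redeem_challenge(&st, "alice@example.org", "Re: REGISTER-432341") != 1)
        return 0;
    if (redeem_challenge(&st, "alice@example.org", "Re: REGISTER-432341") != 0)
        return 0;
    return st.n == 0;
}

int main(void)
{
    printf("%s\n", run_demo() ? "challenge exchange ok" : "demo failed");
    return 0;
}
```

Six decimal digits give only a million possibilities, which is what the comment proposes; the single-use and address binding are what keep guessing from paying off, and a longer token from the same function is a one-character change to the format string.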

  4. By Phil Munts (phil@munts.net) on

    I read much and post seldom. This was my first
    and only (so far) submission to OBJ. Today
    I received the following email:

    I have visited www.openbsdjournal.org and noticed that your
    website is not listed on some search engines. I am sure
    that through our service the number of people who visit
    your website will definitely increase. SeekerCenter is a
    unique technology that instantly submits your website
    to over 500,000 search engines and directories -- a
    really low-cost and effective way to advertise your
    site. For more details please go to SeekerCenter.net.

    Seriously, I've appreciated the comments people
    have made about the buffer overflows. I've
    learned a lot, and will be cleaning things up
    shortly.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]