On Sun, 20 Nov 2005, Suresh Ramasubramanian wrote:
> For extra points you could do smtp auth on the filtered smarthost as well, to help you jump on issues faster. Set it up so the user's local uid/gid gets used to auth to the remote exim box .. centralized ldap or mysql userdb does the trick for that.
>
> That way spammers can't spam out direct through cgis - but people's normal email and script generated traffic goes out just fine through your filtered gateways.

Our most common successful spam incidents involve exploited vulnerabilities in web forms. It's difficult for spammers to get email out of our network, because we block port 25, our MXs only accept incoming email, and our outgoing relays have names that spammers can't be bothered to find out. However, web forms come preconfigured, so if the spammer can exploit it they don't have to know anything about our email setup. Secure SMTP between the web server and the outgoing relay won't help.

Recent versions of Exim have a rate-limiting feature which I am using to mitigate this vulnerability - though it's hard to deploy without disrupting legitimate users.

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR GOOD.
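
As an added illustration of the rate-limiting approach mentioned in the message above (not configuration from the original post or from either poster), here is a fragment for the outgoing relay's Exim configuration that first measures and then enforces a per-web-server limit using the `ratelimit` ACL condition. The hostlist name `webservers`, the ACL name `acl_check_mail`, the address 192.0.2.10 and the figure of 200 messages per hour are all assumptions chosen for the example.

```exim
# --- main section -------------------------------------------------------
# Hosts that run web forms and hand mail to this relay (assumed address).
hostlist webservers = 192.0.2.10

# Run the ACL below for every MAIL FROM command (ACL name is an assumption).
acl_smtp_mail = acl_check_mail

# --- ACL section --------------------------------------------------------
begin acl

acl_check_mail:

  # Phase 1: measure only. Nothing is refused; a log line is written each
  # time a web server's smoothed rate is above the trial limit, so normal
  # peaks can be read from the main log before anything is enforced.
  # With no explicit key, the rate is tracked per sending IP address.
  warn    hosts       = +webservers
          ratelimit   = 200 / 1h / per_mail / strict
          log_message = web server $sender_host_address at \
                        $sender_rate per $sender_rate_period \
                        (trial limit $sender_rate_limit)

  # Phase 2: once the logs show legitimate traffic stays under the limit,
  # replace the warn statement above with this defer. A temporary error
  # leaves the mail queued on the web server, so a burst from an abused
  # form is held back for inspection rather than lost. "strict" keeps
  # counting refused attempts, so a host that never slows down stays
  # deferred until its rate decays below the limit.
  #
  # defer   hosts       = +webservers
  #         ratelimit   = 200 / 1h / per_mail / strict
  #         message     = Sending rate exceeded, please try again later
  #         log_message = rate limit hit by $sender_host_address \
  #                       ($sender_rate per $sender_rate_period)

  accept
```

Because the limit is keyed on the web server's address, an abused form and legitimate mail from the same host share one counter, which is where the disruption to legitimate users comes from; running the measuring phase first is one way to pick a limit that normal traffic does not reach.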