[Secure-testing-team] Re: Bug#332259: spampd fails with 'Error in process_request': Modification of read-only variable in Syslog.pm

[Sven Mueller]

Martin Schulze schrieb:
> Sven Mueller wrote:
> 
>>>Hence, it's rather "one mail falls through" or something.  Doesn't sound
>>>security-relevant to me.
>>
>>Well, it's more of an indirect DoS. The mails are rejected with an SMTP
>>temporary failure code according to my quick test. This means that those
>>mails fill up the sending SMTP daemons queue (which is usually the same
>>host or a closely related host to the host spampd runs on).
> 
> The mails should be automatically cleaned from the queue when they are
> locked in it for too long.

Sure, usually after several days. By that time, millions of mails could
have accumulated if the attacker wants that. For any kind of mail serice
provider, this would be a serious threat. And I don't know any MTA which
can cope easily with a huge number of stalled messages (read: many
thousand stalled messages).

Though I respect your sceptic view on this, I still think this is a
possible DoS on the mailserver which uses the spampd instance. Not an
extremely serious threat (since relatively few mailservers use spampd
and the attacker would need to know it is used, which is hard to
detect), but still a threat.

>>Apart from that, this is bug is at least a serious problem, since it might
>>deny perfectly legal mails from reaching the envelope recipient.
> 
> Spam filters usually do that...

Not this one. spampd is usually only used to _mark_ spam, not to reject it.

regards,
Sven

PS: Though online again (yippie), I still can't work on this problem
(not being able to log into any of my Linux boxes right now). I still
try to recover full network access. At the very latest, I should be able
to get to this problem some more when back in the office Tuesday next week.