spamassassin a possible security risk?

Thomas Zehetbauer thomasz at
Tue Oct 19 01:42:16 UTC 2004

Although I know of no exploit at the moment I find it quite risky that
Fedora currently comes configured to 

1) run spamd as root
1.1) allowing everyone to connect
1.2) trying to parse, lookup and impersonate an untrusted username
1.3) scanning e-mail messages on behalf of that user
1.3.1) using system resources
1.3.2) possibly executing external applications and accessing network
2) start spamd as user
2.1) allowing everyone to connect
2.2) trying to use the configuration of an untrusted user
2.3) using system resources
2.4) possibly executing external applications and accessing network

Binding to is not secure as linux by default uses the 'weak
end host' model.

Evolution can be configured to not start/use spamd/spamc but this must
be changed using gconf-edit (/apps/evolution/mail/junk/sa/use_daemon).


  T h o m a s   Z e h e t b a u e r   ( TZ251 )
  PGP encrypted mail preferred - KeyID 96FFCB89
      finger thomasz at for key

Prohibiting cryptography to prevent terrorism is as meaningful as
...prohibiting mumming to prevent bank robbery!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: This is a digitally signed message part
Url : 

More information about the users mailing list